OAuth2 Plugin Error
Hi,
Just clone the osticket-plugins repository, edit the file, and use make.php to build an updated phar file.
Hi,
I can confirm that setting prompt=login was the only way to make the plugin work with our Azure environment, even with discretionary user consent enabled.
Currently, it seems osTicket is unable to get an OAuth2 token from Azure as long as prompt=consent is used, as in Microsoft's implementation this option is meant to require explicit/interactive admin approval for any new token issuance (see this link's last point). So unless I'm missing something, the current version of the plugin is unusable with Azure.
Setting prompt=login does fix this issue, while still enforcing user login to avoid using the wrong account. Is it possible to push this change upstream in the plugin repository to avoid dealing with manual mods on future updates?
Your statement is untrue. prompt=consent does work and will allow you to get a token. Maybe you have a different setup than most.
Cheers.
marinbernard-pep06
Thanks, I must be missing something because I tried using the make.php to make a new phar file, but kept getting an error about an unsupported make function, despite the function being listed in /help so I kinda gave up trying to remake it.
I can confirm that setting prompt=login was the only way to make the plugin work with our Azure environment, even with discretionary user consent enabled.
I couldn't find this option, could someone help from where I can make this change to give it a try?
It's in the plugin. You can unphar the plugin, change the plugin record in the database to remove .phar and change isphar to 0, then make the changes there.
Cheers.
I am not a programmer so unsure on how this can be done. If you could place some snapshots please?
After making changes per Prompt = login, I had to reconfigure the plugin from scratch and also deleted the email address and added it again, but after providing the email address and password it redirects to a localhost URL with the below error. Am I missing something?
How and where I need to enable URL rewriting on webserver? I am running apache2 with php8.0
Furthermore, I unphar'd the plugin, modified it and made it a .phar again instead of doing further changes on the database. So I am trying to work with the .phar file after modifying it to "Prompt=login".
OK, I will do.
Also, would it work this way?
"Furthermore, I unphar'd the plugin, modified it and made it a .phar again instead of doing further changes on the database. So I am trying to work with the .phar file after modifying it to "Prompt=login""
If you packaged it correctly then yes, it should work. You will need to change the database back to add .phar and change isphar back to 1.
Cheers.
Hey Kevin, thanks for your help. The issue has been resolved for us now after making the modification (Prompt = Login) in the plugin and enabling the URL rewrite module on the server.
Is there any update on this plugin or plans to change to 'prompt=login' in future? We're also unable to use it as our users can't consent themselves and admin consent is needed. This is a common setup in environments for security. Even when admin consent is granted, it won't work because prompt=consent forces the prompt each time, which is against Microsoft's best practice.
The developer has configured the application to require a consent prompt every time it is used (note: this behavior isn't best practice).
Following Microsoft's recommendations and best practices, many organizations have disabled or limited users' permission to grant consent to apps. If an application forces users to grant consent every time they sign in, most users will be blocked from using these applications even if an administrator grants tenant-wide admin consent. If you encounter an application which is requiring user consent even after admin consent has been granted, check with the app publisher to see if they have a setting or option to stop forcing user consent on every sign in.
https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/application-sign-in-unexpected-user-consent-prompt
We've never had to rebuild a plugin before and it seems a bit heavy handed, especially for some of our staff who don't have much php or command line experience. It also means it's another thing to be aware of whenever upgrading osTicket/plugins as any new versions will break existing setups again.
Would it be possible to update the official plugin to use prompt=login as it would still accomplish the goal of confirming the email address?
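Added example, not code from the osTicket plugin or from anyone in this thread: a small Python script that builds the Azure AD v2.0 authorize request the plugin sends and reports what the `prompt` setting discussed above means for a helpdesk mailbox. The endpoint path and parameter names are Microsoft's documented ones; the tenant, client ID, redirect URI, scopes and state are constructed placeholders.

```python
"""Build and review an Azure AD v2.0 authorization request.

Added example: the endpoint and parameter names are Microsoft's, everything
else (tenant, client_id, redirect_uri, scopes) is a constructed placeholder.
"""
from urllib.parse import parse_qs, urlencode, urlsplit

# Microsoft identity platform v2.0 authorize endpoint (documented path).
AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"


def build_authorize_url(tenant, client_id, redirect_uri, scopes, state, prompt=None):
    """Return the browser redirect URL for the authorization-code flow."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,
    }
    if prompt:  # e.g. "consent" (current plugin) or "login" (the proposed change)
        params["prompt"] = prompt
    return AUTHORIZE_ENDPOINT.format(tenant=tenant) + "?" + urlencode(params)


def lint_authorize_url(url, expected_redirect_uri):
    """Return findings an admin would want before pointing a mailbox at this request."""
    q = parse_qs(urlsplit(url).query)
    findings = []

    prompt = q.get("prompt", [None])[0]
    if prompt == "consent":
        findings.append("prompt=consent: consent dialog is forced on every sign-in; "
                        "users who cannot self-consent are blocked even after "
                        "tenant-wide admin consent")
    elif prompt == "login":
        findings.append("prompt=login: forces re-authentication so the right mailbox "
                        "account is used, without re-requesting consent")
    elif prompt is None:
        findings.append("no prompt: an existing browser session may be reused, so a "
                        "different signed-in account could be authorized")

    redirect = q.get("redirect_uri", [None])[0]
    if redirect != expected_redirect_uri:
        findings.append(f"redirect_uri {redirect!r} differs from the helpdesk callback "
                        f"{expected_redirect_uri!r}")

    # Azure only issues a refresh token when offline_access is requested.
    if "offline_access" not in q.get("scope", [""])[0].split():
        findings.append("scope lacks offline_access: no refresh token, so the mailbox "
                        "needs interactive re-authorization when the token expires")

    # parse_qs drops empty values, so state="" is reported as missing.
    if not q.get("state"):
        findings.append("missing state: the callback is not bound to this request (CSRF)")
    return findings


if __name__ == "__main__":
    # Constructed sample values, not a real tenant or app registration.
    cb = "https://helpdesk.example.com/api/auth/oauth2"
    scopes = ["openid", "offline_access", "https://outlook.office.com/IMAP.AccessAsUser.All"]
    for p in ("consent", "login"):
        url = build_authorize_url("common", "00000000-0000-0000-0000-000000000000",
                                  cb, scopes, "s3cure-state", prompt=p)
        print(p, "->", lint_authorize_url(url, cb))
```

Run it and compare the two reports: the only difference between the request the plugin currently sends and the one proposed in this thread is the `prompt` value, which is why swapping it inside the unpacked plugin is enough to change Azure's behaviour.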
KevinTheJedi, I would like to ask why basic authentication in OAuth2 is not working?
And also, if I want to authenticate it with my Active Directory, how should I configure the email?
I do not understand your question. Basic Authentication and OAuth2 are completely different and separate.
Cheers.