KevinTheJedi
bbour53

Hi,

I can confirm that setting prompt=login was the only way to make the plugin work with our Azure environment, even with discretionary user consent enabled.

Currently, it seems osTicket is unable to get an OAuth2 token from Azure as long as prompt=consent is used, as in Microsoft's implementation this option is meant to require explicit/interactive admin approval for any new token issuance (see this link's last point). So unless I'm missing something, the current version of the plugin is unusable with Azure.

Setting prompt=login does fix this issue, while still enforcing user login to avoid using the wrong account. Is it possible to push this change upstream in the plugin repository to avoid dealing with manual mods on future updates?

    marinbernard-pep06

    Your statement is untrue. prompt=consent does work and will allow you to get a token. Maybe you have a different setup than most.

    Cheers.

    marinbernard-pep06
    Thanks, I must be missing something because I tried using make.php to make a new phar file, but kept getting an error about an unsupported make function, despite the function being listed in /help, so I kinda gave up trying to remake it.

    8 days later

    I can confirm that setting prompt=login was the only way to make the plugin work with our Azure environment, even with discretionary user consent enabled.

    I couldn't find this option, could someone help from where I can make this change to give it a try?

      abeermuh

      It's in the plugin. You can unphar the plugin, change the plugin record in the database to remove .phar and change isphar to 0, then make the changes there.

      Cheers.

      I am not a programmer, so I'm unsure how this can be done. Could you please post some snapshots?

      After making the change to Prompt = login, I had to reconfigure the plugin from scratch. I also deleted the email address and added it again, but after providing the email address and password it redirects to a localhost URL with the below error. Am I missing something?

        abeermuh

        You either messed something up or URL rewriting is not enabled on your webserver.

        Cheers.

        How and where do I need to enable URL rewriting on the webserver? I am running apache2 with php8.0.

        Furthermore, I unphar'd the plugin, modified it and made it a .phar again instead of making further changes in the database. So I'm trying to work with the .phar file after modifying it to "Prompt=login".

          ok, I will do.

          Also, would that work this way?
          "Furthermore, I unphar the plugin , modified and made it .phar again instead of doing further changes on Database. So trying to work with .phar file after modifying it to "Prompt=login""

            abeermuh

            If you packaged it correctly then yes, it should work. You will need to change the database back to add .phar and change isphar back to 1.

            Cheers.

            Hey Kevin, thanks for your help. The issue has been resolved for us now after making the modification (Prompt = login) in the plugin and enabling the URL rewrite module on the server.

            Is there any update on this plugin or plans to change to 'prompt=login' in future? We're also unable to use it as our users can't consent themselves and admin consent is needed. This is a common setup in environments for security. Even when admin consent is granted, it won't work because prompt=consent forces the prompt each time, which is against Microsoft's best practice.

            The developer has configured the application to require a consent prompt every time it is used (note: this behavior isn't best practice).

            Following Microsoft's recommendations and best practices, many organizations have disabled or limited users' permission to grant consent to apps. If an application forces users to grant consent every time they sign in, most users will be blocked from using these applications even if an administrator grants tenant-wide admin consent. If you encounter an application which is requiring user consent even after admin consent has been granted, check with the app publisher to see if they have a setting or option to stop forcing user consent on every sign in.
            https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/application-sign-in-unexpected-user-consent-prompt

            We've never had to rebuild a plugin before and it seems a bit heavy handed, especially for some of our staff who don't have much php or command line experience. It also means it's another thing to be aware of whenever upgrading osTicket/plugins as any new versions will break existing setups again.

            Would it be possible to update the official plugin to use prompt=login as it would still accomplish the goal of confirming the email address?
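The posts above turn on a single query parameter of the OAuth2 authorization request. As an added illustration (not osTicket or plugin code, and not from any poster), the following Python builds a Microsoft identity platform v2.0 authorization URL with a chosen `prompt` value and then audits a configured URL for the settings this thread identifies as problematic: `prompt=consent`, a missing `state`, and a non-HTTPS `redirect_uri`. The tenant, client id, redirect URI and scopes are constructed placeholders; the PKCE `code_challenge` is included because the platform supports it, not because the plugin uses it.

```python
"""Build and audit an Azure AD (Microsoft identity platform) v2.0 authorization
request, showing where the ``prompt`` parameter from the thread sits.

Added example, not osTicket plugin code. Endpoint shape and the documented
``prompt`` values come from Microsoft's identity platform docs; every other
value here (tenant, client id, redirect URI, scopes) is a constructed placeholder.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"

# Values the Microsoft identity platform documents for ``prompt``.
VALID_PROMPTS = {"login", "none", "consent", "select_account"}


def pkce_challenge(code_verifier: str) -> str:
    """S256 code challenge: base64url(sha256(verifier)) without padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(tenant: str, client_id: str, redirect_uri: str,
                        scopes: list, prompt: str, state: str,
                        code_verifier: str) -> str:
    """Compose the authorization-code request. ``prompt`` is validated so a
    typo such as ``Prompt=Login`` cannot silently be ignored by the server."""
    if prompt not in VALID_PROMPTS:
        raise ValueError(f"unsupported prompt value: {prompt!r}")
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,                      # ties the redirect to this request
        "prompt": prompt,
        "code_challenge": pkce_challenge(code_verifier),
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_ENDPOINT.format(tenant=tenant) + "?" + urlencode(params)


def audit_authorize_url(url: str) -> list:
    """Return human-readable findings for a configured authorize URL."""
    qs = parse_qs(urlsplit(url).query)
    findings = []
    prompt = qs.get("prompt", [None])[0]
    if prompt == "consent":
        findings.append(
            "prompt=consent forces a consent prompt on every sign-in; where user "
            "consent is disabled this blocks sign-in even after tenant-wide admin "
            "consent. prompt=login still forces credential entry without that effect.")
    if "state" not in qs:
        findings.append("missing state: the redirect cannot be bound to the request (CSRF).")
    redirect = qs.get("redirect_uri", [""])[0]
    if urlsplit(redirect).scheme != "https":
        findings.append(f"redirect_uri {redirect!r} is not HTTPS; the authorization "
                        "code would travel in clear text.")
    return findings


if __name__ == "__main__":
    verifier = secrets.token_urlsafe(48)
    common = dict(tenant="contoso.example", client_id="00000000-placeholder",
                  redirect_uri="https://helpdesk.example/api/auth/oauth2",
                  scopes=["openid", "email", "offline_access"],
                  state=secrets.token_urlsafe(16), code_verifier=verifier)
    for p in ("consent", "login"):
        url = build_authorize_url(prompt=p, **common)
        print(f"prompt={p}: {audit_authorize_url(url) or 'no findings'}")
```

Running the block prints a finding for the `consent` variant and none for `login`; the same `audit_authorize_url` function can be pointed at whatever URL a deployed plugin actually sends (captured from the browser's address bar at the redirect) to confirm which `prompt` value is in effect after a rebuild.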

              a month later

              KevinTheJedi I would like to ask why the basic authentication in Oauth2 is not working?
              And also, if I want to authenticate it with my Active Directory, how should I configure the email?

                xomxom

                I do not understand your question. Basic Authentication and OAuth2 are completely different and separate.

                Cheers.

                  xomxom I would like to ask why the basic authentication in Oauth2 is not working?

                  Basic Authentication and OAuth2 have nothing to do with each other?
                  You cannot use Basic Auth in OAuth2.
                  Basic Authentication is one way to authenticate.
                  OAuth2 is another way to authenticate.
                  Companies like Microsoft and Google have deprecated Basic Authentication, so you have to use alternatives like OAuth2 now.

                  If you want to authenticate to your local AD then you would use the Authentication::LDAP and AD plugin from osticket.com/download

                    KevinTheJedi
                    As you can see in this image, I wanted to configure my email, but in the authentication I have to choose one of the options, so when I chose basic authentication, it says invalid username or password. So I am not able to configure the email.