I have been trying to get OAuth set up with Microsoft. I ended up deleting the instance, and now I am trying to add it back, but the plugin just hangs at loading. And I am getting the below error. I have even tried removing and reinstalling the plugin, but it still gives the same error now.

PHP Fatal error: Uncaught Error: Call to a member function setConfigClass() on null in phar://C:/inetpub/app.xxx.com/public/support/include/plugins/auth-oauth2.phar/oauth2.php:586
Stack trace:
#0 C:\inetpub\app.xxx.com\public\support\include\class.email.php(671): GenericEmailOauth2Provider->getPluginInstance()
#1 C:\inetpub\app.xxx.com\public\support\include\ajax.email.php(26): EmailAccount->saveAuth()
#2 C:\inetpub\app.xxx.com\public\support\include\class.dispatcher.php(151): EmailAjaxAPI->configureAuth()
#3 C:\inetpub\app.xxx.com\public\support\include\class.dispatcher.php(38): UrlMatcher->dispatch()
#4 C:\inetpub\app.xxx.com\public\support\include\class.dispatcher.php(120): Dispatcher->resolve()
#5 C:\inetpub\app.xxx.com\public\support\include\class.dispatcher.php(38): UrlMatcher->dispatch()
#6 C:\inetpub\app.xxx.com\public\support\scp\ajax.php(326): Dispatcher->resolve()
#7 {main}
thrown in phar://C:/inetpub/app.xxx.com/public/support/include/plugins/auth-oauth2.phar/oauth2.php on line 586


Please help us to help you by reading and following the posting guidelines located in this thread: Please read before requesting assistance. The more information you give us the better we will be able to assist you. Thank you.

Environment details? (see Admin panel -> Dashboard -> Information)
settings?
etc

    ntozier

    Sorry for not providing enough information. I hope this helps.

    osTicket Version: v1.17-rc4
    Web Server Software: Microsoft-IIS/10.0
    MySQL Version: 10.4.8
    PHP Version: 8.0.21

    Steps to reproduce my issue:

    1. Install and enable the Oauth2 Client Plugin via: Admin Panel > Manage > Plugins
    2. Configure the plugin via: Emails > <select email address> > Remote Mailbox > Authentication > OAuth2 - Microsoft > Config.
    3. I was having a problem getting the plugin to work without giving the mailbox user Global Admin rights within Azure, so after a bunch of troubleshooting I decided to delete the instance of the plugin by going to: Manage > Plugins > Oauth2 Client > Instances > Delete Instance.

    I can now no longer set up the plugin via step 2 above. It just spins saying "loading...", and the dev console in the browser shows the error provided in my original post. I need to get this resolved by October 1, or I am going to be up a creek. As I mentioned, I have even deleted and re-installed the plugin without any luck. I have no idea where to go from here without doing a completely new installation, which isn't an option, as I would lose all history and settings. My backup is now from too long ago to restore, as too many tickets have already come through on this current install.

    Try this:

    1. go to Admin panel -> Settings -> System put the system in Offline mode.
    2. go to Admin panel -> Emails -> Settings, change the default system emails and alert emails to something else.
    3. go to Admin panel -> Emails -> Emails
      make note of the settings and such that you used in this page.
      delete the email that you setup OAuth2 with.
    4. go to Admin panel -> Manage -> Plugins
      disable the oauth plugin.
      delete the plugin
    5. re-download the oauth plugin from osticket.com/download
    6. re-install the plugin.
    7. configure the plugin.
    8. go to Admin panel -> Emails -> Emails
      Add a new email.
      re-setup the email you deleted earlier
    9. go to Admin panel -> Emails -> Settings, change the default system emails and alert emails to the newly re-setup email
    10. go to Admin panel -> Settings -> System put the system in Online mode.

    These two links should help you set up the OAuth plugin.
    https://forum.osticket.com/d/96893-basic-authentication-retirement-for-legacy-protocols-in-exchange-online/138

    https://github.com/osTicket/docs/blob/3b6b623c026c15bb267e404a4afd72b19d29f035/OAuth2/Microsoft%20Authorization%20Guide.rst

      ntozier

      Thank you! This worked. Now I am back to my initial problem of the app needing admin consent, when I have already granted admin consent on the App Registration in Azure. See below:


        dschuett

        For that you’ll need to google for some answers or contact Microsoft as that's outside the scope of osTicket.

        Cheers.

        dschuett
        Your admin needs to add that account to the user list or group
        it's under Enterprise applications>All applications>Whatever you named your app

          dschuett
          I had the same issue, after about 30 minutes with Microsoft it now seems to work. I had to remove consents then re-add consents in the azure panel then it stopped asking for admin rights.

            B0ydie I have a case open with Microsoft as I feel that I am having the same issue as you. I did remove/re-add consent first, but it didn't work.

              dschuett

              So evidently what worked was basically removing restrictions on Azure, then putting them back once it's logged in. It is a security risk to a point. This is what MS sent me to fix it:

              1. Log in to the Azure Active Directory admin center.
              2. Go to Enterprise applications > Consent and permissions > User consent settings.
              3. Under User consent for applications, select Allow user consent for apps

              Then I put it back to normal after it's logged in; once it has its keys it seemed to work.

                dschuett

                Not the best way of doing it, and I have reported it to MS, but if it works it works.
                Has anyone managed to get SMTP send via OAuth working? I added it to my scope etc., but when I press save I get an authentication error. I'm also getting issues with cron (not having much luck).

                Here is my response from Microsoft. It does look like this is a bug on the osTicket side because offline_access is set to consent in the response from osTicket.

                My name is Treyce and I am with the Azure Enterprise App team and I am the senior engineer for Pooja and she has requested I take a look at this case.

                While looking at the Fiddler trace we see that the application in its auth request is prompting for consent. This request is from https://app.xxxx.com/support/api/auth/oauth2. Even if Azure has admin consent granted, if the service that sends the request prompts for consent, it will always require consent even if consent is granted. You are going to want to reach out to the developers of the application so they can remove that request.

                If you go to result 205 in the Fiddler trace, we reach https://app.xxx.com/support/scp/emails.php?id=15&do=autho&bk=oauth2:msmail:7:10 and from there we get redirected to https://login.microsoftonline.com/1beafdf1-de07-46b2-b25d-c5bbac9a0434/oauth2/v2.0/authorize?tenant=common&accessType=offline_access&prompt=consent&state=fec795f5dd1c9826af210bea61a44349&scope=offline_access%20https%3A%2F%2Foutlook.office.com%2FMail.ReadWrite&response_type=code&redirect_uri=https%3A%2F%2Fapp.xxx.com%2Fsupport%2Fapi%2Fauth%2Foauth2&client_id=3dbecd45-407a-4fc2-a906-21f2a3ae33c8, and in this redirect you can see the application is sending prompt=consent.

                  dschuett
                  This is spot on. In my environment, the application registration is configured with all the relevant rights, admin consent is granted, and our admin consent configuration should not require this application to have admin consent performed as all the permissions have been set to allow for user consent.

                  https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
                  The prompt field is optional, and as configured within osTicket, is forcing the consent dialog at each sign on attempt. I believe that the prompt=consent item needs to be removed.

                  https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent#requesting-individual-user-consent
                  If consent doesn't exist for the user, or admin consent doesn't exist, a user will be prompted for consent after successful auth. This does not require the prompt parameter to be set.

                    bbour53

                    We are not going to remove it but make it optional later in the future. We have the consent prompt to verify and make sure you are authorizing the right email. For now, you can simply remove it if you don't want/need it but we will make it optional later on.

                    Cheers.

                      KevinTheJedi
                      I am an Azure security administrator advising a user on setting up your application and do not have direct access or knowledge of your product. Could you elaborate on what you mean by "you can simply remove it" so that the user can configure your application properly for this use case?

                      EDIT: Found the settings in the oauth2.php file: https://github.com/osTicket/osTicket-plugins/blob/develop/auth-oauth2/oauth2.php

                      Note that if no administrator has performed admin consent for the application in the environment and users are permitted to perform consent for third party applications, they will still receive the consent prompt and confirmation of the email address without the prompt setting explicitly set. You may be better served using the prompt=login or prompt=select_account flags if that is your goal, not prompt=consent.
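The check the Microsoft engineer did by hand on the Fiddler trace, written as a small audit script. This is an added example, not osTicket plugin code; the sample authorize URL below is constructed with placeholder tenant and client ids, and `helpdesk.example.com` stands in for the helpdesk host.

```python
"""Audit an OAuth2 authorization request URL the way the Fiddler trace in this
thread was read: extract the Microsoft identity platform parameters and flag
settings that cause repeated consent prompts or a broken callback.
Added example, not osTicket plugin code; the sample URL is constructed."""
from urllib.parse import urlsplit, parse_qs

# prompt values documented for the v2.0 authorize endpoint
KNOWN_PROMPTS = {"login", "none", "consent", "select_account"}


def audit_authorize_url(url: str, expected_redirect: str) -> dict:
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    # path is /<tenant>/oauth2/v2.0/authorize
    tenant = parts.path.strip("/").split("/")[0]
    scopes = q.get("scope", "").split()
    findings = []
    prompt = q.get("prompt")
    if prompt == "consent":
        findings.append("prompt=consent forces the consent dialog on every sign-in, "
                        "even after tenant-wide admin consent; use login or "
                        "select_account if the goal is only to confirm the account")
    elif prompt is not None and prompt not in KNOWN_PROMPTS:
        findings.append(f"unknown prompt value {prompt!r}")
    if "offline_access" not in scopes:
        findings.append("no offline_access scope: no refresh token, so mailbox "
                        "polling stops when the access token expires")
    if q.get("redirect_uri") != expected_redirect:
        findings.append(f"redirect_uri {q.get('redirect_uri')!r} does not match the "
                        f"expected callback {expected_redirect!r} (check the helpdesk "
                        "URL and URL rewriting)")
    if q.get("response_type") != "code":
        findings.append("response_type is not 'code': not the authorization code flow")
    if not q.get("state"):
        findings.append("state missing: callback cannot be bound to this request")
    return {"tenant": tenant, "client_id": q.get("client_id"), "prompt": prompt,
            "scopes": scopes, "redirect_uri": q.get("redirect_uri"),
            "findings": findings}


# Constructed sample mirroring the shape of the redirect quoted in the thread;
# the tenant and client ids are placeholders, not real values.
SAMPLE_URL = ("https://login.microsoftonline.com/00000000-0000-0000-0000-000000000001"
              "/oauth2/v2.0/authorize?prompt=consent&state=abc123"
              "&scope=offline_access%20https%3A%2F%2Foutlook.office.com%2FMail.ReadWrite"
              "&response_type=code"
              "&redirect_uri=https%3A%2F%2Fhelpdesk.example.com%2Fsupport%2Fapi%2Fauth%2Foauth2"
              "&client_id=00000000-0000-0000-0000-000000000002")
EXPECTED_REDIRECT = "https://helpdesk.example.com/support/api/auth/oauth2"

if __name__ == "__main__":
    report = audit_authorize_url(SAMPLE_URL, EXPECTED_REDIRECT)
    for finding in report["findings"]:
        print("FINDING:", finding)
```

Paste the `login.microsoftonline.com/.../authorize?...` URL from your own browser dev tools or proxy trace in place of the sample to see which of the three complaints in this thread (consent prompt, missing refresh token, localhost redirect) applies to your setup.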

                        I'm not sure if i'm going about this correctly but under the concept of removing the line we don't need I have tried following the instructions from https://github.com/osTicket/osTicket-plugins but I'm having some issues.

                        I have downloaded the repo, successfully hydrated, then modified the oauth2.php to comment out line 640. I then ran the build command and it has given me an auth-oauth2.phar. I have copied this into my includes/plugin folder and successfully activated it in osTicket however when I then go to configure the authentication the popup box containing all the IDP info is just blank.


                          I am experiencing the same issue as CPC

                          I have ensured the plugin entries in the DB were cleared when I attempted removing the plugin to reinstall it.

                          For anyone else, TAS solved it.
                          Delete associated email from system, readd.


                          bbour53

                          Good Afternoon,

                          You mention that you found the settings in the oauth2.php file (I also was able to locate within the file), but would you mind expanding on how you made the change (if you were able to)?

                            KevinTheJedi
                            bbour53

                            Hi,

                            I can confirm that setting prompt=login was the only way to make the plugin work with our Azure environment, even with discretionary user consent enabled.

                            Currently, it seems osTicket is unable to get an OAuth2 token from Azure as long as prompt=consent is used, as in Microsoft's implementation this option is meant to require explicit/interactive admin approval for any new token issuance (see this link's last point). So unless I'm missing something, the current version of the plugin is unusable with Azure.

                            Setting prompt=login does fix this issue, while still enforcing user login to avoid using the wrong account. Is it possible to push this change upstream in the plugin repository to avoid dealing with manual mods on future updates?

                              marinbernard-pep06

                              Your statement is untrue. prompt=consent does work and will allow you to get a token. Maybe you have a different setup than most.

                              Cheers.

                              marinbernard-pep06
                              Thanks, I must be missing something because I tried using the make.php to make a new phar file, but kept getting an error about an unsupported make function, despite the function being listed in /help so I kinda gave up trying to remake it.


                              I can confirm that setting prompt=login was the only way to make the plugin work with our Azure environment, even with discretionary user consent enabled.

                              I couldn't find this option, could someone help from where I can make this change to give it a try?

                                abeermuh

                                It's in the plugin. You can unphar the plugin, change the plugin record in the database to remove .phar and change isphar to 0, then make the changes there.

                                Cheers.

                                I am not a programmer so unsure on how this can be done. If you could place some snapshots please?

                                After making changes per prompt=login, I had to reconfigure the plugin from scratch and also deleted the email address and added it again, but after providing the email address and password it redirects to a localhost URL with the below error. Am I missing something?

                                  abeermuh

                                  You either messed something up or URL rewriting is not enabled on your webserver.

                                  Cheers.

                                  How and where I need to enable URL rewriting on webserver? I am running apache2 with php8.0

                                  Furthermore, I unphared the plugin, modified it and made it .phar again instead of doing further changes on the database. So I am trying to work with the .phar file after modifying it to "prompt=login".

                                    ok, I will do.

                                    Also, would that work this way?
                                    "Furthermore, I unphared the plugin, modified it and made it .phar again instead of doing further changes on the database. So I am trying to work with the .phar file after modifying it to "prompt=login""

                                      abeermuh

                                      If you packaged it correctly then yes, it should work. You will need to change the database back to add .phar and change isphar back to 1.

                                      Cheers.

                                      Hey Kevin, thanks for your help. The issue has been resolved now for us after making the modification (prompt=login) in the plugin and enabling the URL rewrite module on the server.

                                      Is there any update on this plugin or plans to change to 'prompt=login' in future? We're also unable to use it as our users can't consent themselves and admin consent is needed. This is a common setup in environments for security. Even when admin consent is granted, it won't work because prompt=consent forces the prompt each time, which is against Microsoft's best practice.

                                      The developer has configured the application to require a consent prompt every time it is used (note: this behavior isn't best practice).

                                      Following Microsoft's recommendations and best practices, many organizations have disabled or limited users' permission to grant consent to apps. If an application forces users to grant consent every time they sign in, most users will be blocked from using these applications even if an administrator grants tenant-wide admin consent. If you encounter an application which is requiring user consent even after admin consent has been granted, check with the app publisher to see if they have a setting or option to stop forcing user consent on every sign in.
                                      https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/application-sign-in-unexpected-user-consent-prompt

                                      We've never had to rebuild a plugin before and it seems a bit heavy handed, especially for some of our staff who don't have much php or command line experience. It also means it's another thing to be aware of whenever upgrading osTicket/plugins as any new versions will break existing setups again.

                                      Would it be possible to update the official plugin to use prompt=login as it would still accomplish the goal of confirming the email address?


                                        KevinTheJedi I would like to ask why the basic authentication in OAuth2 is not working?
                                        And also, if I want to authenticate it with my Active Directory, how should I configure the email?

                                          xomxom

                                          I do not understand your question. Basic Authentication and OAuth2 is completely different and separate.

                                          Cheers.