OAuth2 Plugin Error: Page 2

OAuth2 Plugin Error

bbour53

KevinTheJedi
I am an azure security administrator advising a user on setting up your application and do not have direct access or knowledge of your product. ~~Could you elaborate on what you mean by "you can simply remove it" so that the user can configure your application properly for this use case?~~

EDIT: Found the settings in the oauth2.php file: https://github.com/osTicket/osTicket-plugins/blob/develop/auth-oauth2/oauth2.php

Note that if no administrator has performed admin consent for the application in the environment and users are permitted to perform consent for third party applications, they will still receive the consent prompt and confirmation of the email address without the prompt setting explicitly set. You may be better served using the prompt=login or prompt=select_account flags if that is your goal, not prompt=consent.

lstrom

bbour53

Good Afternoon,

You mention that you found the settings in the oauth2.php file (I also was able to locate within the file), but would you mind expanding on how you made the change (if you were able to)?

marinbernard-pep06

KevinTheJedi
bbour53

Hi,

I can confirm that setting prompt=login was the only way to make the plugin work with our Azure environment, even with discretionary user consent enabled.

Currently, it seems osTicket is unable to get an oAuth2 token from Azure as long as prompt=consent is used, as in Microsoft's implementation, this option is meant to require explicit/interactive admin approval for any new token issuance (see this link's last point). So unless I'm missing something, the current version of the plugin is unusable with Azure.

Setting prompt=login does fix this issue, while still enforcing user login to avoid using the wrong account. is it possible to push this change upstream in the plugin repository to avoid dealing with manual mods on future updates ?

CPC

I'm not sure if i'm going about this correctly but under the concept of removing the line we don't need I have tried following the instructions from https://github.com/osTicket/osTicket-plugins but I'm having some issues.

I have downloaded the repo, successfully hydrated, then modified the oauth2.php to comment out line 640. I then ran the build command and it has given me an auth-oauth2.phar. I have copied this into my includes/plugin folder and successfully activated it in osTicket however when I then go to configure the authentication the popup box containing all the IDP info is just blank.

laneg

I am experiencing the same issue as CPC

I have ensured the plugin entries in the DB were cleared when I attempted removing the plugin to reinstall it.

TAS

See this post...
https://forum.osticket.com/d/101637-imap-fetching-microsoft-oauth2

laneg

For anyone else, TAS solved it.
Delete associated email from system, readd.

marinbernard-pep06

lstrom

Hi,

Juste clone the osticket-plugins repository, edit the file, and use make.php to build an updated phar file.

lstrom

marinbernard-pep06
Thanks, I must be missing something because I tried using the make.php to make a new phar file, but kept getting an error about an unsupported make function, despite the function being listed in /help so I kinda gave up trying to remake it.

KevinTheJedi

marinbernard-pep06

Your statement is untrue. prompt=consent does work and will allow you to get a token. Maybe you have a different setup than most.

Cheers.

abeermuh

I can confirm that setting prompt=login was the only way to make the plugin work with our Azure environment, even with discretionary user consent enabled.

I couldn't find this option, could someone help from where I can make this change to give it a try?

KevinTheJedi

abeermuh

It's in the plugin. You can unphar the plugin, change the plugin record in the database to remove .phar and change isphar to 0, then make the changes there.

Cheers.

abeermuh

I am not a programmer so unsure on how this can be done. If you could place some snapshots please?

abeermuh

after making changes per Prompt = login , I had to reconfigure the Plugin from scratch also deleted the email address and added again, but after providing email address and password it redirects to localhost URL with the below error. Am i missing something?

KevinTheJedi

abeermuh

You either messed something up or URL rewriting is not enabled on your webserver.

Cheers.

abeermuh

How and where I need to enable URL rewriting on webserver? I am running apache2 with php8.0

abeermuh

Furthermore, I unphar the plugin , modified and made it .phar again instead of doing further changes on Database. So trying to work with .phar file after modifying it to "Prompt=login"

KevinTheJedi

abeermuh

You can google as it depends on your server distribution.

Cheers.

abeermuh

ok, I will do.

Also, would that work this way??
"Furthermore, I unphar the plugin , modified and made it .phar again instead of doing further changes on Database. So trying to work with .phar file after modifying it to "Prompt=login""

KevinTheJedi

abeermuh

If you packaged it correctly then yes, it should work. You will need to change the database back to add .phar and change isphar back to 1.

Cheers.

« Previous Page Next Page »