Hey Kevin, thanks for your help. The issue has been resolved now for us after making the modification (Prompt = Login) in Plugin and enabling the URL rewrite module on server.

Is there any update on this plugin or plans to change to 'prompt=login' in future? We're also unable to use it as our users can't consent themselves and admin consent is needed. This is a common setup in environments for security. Even when admin consent is granted, it won't work because prompt=consent forces the prompt each time, which is against Microsoft's best practice.

The developer has configured the application to require a consent prompt every time it is used (note: this behavior isn't best practice).

Following Microsoft's recommendations and best practices, many organizations have disabled or limited users' permission to grant consent to apps. If an application forces users to grant consent every time they sign in, most users will be blocked from using these applications even if an administrator grants tenant-wide admin consent. If you encounter an application which is requiring user consent even after admin consent has been granted, check with the app publisher to see if they have a setting or option to stop forcing user consent on every sign in.
https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/application-sign-in-unexpected-user-consent-prompt

We've never had to rebuild a plugin before and it seems a bit heavy handed, especially for some of our staff who don't have much php or command line experience. It also means it's another thing to be aware of whenever upgrading osTicket/plugins as any new versions will break existing setups again.

Would it be possible to update the official plugin to use prompt=login as it would still accomplish the goal of confirming the email address?

    a month later

    KevinTheJedi I would like to ask why the basic authentication in OAuth2 is not working?
    And also, if I want to authenticate it with my Active Directory, how should I configure the email?

      xomxom

      I do not understand your question. Basic Authentication and OAuth2 is completely different and separate.

      Cheers.

        xomxom I would like to ask why the basic authentication in OAuth2 is not working?

        Basic Authentication and OAuth2 have nothing to do with each other?
        You cannot use Basic Auth in OAuth2.
        Basic Authentication is one way to authenticate.
        OAuth2 is another way to authenticate.
        Companies like Microsoft and Google have deprecated Basic Authentication, so you have to use alternatives like OAuth2 now.

        If you want to authenticate to your local AD then you would use the Authentication::LDAP and AD plugin from osticket.com/download

          KevinTheJedi
          As you can see in this image, I wanted to configure my email, but in the authentication I have to choose one of the options, so when I chose basic authentication, it says invalid username or password. So I am not able to configure the email.

          xomxom

          You can't use basic auth with Gmail nor O365 anymore. With Gmail you can either:

          1. Enable 2FA, configure an App Password, and use the email and app password to authenticate.
          2. Configure OAuth2.

          Cheers.

          2 months later

          Bobbed2447 Is there any update on this plugin or plans to change to 'prompt=login' in future?

          Does anyone know if there are any plans to change the 'prompt=consent' to 'prompt=login' in future for this plugin to allow secure environments to run this without making modifications to the plugin itself?

            KevinTheJedi

            Oh wow that's amazing! I did check the plugin Github page before I posted but thought it didn't show any new changes. That's awesome, thanks! Will update and try it out.

              Bobbed2447

              My bad, we did merge it but I forgot it’s not released yet. I’ve been running the un-phar build with the changes applied. My fault.

              Just to provide context, we completely removed the prompt tag (as recommended in their docs/examples) so it’s now up to MS to determine what to show.

              Update:
              Wait, I see it was merged on Nov 3rd which should’ve been included in the latest release. It’s early af rn so I’m blanking. I’ll double check in a bit.

              Update 2:
              Yea not released yet. But will be very soon. Sorry for the confusion.

              Cheers.

              4 days later

              I too am hoping that this gets released soon. With MS killing basic auth this has crippled our help desk. Thanks for all you do.
