OAuth issues v1.17

PSteward

Hello!

I installed the new osTicket (fresh for testing, only the OAuth plug-in):
osTicket Version v1.17 (1d8b790) — Up to date
Web Server Software Apache
MySQL Version 5.7.39
PHP Version 8.0.23

And I am having an issue when I go to authentic the email address after it logs-in, the redirect is to the sign-in page of osTicket and it doesn't seem to complete the entry. I read of people removing lines in an old variation of osTicket but those lines do not exist to change, so I'm not sure what next steps are.

Thanks,

--Phil

KevinTheJedi

PSteward

Either you don't have URL rewrite enabled for Apache or you don't have something configured properly.

Cheers.

PSteward

When I purposely mess up the client_id (so that it produces this error) the redirect back is good:

It's only if the authentication is correct it redirects to the sign-in screen.....

KevinTheJedi

PSteward

Then it sounds like the former part of my previous post:

... you don't have URL rewrite enabled for Apache ...

Cheers.

PSteward

As it's not my server (CPANEL), how can I verify if it's enabled (or enable it)?

KevinTheJedi

PSteward

Contact your server admin or hosting provider for further assistance.

Cheers.

PSteward

I did this test:
https://www.templatemonster.com/help/how-to-check-whether-mod_rewrite-is-enabled-on-server.html

And it caused the base folder to redirect to the php file in question, implying that it is indeed enabled.
This worked -> RewriteRule ^.*$ mod_rewrite.php

KevinTheJedi

PSteward

So your issue is resolved now?

Cheers.

PSteward

Hey Kevin,

No, just confirmed that mod_rewrite is enabled and works but the issue with osTicket remains.

KevinTheJedi

PSteward

Did you make sure your Redirect URL was indeed correct? Also, please look at the requests when redirecting back to see if it's truly going to the api/oauth2 url. You should see something like 403 or 500 or something which would indicate your URL rewriting isn't properly configured or maybe your host is doing something weird when it's redirecting back.

Cheers.

PSteward

I changed http.php last line to:
print Osticket::get_path_info();
And it stopped the redirect. In the URL I see on browser now there is microsoft error:

+is+not+configured+as+a+multi-tenant+application.+Usage+of+the+%2fcommon+endpoint+is+not+supported+for+such+applications+created+after+%2710%2f15%2f2018%27

So I guess there is an issue with the configuration (on the Microsoft side) and it breaks the redirect and doesn't present the error.

B0ydie

PSteward

I got that error when I forgot to add the tennat id to the authrisation and token end point. The default ones are for multi tenant and I had it set as single.

PSteward

B0ydie
Yeah, it appears I need to do this for Multi-tenant too:
Starting November 9th, 2020 end users will no longer be able to grant consent to newly registered multitenant apps without verified publishers. <-- MPN ID
Is there a quick way around, or this is the only way?

B0ydie

PSteward

set it to single mode?

PSteward

B0ydie
Ah, I understand. I put my "tenant id" (from https://portal.azure.com/#view/Microsoft_AAD_IAM/TenantPropertiesBlade) instead of "common" in the URL for Authorization Endpoint and Token Endpoint. It does kick back to osTickey but with a
"invalid_client" error.

KevinTheJedi

PSteward

Please follow the documentation steps as listed. You would see that you need to go to App registrations, click the app, go to the Overview tab, and click Endpoints for the actual endpoints to use (v2 Authorization/Token endpoints).

Cheers.

Whitebread

And I am having an issue when I go to authentic the email address after it logs-in, the redirect is to the sign-in page of osTicket and it doesn't seem to complete the entry.

Hi,
I have the same issue but on Windows Server 2019 and IIS. URL Rewrite is installed and enabled.

I tested it with Single Tenant Endpoints and Multitenant Endpoints (with the correct URLs).

KevinTheJedi

Whitebread

That is not how you setup email authorization. Please follow our documentation step-by-step but instead use Multi-Tenant setup:

https://docs.osticket.com/en/latest/OAuth2/Microsoft%20Authorization%20Guide.html

Cheers.