OAuth SCP login redirecting to Client page

FIASJason

I've upgraded from 1.15 to 1.17 to resolve the Modern Authentication issue, and I'm trying to set up Oauth for staff and client logins.

I've followed the instructions in the Microsoft SSO guide to set up SSO for a single tenant and verified that the login is correct. However, after the SSO authentication is completed, instead of returning to the Agent control panel, I'm redirected to the default client instance.

My App registration in Azure has a redirect URI of https://helpdesk.domain/api/auth/oauth2.

My Oauth instance matches the Azure settings as per the guide referenced above.

I've checked the user attribute mapping fields in Graph Explorer and verified that the attributes and values match the values in the ost_staff table.

After attempting to log in using SSO, the browser appears to load for a few minutes, then redirects to the client home page.

URL redirection is enabled and appears to be working.

I can see the following in the IIS logs:
2022-10-31 05:26:31 172.20.3.20 GET /scp/ - 443 - 172.17.3.159 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/107.0.0.0+Safari/537.36 - 302 0 0 1210
2022-10-31 05:26:32 172.20.3.20 GET /scp/login.php - 443 - 172.17.3.159 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/107.0.0.0+Safari/537.36 - 422 0 0 1247
2022-10-31 05:26:37 172.20.3.20 GET /scp/login.php do=ext&bk=oauth2.agent.p5i6 443 - 172.17.3.159 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/107.0.0.0+Safari/537.36 https://helpdesk.domain/scp/login.php 302 0 0 1186
2022-10-31 05:29:02 172.20.3.20 GET /api/auth/oauth2 code=0.AWcAE_ldsYXn6ka9uETZYbW0kZe-kMJgHqdHoy_GKN8azIZBAAE.[truncated]&state=47c573507ef2ea61c30690*******&session_state=34756337---*-c65fc1fd8efc 443 - 172.17.3.159 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/107.0.0.0+Safari/537.36 https://helpdesk.domain/ 302 0 0 145216
2022-10-31 05:29:04 172.20.3.20 GET / - 443 - 172.17.3.159 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/107.0.0.0+Safari/537.36 https://helpdesk.domain/ 200 0 0 1250

It seems that the SSO is working and returning a token. osTicket is then redirecting to the root instead of /scp.

I have spent the entire day browsing through the forums looking for related topics. I've found a few related discussions, but none seem to have a solution.

Any assistance is appreciated.

KevinTheJedi

FIASJason

Your Client ID does not look right at all.

Cheers.

FIASJason

I obfuscated part of the Client ID for privacy reasons. It does match the client ID in Azure App Registrations:

KevinTheJedi

FIASJason

Did you include or remove the dashes though? You’re supposed to remove them when pasting in osTicket.

Cheers.

FIASJason

KevinTheJedi
I was following the guide, which simply said to paste the Client ID

I've removed the hyphens from the Client ID as suggested, and I'm getting the same results.

KevinTheJedi

FIASJason

After clicking the copy icon, you don’t need to manually copy that. I thought that was pretty obvious plus the screenshots show no dashes.

Then something isn’t right then. Please follow the documentation exactly. Also, check your webserver logs to see if the URL is being blocked or if URL Rewriting is enabled.

Cheers.

FIASJason

KevinTheJedi

I'm not sure I understand you. The screenshot I posted is from your documentation on setting up SSO using Oauth, and clearly shows the dashes in the client ID field.

I have followed the documentation exactly. I will remove the Oauth instance and try again, just to be certain.
Also, I posted the webserver log in my first post showing that the server was redirecting a request for https://helpdesk.domain/scp/login.php to https://helpdesk.domain/

Also, when I attempted to go to https://helpdesk.domain/api/auth/oauth2 I am redirected to https://helpdesk.domain/api

2022-11-01 23:51:53 172.20.3.20 GET /api/auth/oauth2 - 443 - 172.17.3.159 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/107.0.0.0+Safari/537.36 - 302 0 0 1258
2022-11-01 23:51:54 172.20.3.20 GET / - 443 - 172.17.3.159 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/107.0.0.0+Safari/537.36 - 200 0 0 1295

I appreciate your assistance.

KevinTheJedi

FIASJason

Maybe it is, it was very early in the morning and I’m going off memory; my apologies.

You can try that as well. Can you try an incognito/private window and see? Maybe it’s holding on to an old session or something.

Cheers.

FIASJason

KevinTheJedi
I removed the SSO instance and the App registration, then rec-created everything following the guide. I'm still being redirected to the client login after attempting to log in with SSO.

I also tried an incognito window - same results.

I noticed these entries in my php80-errors.log - are they of any concern?
PHP Warning: PHP Startup: Unable to load dynamic library 'php_gd2.dll'
PHP Warning: PHP Startup: Unable to load dynamic library 'php_xmlrpc.dll'

KevinTheJedi

FIASJason

No those are irrelevant. I would check your other logs (general server logs, webserver error logs, PHP error logs, MySQL/MariaDB error logs, osTicket System Logs, Browser Console logs, etc.). Also don’t try to login with local creds first, just open a new incognito/private window and only test SSO.

Cheers.

FIASJason

KevinTheJedi

I've tested in an incognito window, SSO login only.

Chrome shows that the redirect is working OK, but it seems to have taken an incredibly long time (assuming I'm reading this right).

No errors in the MySQL log.
No errors in the osTicket System log
No errors in the browser console
No errors in the IIS logs

KevinTheJedi

FIASJason

That is definitely weird. Have you double checked your settings to ensure you have the correct Secret, Client ID, etc.? Can you explicitly set the Agent's backend to SSO and retest? Have you tried changing to PHP 8.1?

Cheers.

FIASJason

KevinTheJedi

I've updated to PHP 8.1.12

And set my agent login to SSO only

And I've just noticed that my username is not my email address (which is what I'd be using for SSO). I'll create a new agent and set their username to their email address and try again.

I really hope it wasn't something that simple...

[Edit] It looks like I can't use the @ symbol in the username field.

FIASJason

Client ID/Secrets etc match:

Whitebread

Hello,
just asking if you have an update @FIASJason on this issue? I have the same issue and don't understand what I'm doing wrong.

FIASJason

Whitebread
Sorry, no update at this stage. SSO is not working.

JuVDC

Same thing here, getting redirected to the main homepage without being logged in... 🙁

KevinTheJedi

JuVDC

Have you upgraded to v1.17.2 and installed the new OAuth2 Plugin?

Cheers.

JuVDC

KevinTheJedi
Hey Kev, I am on 1.17.1. Will try with 1.17.2. You think this will solve it?

DidierCaamano

I wonder if you found a solution, I have a similar issue

KevinTheJedi

JuVDC

I'm unable to replicate this so I'm almost sure it will.

Cheers.

FIASJason

JuVDC Please provide an update once you've updated. I would be very interested in the results.