rblake

Let me go back and ask in your current setup did you authorize as a different account than the email? If so we’ve seen a bug where it’s using the Authorizer's account to attempt to connect to IMAP/POP3 and SMTP. We are working on a patch to address this and I’ll let you know once that’s available.

To test this try adding the email as an Application Admin (meaning they are admin only for this app) and consent/authorize as the email itself. If that works then your issue is definitely what I mentioned above.

Cheers.

    @KevinTheJedi Just as an FYI, with the other tool I use, you don't need Application Administrator access to get OAuth2 to work, you can just log in as that user without any admin rights and it will work.

      rblake

      Not sure how as you have to consent to the permissions and I believe you have to be an admin to consent. Is the other registered app a published app or something?

      Cheers.

        rblake

        To give you an update, I was able to replicate the error. We have since addressed the Resource Owner part so that it doesn’t use the authorizer’s account for the auth request; instead it uses the real email/alias, but we are still getting the same error. We are going to debug deeper on Monday to see what else we are missing. It has to be something small like an option or something.

        Cheers.

        KevinTheJedi No, I manually created the app. I also went through the Azure side and did Admin Consent so the account doesn't have to. However, they do require you to log in with the e-mail account used to request a token. Maybe your code is requiring consent whereas if you set it up on the front end in the Azure side and do Admin Consent, it should just work.

          rblake

          We removed the prompt=consent option in the latest build of the OAuth2 plugin so it should now be up to MS to determine whether to force consent or not.

          Cheers.

          I deleted the old OAuth2 plugin and installed the new one, and I still couldn't get around the "cannot select INBOX, is this a valid transport?". I made the mailbox holder Global Admin and it successfully updated the email. By being global admin I could provide consent directly as the mailbox without having to approve as another Admin user, which may be the key to having it work.

          However, once I removed the global admin rights from the account, email retrieval failed.

          Added Application Admin role to the mailbox owner and it worked again.

            OK. I re-did the config for the OAuth2 with the mailbox as an application administrator, then removed the role from the user. Mail has fetched properly for the last 2 days, even without the role assigned.

            5 days later

            rblake

            I finally figured it out. So, if you cannot log in as the email/shared mailbox itself or do not allow user consent and are required to use Global Admin then:

            1. Make sure you are running the latest build of the auth-oauth2 plugin and make sure you apply these changes manually - https://github.com/osTicket/osTicket-plugins/pull/254
            2. Login to Exchange Admin Center
            3. Click the Mailboxes tab
            4. Click the email you are trying to configure in osTicket
            5. Click Delegation tab
            6. Click Edit under Read and Manage (Full Access)
            7. Add the Global Admin account
            8. Save Changes and wait up to 5 minutes

            Once you do this you can go back to osTicket, click Submit in the OAuth2 popup, authorize as the Global Admin, and voila, the token will work for the email you are attempting to configure. I was researching endless guides online and they all showed that you have to log in as the email itself to authorize. Furthermore they all seem to be under the same consensus that OAuth2 will not work for shared mailboxes, but I have found that this is in fact false. If your Global Admin has Delegate access to the email/shared mailbox it can get a token and act as the email/shared mailbox with no issues. I tested this on my dev O365 with both a regular user and a shared mailbox and in both instances the above instructions worked without a hitch.

            I think the other applications you are using are using a different auth flow and potentially using the API to fetch/send mail, whereas we have to stick to using IMAP/POP3 and SMTP protocols to fetch/send mail. We might add API support in v2.0 but that's a whole separate conversation we have to have internally.

            Cheers.

              15 days later

              Hello,

              osTicket information:
              osTicket version v1.17.2 (8fbc7ee)
              Web server software Apache
              MySQL version 5.7.30
              PHP version 8.0.25
              It is hosted on a public host; I updated from 1.15 to this version last week.
              We have a Microsoft 365 Business Basic licence

              I have the same issue as you, but I can't find a solution:

              Five days ago, I created the App and followed the guide and it worked: it fetched the emails but it didn't move them into the archived folder (I saw that later). And 3 days later, osTicket didn't fetch the emails, so I removed the plugin & reinstalled, and from that moment I have the error "cannot select INBOX, is this a valid transport?".
              ==> The token seems valid.

              We used the auto-fetch, I tried with rcron ==> same issue (it works with basic authentication)
              I tried pop 995, imap 993 ==> same issue
              I tried to set up a new email with the global admin ==> same issue
              I tried to delete emails, delete plugins... ==> same issue
              I added a new application from Azure with openid ==> same issue

              Rickymundo

              Ok, thanks for the info. You seem to have exactly the same issue. I have contacted Microsoft and am waiting for a response...

                I got the same issue earlier today. Last time it worked on Dec 27 too.
                Thank you all for your recommendations.
                Didn't realize IMAP check box of the account on M365 admin center was turned off by accident.
                Just turned it back on. All good now.

                Thanks!

                5 days later

                Everyone,

                In addition to the comment I posted here:

                I found out through tests today that this only works for IMAP/POP3 in some cases. If it's failing to authenticate through SMTP then try adding the Global Admin to the Send As delegation for the email in question (in the same Delegation tab in the Exchange Admin Center) and redo the steps listed above.

                Cheers.
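The delegation steps above (Full Access for IMAP/POP3, plus the Send As delegation for SMTP from the later post) and the mailbox-level IMAP toggle another poster found switched off, expressed as Exchange Online PowerShell. This is an added example, not code from the osTicket project or any poster in the thread; it assumes the ExchangeOnlineManagement module, and the mailbox and admin addresses are constructed placeholders.

```powershell
# Added example (not from the osTicket plugin or any poster in this thread).
# Requires the ExchangeOnlineManagement module; run as an account with
# Exchange administration rights. Addresses below are constructed placeholders.
$Mailbox = 'helpdesk@contoso.example'    # mailbox osTicket fetches from / sends as
$Admin   = 'globaladmin@contoso.example' # account that authorizes in the OAuth2 popup

Connect-ExchangeOnline -UserPrincipalName $Admin

# Steps 6-7 of the thread: "Read and Manage (Full Access)" delegation.
# This is what lets a token obtained by $Admin select INBOX on $Mailbox over IMAP/POP3.
Add-MailboxPermission -Identity $Mailbox -User $Admin `
    -AccessRights FullAccess -InheritanceType All -AutoMapping $false

# Later post in the thread: SMTP can additionally need "Send As" delegation.
Add-RecipientPermission -Identity $Mailbox -Trustee $Admin `
    -AccessRights SendAs -Confirm:$false

# Verify both delegations took effect (the thread notes propagation can take a few minutes).
Get-MailboxPermission -Identity $Mailbox -User $Admin |
    Select-Object User, AccessRights
Get-RecipientPermission -Identity $Mailbox -Trustee $Admin |
    Select-Object Trustee, AccessRights

# Another cause of "cannot select INBOX" reported in this thread: the IMAP
# protocol toggle on the mailbox itself was switched off in the admin center.
$cas = Get-CASMailbox -Identity $Mailbox
$cas | Select-Object ImapEnabled, PopEnabled, SmtpClientAuthenticationDisabled
if (-not $cas.ImapEnabled) {
    # Re-enable IMAP only for this mailbox, not tenant-wide
    Set-CASMailbox -Identity $Mailbox -ImapEnabled $true
}

Disconnect-ExchangeOnline -Confirm:$false
```

Keep the delegation scoped to the one mailbox osTicket needs; the same Full Access grant on other mailboxes would let the same token read them too.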

                a year later

                KevinTheJedi Excuse me, I have this issue too. I have been using osTicket for several years already, and it suddenly stopped getting mails yesterday - ticket expired. That happened before, but now, for the first time, it wants approval from an admin, which was not the case until now. If I use my admin account, the plugin gives me that account mismatch error. The fact is that I'm Global Admin and I delegated myself Edit access to my helpdesk account a long time ago for other purposes. The only thing I didn't do is the change in step 1. I'm not a programmer, however, and I don't know how to use GitHub and what to do with that pull request. Can somebody tell me how I can patch my OAuth plugin so our help desk can read and send mails again?