I deleted the old OAuth2 plugin and installed the new one, and I still couldn't get around the "cannot select INBOX, is this a valid transport?". I made the mailbox holder Global Admin and it successfully updated the email. By being global admin I could provide consent directly as the mailbox without having to approve as another Admin user, which may be the key to having it work.
osTicket O365 E-mail Retrieval & Sending Stopped Working
However, once I removed the global admin rights from the account, email retrieval failed.
Added Application Admin role to the mailbox owner and it worked again.
OK. I re-did the config for the OAuth2 with the mailbox as an application administrator, then removed the role from the user. Mail has fetched properly for the last 2 days, even without the role assigned.
I finally figured it out. So, if you cannot log in as the email/shared mailbox itself or do not allow user consent and are required to use Global Admin then:
- Make sure you are running the latest build of the auth-oauth2 plugin and make sure you apply these changes manually - https://github.com/osTicket/osTicket-plugins/pull/254
- Log in to Exchange Admin Center
- Click the Mailboxes tab
- Click the email you are trying to configure in osTicket
- Click Delegation tab
- Click Edit under Read and Manage (Full Access)
- Add the Global Admin account
- Save Changes and wait up to 5 minutes
Once you do this you can go back to osTicket, click Submit in the OAuth2 popup, authorize as the Global Admin, and voila the token will work for the email you are attempting to configure. I was researching endless guides online and they all showed that you have to log in as the email itself to authorize. Furthermore, they all seem to be under the same consensus that OAuth2 will not work for shared mailboxes but I have found that this is in fact false. If your Global Admin has Delegate access to the email/shared mailbox it can get a token and act as the email/shared mailbox with no issues. I tested this on my dev O365 with both regular user and shared mailbox and in both instances the above instructions worked without a hitch.
I think the other applications you are using are using a different auth-flow and potentially using the API to fetch/send mail whereas we have to stick to using IMAP/POP3 and SMTP protocols to fetch/send mail. We might add API support in v2.0 but that's a whole separate conversation we have to have internally.
Cheers.
Hello,
osTicket information:
osTicket version v1.17.2 (8fbc7ee)
Web server software Apache
MySQL version 5.7.30
PHP version 8.0.25
It is hosted on a public host; I updated from 1.15 to this version last week.
We have a Microsoft 365 Business Basic licence.
I have the same issue as you, but I haven't found a solution:
Five days ago, I created the app and followed the guide and it worked: it fetched the emails but it didn't move them into the archive folder (I saw that later). And 3 days later, osTicket stopped fetching the emails, so I removed the plugin and reinstalled it, and from that moment I have the error "cannot select INBOX, is this a valid transport?".
==> The token seems valid.
We used the auto-fetch; I tried with rcron ==> same issue (it works with basic authentication)
I tried POP 995, IMAP 993 ==> same issue
I tried to set up a new email with the global admin ==> same issue
I tried to delete emails, delete plugins... ==> same issue
I added a new application from Azure with OpenID ==> same issue
OK, thanks for the info. You seem to have exactly the same issue. I have contacted Microsoft and I am waiting for a response...
I think I've found the solution, see my previous link.
I got the same issue earlier today. Last time it worked on Dec 27 too.
Thank you all for your recommendations.
Didn't realize the IMAP check box of the account in the M365 admin center was turned off by accident.
Just turned it back on. All good now.
Thanks!
Everyone,
In addition to the comment I posted here:
I found out through tests today that this only works for IMAP/POP3 in some cases. If it's failing to authenticate through SMTP then try adding the Global Admin to the Send As delegation for the email in question (in the same Delegation tab in the Exchange Admin Center) and redo the steps listed above.
Cheers.
KevinTheJedi Excuse me, I have this issue too. I've been using osTicket for several years already, and it suddenly stopped getting mails yesterday - ticket expired. That happened before, but now, for the first time, it wants approval from an admin, which was not the case until now. If I use my admin account, the plugin gives me that account mismatch error. The fact is that I'm Global Admin and I delegated myself Edit access to my helpdesk account a long time ago for other purposes. The only thing I didn't do is the change in step 1. I'm not a programmer, however, and I don't know how to use GitHub and what to do with that pull request. Can somebody tell me how I can patch my OAuth plugin so our help desk can read and send mails again?
This thread is a year old. We have since improved the OAuth2 plugin and core codebase. You do not need to apply any patches, etc. All you need to do is ensure your osTicket codebase is up to date with either v1.17.5 or v1.18.1, install the latest build of the OAuth2 plugin, and restart your web server and PHP-FPM if you’re running it.
After you have done the above you will either need to provide admin consent on behalf of the organization for the application under Enterprise Applications within the Entra ID portal (previously known as Azure AD) so the email account you are attempting to auth as can approve itself -or- you can sign in as an admin, click the box to create consent on behalf of the organization, approve it, get the mismatch error, then submit the OAuth2 authentication popup in osTicket again, sign in as the email account you need the token for, approve, and you should be good from there.
Cheers.
Oh, and if the email account you need the token for is a shared mailbox, resource email, or whatever, you would need to add a service account, admin account, or user account that you can log in as to the Send As and Read and Manage permissions for the shared mailbox in the Exchange Admin Center. Then if you have the latest plugin there is a button in the OAuth2 config popup to disable Strict Matching so you can authorize using a different account.
Cheers.
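
The mailbox checks and delegations discussed in this thread (the IMAP check box, Read and Manage, Send As) can also be audited and set from Exchange Online PowerShell. This is an added example, not part of any post or of osTicket; both addresses are placeholders, the `-Fix` switch is a name chosen here, and it assumes the ExchangeOnlineManagement module is installed.

```powershell
# Added example: audit (and with -Fix, correct) the mailbox settings the thread relies on.
param(
    [string]$Mailbox  = 'helpdesk@example.com',      # placeholder: mailbox osTicket fetches from
    [string]$Delegate = 'svc-osticket@example.com',  # placeholder: account that signs in to the OAuth2 popup
    [switch]$Fix                                     # without -Fix the script only reports
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# 1. Per-mailbox protocol switches (the "IMAP check box" in the admin center).
$cas = Get-CASMailbox -Identity $Mailbox
[pscustomobject]@{
    Mailbox     = $Mailbox
    ImapEnabled = $cas.ImapEnabled
    PopEnabled  = $cas.PopEnabled
    # $null here means the organization-wide SMTP AUTH setting applies.
    SmtpClientAuthenticationDisabled = $cas.SmtpClientAuthenticationDisabled
} | Format-List
if ($Fix -and -not $cas.ImapEnabled) {
    Set-CASMailbox -Identity $Mailbox -ImapEnabled $true
}

# 2. "Read and Manage (Full Access)" delegation, needed for IMAP/POP3 fetching.
$full = Get-MailboxPermission -Identity $Mailbox -User $Delegate |
    Where-Object { $_.AccessRights -contains 'FullAccess' -and -not $_.Deny }
if ($full) {
    Write-Host "FullAccess: present for $Delegate"
} elseif ($Fix) {
    # AutoMapping off: the delegate is a sign-in identity, not an Outlook user.
    Add-MailboxPermission -Identity $Mailbox -User $Delegate `
        -AccessRights FullAccess -InheritanceType All -AutoMapping $false
} else {
    Write-Warning "FullAccess: missing for $Delegate"
}

# 3. "Send As" delegation, needed when SMTP authentication fails.
$sendAs = Get-RecipientPermission -Identity $Mailbox -Trustee $Delegate |
    Where-Object { $_.AccessRights -contains 'SendAs' }
if ($sendAs) {
    Write-Host "SendAs: present for $Delegate"
} elseif ($Fix) {
    Add-RecipientPermission -Identity $Mailbox -Trustee $Delegate `
        -AccessRights SendAs -Confirm:$false
} else {
    Write-Warning "SendAs: missing for $Delegate"
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run it once without `-Fix` to see the current state; as in the thread, delegation changes can take a few minutes to apply before re-submitting the OAuth2 popup.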