Oauth2 does nothing - can't save configuration

DasBjoern

Hello everyone,
I'm having a strange Problem.
We tried using Oauth2 to fetch mails from an O365 mailbox and stuck close to the instructions.

When we try to save the configuration for the authentication via IMAP it just... does not save and just gives me some loading circle thingy... I can leave it there for an hours or more and nothing will happen.
Any ideas? :-(

osTicket Version v1.17.2 (8fbc7ee) — Up to date
Web Server Software Apache/2.4.52 (Ubuntu)
MySQL Version 8.0.31
PHP Version 8.1.11
Oauth2 Client 0.6

I hope anyone has an Idea what's wrong.
Thanks
Björn

KevinTheJedi

DasBjoern

Delete the email and re-add and reconfigure it in the helpdesk.

Cheers.

DasBjoern

Hi Kevin!
Thanks. This solved this step of my problem but now I ran into another hurdle.

I can save the configuration now and I get the login prompt and the prompt to confirm the whole thing. But then it tries to forward me to a page that seemingly does not exist and I get a 404 error. I get forwarded to the url of the server followed by /api/auth/oauth2?code= and a bunch of characters. So essentially the Redircet URl specified but it does not work. Do I have to do anything special here?

One more thing that I suspect of being a problem:
The server itself is running http only but we are doing SSL offloading via our WAF. So we use https://helpdesk.ourpublicdomain.de which points to our WAF. The WAF then contacts the server on its local IP via http.
In the config for the apache we use the internal FQDN of the server as ServerName and the local IP as ServerAlias. The whole thing was set up a long time ago and maybe isn't done in the most sensible way. Could any of that be the culprit here?

Thanks!

DasBjoern

Nevermind.... it was the URl rewrite that was missing. With that enabled, it forwarded me to the local IP of the system where there was no site, but no mails seem to work fine 😃

bawalker

I have ran into this very same issue where I just upgraded osTicket to 1.17.2 (see relevant system info below) after Microsoft disabled basic authentication on our tenant over the weekend.

However when I go Admin Panel > Emails > Default helpdesk Email > Remote Mailbox I updated to OAuth2 - Microsoft by following the tutorial on this site very strictly. When I went to validate re-authorize the email in the config button, it would reach out to Microsoft, allow me to log in successfully and using URL rewriting was sending me back to the osTicket client side ticket creation page.

I would then log back in as admin, go to the same remote mailbox tab only to see the email status fetching was disabled. No matter what I did it would never save it as enabled. So I decided to delete that email account entirely and re-add it from scratch.

When I did that, I can enter in all of the remote mailbox settings and outgoing smtp settings. Of course I can't use the "save changes" button because I haven't re-authorized with MS yet. So I re-authorize successfully, log back in and now all of those mailbox settings are blank and nothing was saved.

What am I missing here??

Is URL redirecting not working in that it should send me back to the admin area to finish the save? If so, how do I make that change?

Here is current system information:

Here is what I get when trying to save the changes I made, says unable to do so.

KevinTheJedi

bawalker

The flow is type the host information (host, port, etc.), leave status as Disable, configure the Authentication (submit the popup, consent, and get redirected back to the email page with a success banner), set Status to Enable, and Save Changes at the bottom of the page.

Also, make sure you have these changes applied:

Cheers.

bawalker

Thanks for the quick reply. I assume those two GitHub changes aren't built in to the latest 1.17.2 that we are running? If not, I'll get those applied.

Thanks for the heads up on the flow of everything. I think the issue is that when the popup/consent from MS is completed, instead of taking me back to the email page, it's taking me only to http://<servername>/osTicket instead.

I'll apply those two fixes and try again.

bawalker

Quick update. I applied the changes and noticed that instead of being brought back to the http://server/osticket customer page, instead it took me back to the osticket/scp page asking me to log in. So I went through the process to re-authorize again and this time it did indeed take me back to the email page after successfully submitting the re-authentication.

However, it does not show the green "Success Banner". It does show the host, port, protocol, etc as being filled in correctly. But when I navigate away from that page and back to it, none of the settings were obviously saved.

Any further suggestions?

KevinTheJedi

bawalker

It shouldn’t be asking you to login again. Try these changes as well:

Cheers.

bawalker

Both of those changes were applied before I shared my last response post.

KevinTheJedi

bawalker

Can you share screenshots of your App Registration (with Redirect URIs), osTicket email OAuth2 config, and the URL you are using when submitting the popup. Please censor any sensitive info.

Also, when it brings you to MS to authenticate, are you logging in as the email itself?

Cheers.

KevinTheJedi

bawalker

User in another thread having the same issue and this resolved their issue:

https://forum.osticket.com/d/101915-oauth-scp-login-redirecting-to-client-page/47

Cheers.

bawalker

@KevinTheJedi Here's the info you requested as I go through the flow of adding the account. Let me know if this isn't what you were looking for and I can gladly upload the correct info. As you can see below, going through those steps takes me back to the OSTicket scp/agent login screen.

KevinTheJedi

bawalker

Okay yea that doesn't make much sense to me. Is helpdesk@ the email you are trying to configure in osTicket? If so, try clearing your cache/cookies/sessions, setting your Agent Session Timeout in the system to 0 and retest. It seems like it's dropping your authenticated session somehow which is baffling to me if you are running v1.17.2 and the patches I linked above.

Cheers.

bawalker

KevinTheJedi Yes the helpdesk@ address is the one that we are logging into MS with, the one that will be checking for incoming emails, etc.

I'll give that a shot.

bawalker

I just tried again after disabling Agent Session Timeout (set to 0) and cleared out all cache for all time in Edge and Chrome.

I logged into the agent panel, setup the mail server info, went to reauthorize. Followed the Microsoft prompts exactly, and it dumps me back out on the agent login screen.

So I decide to log back in once again and repeat the same steps of re-authorization. Just to see if anything changes.
This time, it takes me right back to the correct email window inside the agent panel, but no green banner at the top indicating success. The below screenshot is AFTER I completed the re-authorization process and after it dumps me back in the correct area of the agent panel.

KevinTheJedi

bawalker

Okay, so, click Config and see if you have a new tab called Token.

Ceers.

bawalker

Only Info and IdP Config tabs show up when clicking on the config button. Here's the screenshot.

KevinTheJedi

bawalker

Okay, then something went wrong. Did you follow the documentation exactly as it is?

https://docs.osticket.com/en/latest/OAuth2/Microsoft%20Authorization%20Guide.html

Cheers.

bawalker

Yup, the only thing I didn't follow was when in Azure the instructions state to use http://localhost:8089/osticket.... for the URL redirect. Our firewall is currently blocking 8089 at the moment, but I left it with localhost. I even also used the servers actual NETBIOS name in there http://supportmaster/osticket....

I can definitely blow everything out and start all over, especially if 8089 is a requirement?