Hi, so after struggling for hours I managed to get OAuth2 SSO to work with osTicket. However, whenever I try to set up my mailbox it gives me an authentication error when turning IMAP or SMTP on.


OAuth2 Authorization does show me I have a token though.

IMAP and SMTP work when I connect normally, without OAuth2 (we have an osTicket server running without OAuth2).

I've read some semi-recent posts and found that remaking my mailbox would probably be my best bet; it has to do with mailboxes that existed when Microsoft migrated to Modern Authentication?

I really don't want to remake my mailbox since it's tied to other systems as well. Is there another solution?

    kwekker

    When it brought you to MS after clicking Submit in the popup, did you login as the email you are trying to configure or a different account? If a different account, please delete the token and get a new one as the email you are trying to configure. I would recommend an Incognito/Private window to ensure MS doesn't auto-log you in as a different account.

    Also, if you configure auth for Remote Mailbox you do not need to re-configure it for SMTP. You can simply set SMTP auth to Same as remote mailbox and it'll use the Remote Mailbox auth.

    Cheers.

      KevinTheJedi

      Hello!

      9/10 times when I remove the email, truncate the session table, open a fresh private browser session and remake the email, I don't even get redirected to my organisation's Microsoft login page. When it does do that, though, I only get a login page and not the page where I have to agree with the Graph permissions. And yes, I log in with the mailbox user on the rare Microsoft login page. Azure AD also acknowledges the successful login.

      I found some PowerShell commands that hook my app to the mailbox in Azure and give it full permission; however, that made no difference either.

        kwekker

        Then you will need to provide screenshots of your OAuth2 config in osTicket and the app registration in MS. As long as you have the appropriate permissions, app info, etc. you should be good. If all else fails you can contact your mail provider or Global Admin to see why it's not connecting properly.

        Cheers.

        I use UserPrincipalName because EmailAddress is invalid in my situation; UserPrincipalName also has the email address in our AD.

        I am one of the global admins; however, I'm not really an Azure expert. From my understanding everything has been configured 100% correctly, and the senior sysadmin also confirmed that.

        Also, every time I google this situation outside osTicket, I find a lot of people who get the exact same error as me. They use the PowerShell commands from this Microsoft page to get it to work: https://learn.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth
        (the commands all the way down on the page). However, that does not work for us either. Am I just completely missing something, or should I just contact Microsoft at this point?

        Also, whenever I use the pre-filled scope (offline_access https://outlook.office.com/Mail.ReadWrite) when using OAuth2 - Microsoft, I get the following error:
        array ( 'code' => 'InvalidAuthenticationToken', 'message' => 'Access token validation failure. Invalid audience.', 'innerError' => array ( 'date' =>
        So I use a different scope as seen in the screenshot.

        Also, 9/10 times when I change the Email Address Attribute it'll put it back on EmailAddress when I click send and give me the invalid attribute error.

        Edit:
        I just gave it application permissions instead of delegated permissions in Azure, and for the first time ever I got the approval screen; however, this made no difference. I used the scope https://graph.microsoft.com/.default for that.

        I have also tried creating a fresh osTicket server + OAuth2 plugin and Exchange mailbox; it has the exact same results.

          kwekker
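The "Invalid audience" error quoted in the post above is the receiving API rejecting a token whose `aud` claim names a different resource than the one being called (a token requested for an `https://outlook.office.com/...` scope is issued for the Outlook resource, one requested for `https://graph.microsoft.com/...` for the Graph resource). A quick way to diagnose this on your own side is to decode the access token you were issued and compare its `aud` claim with the resource your scope targets. The script below is an added example written for this thread; it is not code from the thread, from osTicket or from its OAuth2 plugin. The mapping of resource hosts to audience values (the URL form plus the well-known application ids of Exchange Online and Microsoft Graph) is an assumption I am supplying, and the tokens it decodes are constructed, unsigned sample tokens built inline so the script runs offline.

```python
import base64
import json
from typing import Optional

# Resource hosts a scope URL can target, mapped to the audience values the
# Microsoft identity platform issues for that resource: the URL form or the
# resource's well-known application id. ASSUMPTION for this example; verify
# against the tokens your own tenant issues.
EXPECTED_AUDIENCES = {
    "https://outlook.office.com": {
        "https://outlook.office.com",
        "00000002-0000-0ff1-ce00-000000000000",  # Exchange Online app id
    },
    "https://graph.microsoft.com": {
        "https://graph.microsoft.com",
        "00000003-0000-0000-c000-000000000000",  # Microsoft Graph app id
    },
}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without verifying the
    signature. Diagnostics only: you are inspecting a token issued to you,
    not accepting one from a client."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))


def resource_for_scope(scope: str) -> Optional[str]:
    """Return the resource host that a space-separated scope string targets,
    e.g. 'offline_access https://outlook.office.com/Mail.ReadWrite' gives
    'https://outlook.office.com'. Plain scopes like offline_access are ignored."""
    for part in scope.split():
        for host in EXPECTED_AUDIENCES:
            if part.startswith(host + "/"):
                return host
    return None


def check_audience(token: str, scope: str, intended_resource: str) -> list:
    """Compare the token's aud claim and the scope's resource with the
    resource the mail client actually calls. Returns a list of problems;
    an empty list means the token should be accepted by that resource."""
    problems = []
    aud = decode_jwt_claims(token).get("aud")
    scope_resource = resource_for_scope(scope)
    if scope_resource is None:
        problems.append("scope does not name a supported resource")
    elif scope_resource != intended_resource:
        problems.append(
            f"scope targets {scope_resource} but the client calls {intended_resource}"
        )
    if aud not in EXPECTED_AUDIENCES[intended_resource]:
        problems.append(f"token audience {aud!r} is not valid for {intended_resource}")
    return problems


def make_unsigned_token(claims: dict) -> str:
    """Build a CONSTRUCTED, unsigned JWT (alg none, empty signature) so the
    example can run offline. Real tokens are signed and must be verified."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample tokens: one issued for the Outlook resource, one for Graph.
OUTLOOK_TOKEN = make_unsigned_token({"aud": "https://outlook.office.com", "scp": "Mail.ReadWrite"})
GRAPH_TOKEN = make_unsigned_token({"aud": "https://graph.microsoft.com", "scp": "Mail.ReadWrite"})

if __name__ == "__main__":
    # The mismatch from the post: an Outlook-scoped token presented to Graph.
    print(check_audience(
        OUTLOOK_TOKEN,
        "offline_access https://outlook.office.com/Mail.ReadWrite",
        "https://graph.microsoft.com",
    ))
    # A consistent pairing produces no problems.
    print(check_audience(GRAPH_TOKEN, "https://graph.microsoft.com/.default",
                         "https://graph.microsoft.com"))
```

Paste a real access token into `decode_jwt_claims` only on a machine you control and never log the token itself; the `aud` value it prints tells you which resource the identity platform issued it for, and that is the value to compare with whatever host the mail client is contacting.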

          Your Scopes and Email Address Attribute are entirely incorrect. You need to leave those as the defaults.

          Cheers.

            KevinTheJedi

            When I use the default config I get the approval screen; when I approve that request in Azure, nothing happens. I never receive a token back.

              kwekker

              The Request Approval screen? If so, you need to have the Global Admin consent to the API Permissions as well as provide Admin Consent in Enterprise Applications > click the application > click Permissions > click Grant Admin Consent. Once you do this you need to wait up to 5 minutes, visit your helpdesk in an incognito window, and retry.

              Important Note:
              If you are not using v1.17.3 and the latest build of the OAuth2 plugin I'd HIGHLY recommend upgrading and installing the new plugin first. There were a lot of bug fixes with this.

              Cheers.

                KevinTheJedi

                It suddenly works! Maybe Azure didn't sync yet when I tried that original combination.
