OAuth2 to Microsoft 365 only works once

npadmin

Hello all.
(Before I start, if there is any information missing from this post that might be helpful, please let me know.)

I've recently implemented the Oauth2 client plugin on my osTicket v1.18.1 installation, but it isn't working correctly.

I have the plugin setup correctly, an associated app in my 365 tenant, and a valid token in the plugin settings.
The plugin is enabled for both Agents and Users, but it only works correctly for Agents.

What's happening?

When a user tries to log in using the Oauth2 Client plugin for the first time, they're successfully logged in - they can access the user pages and log tickets. In the background, I can see entries for the user are created in the relevant database tables (ost_user, ost_user_account, ost_user_email, etc.)

When the user logs out of osTicket, they cannot log in with the OAuth2 Client again. Authentication takes place - I can see successful entries in the Microsoft Entra sign in logs - but users are returned to the client home page and are not logged in.

I've looked for error logs for my installation, but cannot find any recorded for these login attempts: docker logs output is minimal, Apache access logs tell me nothing, and the Apache error log doesn't record anything during these logins.

As mentioned above, Agents can access the scp/ pages after logging in with the Oauth2 Client plugin without issue.
Does anyone have any pointers on where I should be looking to resolve this?

System info (all running in a single docker-compose stack on Ubuntu Server 20.04.6):

osTicket Version: v1.18.1 (0375576)
Web Server Software: Apache/2.4.57 (Debian)
MySQL Version: 10.6.1 (mariadb container)
PHP Version: ~~8.3.2~~ 8.2.16

Active plugins

Oauth2 Client, version: 0.6
Attachments on the filesystem, version 0.3
Help Desk Audit, version 0.1

Inactive plugins

HTTP Passthru Authentication, version 0.2
LDAP Authentication and Lookup, version 0.6.2
Two Factor Authenticator, version 0.3

UPDATE, 2024-02-21 20:00 Europe/London
PHP downgraded to supported version 8.2.16, per @KevinTheJedi 's recommendation.

KevinTheJedi

npadmin

If the Users then try from an incognito window (or completely new browser) does it work? Any errors in your PHP/webserver error logs? What do the backend values look like for the affected Users in the _user_account table?

Cheers.

KevinTheJedi

npadmin

Also, I just noticed you are using PHP 8.3 which is not supported yet. The prerequisites/requirements all say v1.18.1 only supports PHP 8.1-8.2. So I'd also recommend downgrading PHP to 8.2 and retest everything as this can play a factor in things.

PHP 8.3 did introduce some breaking changes with older functions, etc. so you may be experiencing a non-compatible PHP version issue.

Cheers.

npadmin

KevinTheJedi
Hi KevinTheJedi - thanks for your quick response.
I've downgraded to PHP 8.2.16, but there's no change, even when testing in a private browser window.
There's no change in the (lack of) log output, even with osTicket's log level set to debug.
The backend value I'm seeing in _user_account entries is: oauth2.user.p10i8.

KevinTheJedi

npadmin

Is that the correct Plugin ID (10) and Instance ID (8)? You can compare the IDs to the ones in the _staff table backend values to confirm.

Are the Users showing as Active (Registered) in the Agent Panel > Users > User Directory?

Cheers.

npadmin

Hi Kevin.

I can't confirm the values from the _staff table - the entry for my working account has no value for backend (although it is not null). Looking at the _plugin and _plugin_instance tables I can see those IDs match, though.

Yes, users show as 'Active (Registered)' in the user directory.

KevinTheJedi

npadmin

the entry for my working account has no value for backend (although it is not null).

I’m confused by this statement. It has not value but not null? Is it just empty (blank)?

Can you test with your own account?

Cheers.

npadmin

KevinTheJedi
Yes. In the _staff table, the value for backend is blank.

In the _users table, it is oauth2.user.p10i8

I can log in as both a User and an Agent using the OAuth2 client's "Sign in with" button.

KevinTheJedi

npadmin

What does your OAuth2 SSO Plugin Config look like (including the attributes)?

Cheers.

npadmin

Here are the current settings. As far as I can see, they're correct.

KevinTheJedi

npadmin

That all looks correct to me. Can you replicate this issue? If so, once you are able to replicate it open an Incognito/Private window (or even better a completely different browser) and see if it lets you login again. If so then it sounds like session issues. For clarity I'm unable to replicate this issue so I'm just throwing things out there that I can think of.

Cheers.

KevinTheJedi

npadmin

Also, do you have a non-docker server to test with? We don't have an official osTicket docker container so all the ones you see out there are not recommended.

Cheers.

npadmin

Hi Kevin. Thanks for your continued support 🙂

I'll have a look at rebuilding outside docker to see if it behaves the same.

To note, I've built my own docker image (pastebin[dot]com/92Vu47nV) - based on php-apache (hub[dot]docker[dot]com/_/php/tags?page=1&name=8.2.16-apache). I added the various dependencies much as you would for a manual build, then I connected my www/root as a bind mount.

Anyway, I'll let you know how I get on.
Thanks for your help!