MS OAuth2 Error: The API version 'V2' has been depreciated.
njohnson We did have that issue in the past as well. It has not been a problem for us in the last year or so, I believe.
KevinTheJedi Thank you for the answer. It would be very helpful in future.
KevinTheJedi This worked for me.
This authenticated for me, but isn't actually pulling any emails through :-(
Edit2: This actually DOES work for me. I had no emails coming through for about an hour (on this mailbox, other mailboxes continued to work) and then as if by magic they started flowing through!
KevinTheJedi
PHP 8.1.30
osTicket 1.18.1
Oauth Plugin 0.6
TBH, I don't know for sure if we're running the latest build. I had updated it after the Token-timeout issue was supposed to have been resolved, but we never noticed a difference. I'm probably blind for not seeing the plugin version be referenced anywhere...what's the current version?
Would it break anything if I deleted the plugin from our installation and installed the current one that's posted (recognizing I'd need to do this code fix again)?
0.6 is latest but we don’t update the versions on the plugins as often because it’s usually very minor changes. So you really have to go off of when you downloaded it.
Don’t delete from UI just delete the existing PHAR and replace it with the latest build.
Cheers.
KevinTheJedi Thanks! I've replaced it as of today, so hopefully all our osticket problems are now resolved! You've been a great help!
PHP 8.0.27
MySQL 8.0.15
osTicket 1.17.5
Oauth Plugin 0.6
Windows Server 2022
I've been using OAuth2 and just ran into this issue. I've followed the steps to unpack the auth-oauth2.phar file and edit the database. Everything there matches what @KevinTheJedi wrote here (https://forum.osticket.com/d/105728-ms-oauth2-error-the-api-version-v2-has-been-depreciated/41). OAuth2 authorization is successful, but I'm getting the 5.7.3 Authentication unsuccessful on the outgoing (SMTP).
In addition, these are full mailboxes, not shared. Authenticated SMTP (and all other protocols) is enabled on the user's mailboxes.
Check if the API Permission is added and admin consented in the app registration. Make sure the user has Authenticated SMTP enabled in O365. Also make sure the user doesn’t have a policy attached that restricts/blocks SMTP.
Cheers.
KevinTheJedi
Thanks for the reply. I've verified the API permissions and Authenticated SMTP. No policies in effect that would restrict/block SMTP.
KevinTheJedi These are real/full user mailboxes.
KevinTheJedi
Yes, I am. The enterprise app and app registration are shared among all of the email accounts within osTicket, but I am using an incognito window and authenticating with each unique user/mailbox login. Also, if it matters, I’m using the tenant-created accounts with onmicrosoft.com logins/addresses. It’s been set up that way since changing over to OAuth.
Then you should be fine. Maybe disable SMTP, reenable it, and retest for each account?
Cheers.
We also have this problem with SMTP.
The "hack" worked OK for the accounts we use to only receive email, but the account we use to send cannot authenticate:
This is not a new account, used to work fine up until yesterday.
Thanks for confirming. I have disabled and enabled Authenticated SMTP for these accounts and will be testing in a few hours.
I created a ticket with Office 365 support and they recommended a test via powershell:
Let's first turn off MFA, Conditional Access Policies, Security Default.
Then you could run the PowerShell commands below to narrow down if the issue occurs within our side. If the PowerShell command can send successfully, then the issue occurs within just the app scope but not from our side.
$cred = get-credential
Send-MailMessage -To "user@domain.com" -from "user@domain.com" -Subject 'Test message' -smtpserver smtp.office365.com -usessl -Credential $cred -Port 587
The results of that test email were successful and I received it from one of the accounts that is used by OSTicket.
Then I am unsure. It’s working for everyone else so it’s a config issue somewhere on your end.
Cheers.
KevinTheJedi As I said it's not working for us either, so it's definitely not working for "everyone else". Has anyone else confirmed specifically that SMTP works for them?
The only thing I can recommend at this point is to maybe create a brand new App Registration in Entra and follow the osTicket OAuth2 documentation exactly as it states. Also, you should now be using the Scopes of "offline_access https://outlook.office.com/IMAP.AccessAsUser.All https://outlook.office.com/POP.AccessAsUser.All https://outlook.office.com/SMTP.Send".
As long as you modify the plugin as stated above, use the correct Scopes, and authenticate as the correct user you should have no issues. I just retested with my O365 personal email and it's working as intended for both IMAP and SMTP using these instructions.
Cheers.
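A way to check locally whether a token obtained with these Scopes can work for both the Remote Mailbox and Outgoing (SMTP) tabs, as an added example that is not part of the original posts or of osTicket. It assumes the access token is a JWT carrying `aud`, `scp` and `upn` claims; the function names are hypothetical and the sample token is constructed.

```python
import base64
import json

# Scopes recommended in this thread, mapped to the osTicket tab that relies on each.
REQUIRED_SCOPES = {
    "IMAP.AccessAsUser.All": "Remote Mailbox (IMAP)",
    "POP.AccessAsUser.All": "Remote Mailbox (POP3)",
    "SMTP.Send": "Outgoing (SMTP)",
}
# Assumption: commercial tenant; Government tenants use .us endpoints instead.
EXPECTED_AUDIENCE = "https://outlook.office.com"

def decode_claims(access_token):
    """Return the JWT payload without verifying the signature (diagnostic only)."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT; opaque tokens cannot be inspected")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def diagnose(access_token, mailbox_address):
    """List reasons this token could fail for the given osTicket email account."""
    claims = decode_claims(access_token)
    problems = []
    aud = claims.get("aud", "").rstrip("/")
    if aud != EXPECTED_AUDIENCE:
        problems.append(f"audience is {aud!r}, expected {EXPECTED_AUDIENCE!r}")
    granted = set(claims.get("scp", "").split())  # scp is space-separated
    for scope, used_by in REQUIRED_SCOPES.items():
        if scope not in granted:
            problems.append(f"missing scope {scope}, needed by {used_by}")
    # Assumption: the signed-in user is in the upn claim; an alias will not match.
    upn = claims.get("upn", "")
    if upn.lower() != mailbox_address.lower():
        problems.append(f"token issued to {upn!r}, account uses {mailbox_address!r}")
    return problems

def make_token(claims):
    """Build an unsigned sample token (constructed test data, not a real token)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"

if __name__ == "__main__":
    sample = make_token({"aud": "https://outlook.office.com",
                         "scp": "IMAP.AccessAsUser.All POP.AccessAsUser.All",
                         "upn": "helpdesk@example.onmicrosoft.com"})
    for line in diagnose(sample, "support@example.com"):
        print(line)
```

Run it on the osTicket host itself so the token is not pasted into a third-party decoder.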
I don't think that's it otherwise the token wouldn't have worked for Remote Mailbox tab.
Cheers.
KevinTheJedi Many thanks, working perfectly ... after I butchered the PHP file.
KevinTheJedi
I got the plugin edited, but I can't seem to figure out how to manipulate our database. I was able to log in to MariaDB, and I got to the database and table contents, but I'm struggling to put together the right update command to change the install path and the 1 to 0. Can you provide any help on this? Also, I'm using Government 365 if that matters.
Ahhh then you have completely different endpoints and everything. All endpoints for O365 government end in .us instead of .com. Furthermore SMTP is typically disabled for Government tenants and you typically use a relay for that.
As for the SQL, you should use a GUI tool instead if you don’t know how to run/write SQL statements as you can mess up quite a bit. I would recommend HeidiSQL for Windows and Sequel Ace for Mac.
If you require a manual query you would just simply run:
UPDATE %TABLE_PREFIX%plugin SET `install_path` = 'plugins/auth-oauth2', `isphar` = 0 WHERE `id` = %PLUGIN_ID%;
Replace %TABLE_PREFIX% and %PLUGIN_ID% with their respective values.
Cheers.
Confirming the changes worked for us
symoss
Did you find a solution to this? I'm getting the same error.
KevinTheJedi
OK, so do I stop what I'm doing and make a relay connection? Or can I continue to follow your instructions with HeidiSQL to get a solution? Or am I the guinea pig to see if it works on the gov side?
You can continue; I’m just relaying my experience with these tenants. The relay should already be there; however, if not, you can enable and use SMTP. It’s up to you.
Cheers.
Thanks, that's exactly what I ended up doing. I was unable to resolve the issue any other way.
It's working. Confirmed the changes and authentication is working well.
@KevinTheJedi can confirm the modified plugin callback function got things running again for us.
Sharing my steps for anyone who needs a little more detail, following KevinTheJedi's modification suggestion.
I enabled SSH, connected via FileZilla, and found the files we needed to edit through there. I was struggling to use nano to edit the file. I'm using MariaDB; with Kevin's suggestion, I used HeidiSQL to remotely access and view my database. I used this walkthrough to enable remote access from one IP address to the SQL database: https://community.time4vps.com/discussion/636/ubuntu-how-to-allow-mysql-mariadb-remote-connections-in-ubuntu-server
Once connected, I found OST_Plugin in my database; the data tab let me edit the OAuth2 client path and the isphar number.
Thanks @KevinTheJedi and others.
@KevinTheJedi can confirm that the revised plugin callback function has everything up and running again. Thanks for your help!
neilmcdowell I tried with Basic authentication as mentioned by @jens_E and @mrudella but it didn't work for me. I'm getting 5.7.139 error. I searched online and saw some "solutions" about using Conditional Access Policies but we don't have this enabled in our Entra subscription. The other "solution" would be to disable security defaults for all users but I didn't want to do that.
So back to modern authentication and I think that I finally got it working after a few hours!
I didn't create a new app as suggested by @KevinTheJedi; I went into the plugin in osTicket and deleted the corresponding instance(s). Then I completely deleted the email account as well (it was easy for me because we only used this account for sending). Then I created it again, used the same settings as before, but changed the Scopes to "offline_access https://outlook.office.com/IMAP.AccessAsUser.All https://outlook.office.com/POP.AccessAsUser.All https://outlook.office.com/SMTP.Send" as suggested by Kevin (don't know if this made a difference).
I saved and got the token, then went to the Outgoing (SMTP) tab, enabled and it worked.
//edit: Actually there's another difference, I was using an alias before in the account's "Email Address" field. I also changed this to the "proper" address. I was doing this because an agent also had this address so it didn't let me use it for the account, but now I switched them (put the alias to the agent and used the proper one for the account)
symoss Thanks for coming back to me. Much appreciated. I got it working using basic authentication but I'd much prefer to have all access working through Oauth2. Maybe I'll recreate it all when time allows.
KevinTheJedi
Hey Kevin.
The code changes you did here worked fine, but we also had to apply the scope change of "offline_access https://outlook.office.com/IMAP.AccessAsUser.All https://outlook.office.com/POP.AccessAsUser.All https://outlook.office.com/SMTP.Send" from jerer (https://forum.osticket.com/d/105728-ms-oauth2-error-the-api-version-v2-has-been-depreciated/12) to make it accept the scopes. With the combined changes, it seems to work as expected with MS365 accounts (business, not personal, addresses).
I will admit this seems like a hacky approach having the changes in the plugin and the scope changes, but otherwise it wouldn't send AND receive properly.
Of course, all of that was explained above in this thread. I even mentioned the scopes at some point as well.
Of course it “feels hacky” because you are modifying the code directly. The same changes will be included in the official build so nothing hacky about it. The scopes are actually recommended by MS themselves so nothing hacky about that either.
Cheers.