MS OAuth2 Error: The API version 'V2' has been depreciated.: Page 3

MS OAuth2 Error: The API version 'V2' has been depreciated.

KevinTheJedi

For now try the following until ms fixes their issue:

https://forum.osticket.com/d/105728-ms-oauth2-error-the-api-version-v2-has-been-depreciated/12

Cheers.

jerer

KevinTheJedi
I understand that Outlook IMAP/SMTP/POP does not work if any Graph scopes are used. That's why you have been using the Outlook REST API.

And now that the Outlook REST API has been deprecated (for many years) and decommissioning has begun, we can't use that anymore. The replacement for that is the Graph API, but I do understand we cannot use that either with the same access token we use Outlook IMAP/SMTP/POP.

The only solution to this problem is to create 2 access tokens, one scoped for Graph and one scoped for Outlook IMAP/SMTP/POP. Or give us an option to skip that API call completely.

That's what I have been trying to point out (since 2 years ago). I know dealing with these Microsoft things must be annoying, but it is what it is.

KevinTheJedi

jerer

Why are two tokens needed...that definitely seems like an issue on their end that they need to address.

The only reason the User Endpoint is used is to verify the email matches during token creation. Once the token is created it doesn't matter and it's not used; all outlook resources are used at that point. You can disable strict matching if it's giving you difficulties. But once you get a token you'll see authentication fails. The token is retrieved using the endpoints the app registration gives you.

Cheers.

KevinTheJedi

jerer

Just tried getting Graph token using graph scopes and endpoints and same issue. I was able to get a token successfully but can't auth to IMAP using Graph tokens... so definitely an issue on Microsoft side that they need to address.

Cheers.

jerer

KevinTheJedi
Yeah I can agree this is at least horrible design by Microsoft. The thing is, it has been like this for years and I don't see them fixing it :/

https://stackoverflow.com/questions/61597263/office-365-xoauth2-for-imap-and-smtp-authentication-fails/61678485#61678485

https://techcommunity.microsoft.com/t5/exchange/cannot-connect-to-imap-and-smtp-using-oauth2-0-to-exchange/m-p/1359651

This is not the only thing we have been struggling with since the introduction of Graph and things being deprecated by it.

jgesemondo

Hola,
OSticket ya no funciona mas con O365?

cmusicfan05

jerer

Confirmed that this works. Sucks to have to use a workaround, hopefully MS will fix something and it'll go back to working the right way at some point...

Dav1d

These IdP settings changes seems to work for me after receiving this error:
array ( 'code' => 'Gone', 'message' => 'The API version \'V2\' has been deprecated.', )

All other settings as: https://docs.osticket.com/en/latest/OAuth2/Microsoft%20Authorization%20Guide.html

KevinTheJedi

Dav1d

Yea but try to save the Remote Mailbox with IMAP configured and enabled and you'll see authentication fails.

Cheers.

KevinTheJedi

@jerer

I just did a test to remove the call to the user endpoint and it gets a token but still same authentication failed message when attempting to authenticate to IMAP and SMTP. So this definitely appears to be an issue on their end as I can't even auth using a token I'm given.

Cheers.

jerer

KevinTheJedi
This is weird, things work fine for me at the moment (after removing the call to the user endpoing API). Did you forget some other scopes there? (like openid, User.Read, etc.).

Can only use offline_access and https://outlook.office.com/XXXXXX scopes or IMAP/SMTP/POP authentication fails.

KevinTheJedi

@jerer

To test this yourself you can unpack the plugin (cd to the plugin directory and run php -r '$phar = new Phar("auth-oauth2.phar"); $phar->extractTo("./auth-oauth2");'), edit the auth-oauth2/oauth2.php file, and update the callback() method for class OAuth2EmailAuthBackend to the following:

    public function callback($resp, $ref=null) {
        $errors = [];
        $err = sprintf('%s_auth_bk', $this->account->getType());
        try {
            // MOD
            //if ($this->getState() == $resp['state']
            //        && ($token=$this->getAccessToken($resp['code']))
            //        && ($owner=$this->client->getResourceOwner($token))
            //        && ($attrs=$this->mapAttributes($owner->toArray()))) {
            if ($this->getState() == $resp['state']
                    && ($token=$this->getAccessToken($resp['code']))) {
                $this->resetState();
                $info =  [
                    'access_token' => $token->getToken(),
                    'refresh_token' => $token->getRefreshToken(),
                    'expires' => $token->getExpires(),
                    'resource_owner_id' => $token->getResourceOwnerId(),
                    //'resource_owner_email' => $attrs['email'],
                    'resource_owner_email' => $this->getEmailAddress(),
                ];
/*
                if (!isset($attrs['email']))
                    $errors[$err] = $this->error_msg(self::ERR_EMAIL_ATTR, $attrs);
                elseif (!$info['refresh_token'])
                    $errors[$err] = $this->error_msg(self::ERR_REFRESH_TOKEN);
                elseif (!$this->signIn($attrs)) {
                    // On strict mode email mismatch is an error, otherwise
                    // set email address being authorized as the resource
                    // owner - with the assumption that a global admin
                    // authorized the account.
                    if ($this->isStrict())
                        $errors[$err] = $this->error_msg(self::ERR_EMAIL_MISMATCH, $attrs);
                    else
                        $info['resource_owner_email'] = $this->getEmailAddress();
                }
*/
                if (!$info['refresh_token'])
                    $errors[$err] = $this->error_msg(self::ERR_REFRESH_TOKEN);
                // END

                // Update the credentials if no validation errors
                if (!$errors
                        && !$this->updateCredentials($info, $errors)
                        && !isset($errors[$err]))
                     $errors[$err] = $this->error_msg(self::ERR_UNKNOWN);
            }
        } catch (Exception $ex) {
            $errors[$err] =  $ex->getMessage();
        }

        // stash the results before redirecting
        $email = $this->getEmail();
        // TODO: check if email implements StashableTrait
        if ($errors)
            $email->stash('errors', $errors);
        else
            $email->stash('notice', sprintf('%s: %s',
                        $this->account->getType(),
                        __('OAuth2 Authorization Successful')
                        ));
        // redirect back to email page
        $this->onSignIn();
    }

Then login to the database, go to the _plugin table, modify your OAuth2 plugin record, set the install_path to plugins/auth-oauth2 (just remove the .phar), and set isphar to 0. Now the system will use the unpacked plugin with the custom changes.

With the above changes applied the system will skip the user endpoint altogether during token retrieval. You will then get a token successfully (as previously) but then when you try to authenticate using that token you are given it doesn't work (go figure).

Cheers.

sjswarts

KevinTheJedi

Are you talking about this?

KevinTheJedi

Does this fix the IMAP receive too?

ericbrun

KevinTheJedi
Hi, It's work for me too. Thank you ! You save my day !

NewbieSteve

KevinTheJedi

Hi, the fix worked for me, thank you for the assistance.

swmitchell43

KevinTheJedi Could you let me know if this works in cmd or powershell, I tried bot and doesnt seem to do anything.

lokemis

KevinTheJedi I can confirm this got us going today, i hope it sticks. Are the endpoints truly deprecated?

njohnson

KevinTheJedi I followed the instructions the best I could (I'm not familiar at all with php - our osTicket installation is done via a one-click installer in cPanel), but once I make the db change, I get a HTTP 500 error when I try refreshing the page.

I replaced the entire "public function callback($resp, $ref=null)" from { to } with your code. Was that the right approach, or should I be looking for a different section of the oauth2.php file?

(I know I did something wrong, but I don't know what. When I change the db reference back to the .phar file, the page loads correctly)

bbertling

KevinTheJedi
i got the plugin edited, i cant seem to figure out how to manipulate our database. i was able to login to mariadb, i got to the database, and tablet contents, but im strugging to put together the right update command to change the install path and the 1 to 0. can you provide any help on this? also, im using Government 365 if that matters.

teward001

KevinTheJedi
Hey Kevin.

The code changes you did here worked fine, but we also had to apply the scope change of offline_access https://outlook.office.com/IMAP.AccessAsUser.All https://outlook.office.com/POP.AccessAsUser.All https://outlook.office.com/SMTP.Send from jerer (https://forum.osticket.com/d/105728-ms-oauth2-error-the-api-version-v2-has-been-depreciated/12) to make it accept the scopes. With the combined changes, it seems to work as expected with MS365 accounts (business, not personal, addresses).

I will admit this seems like a hacky approach having the changes in the plugin and the scope changes, but otherwise it wouldn't send AND receive properly.

lstrom

KevinTheJedi I apologize as I am trying to follow your solution. I run Powershell as an admin, run the CD command to the plugin directory and run the exact command, but I am not seeing the output. Is the oauth2.php file expected to be in the parent directory or should the command be creating a "auth-oauth2" directory and placing the file there? I am confident I can follow the rest of what you have outlined, but I am not seeing what I would gather to be the expected result from the "php -r" command.

travisn

KevinTheJedi For some reason, using powershell i'm getting errors when trying to do this.

Do we have a long-term fix for this? Are there plans to update the plugin? Even if I could somehow get the extracted files just so I can get working.

ElbowNi

KevinTheJedi
Offline I extracted the contents of the phar,
php -r '$phar = new Phar("auth-oauth2.phar"); $phar->extractTo("./auth-oauth2");'
then changed the section in the oauth2. php, then recompiled the phar:
php -d phar.readonly=0 -r '$phar = new Phar("auth-oauth3.phar"); $phar->buildFromDirectory("./auth-oauth2");'
I then pasted the new phar over the existing .phar, I assume I don't need to make changes to the db as they have the same name.
I now have a green token, now but no mail is being scavenged. Any ideas why?

it-law-man

KevinTheJedi When attempting this fix I am getting a 500 error after refreshing the webpage. Just want to make sure that im supposed to replace what was previously in that section of uaoth2.php with what you've provided?
Reverting the changes back in the _plugin table immediately lets me load the helpdesk. Gotta be something wrong with my oauth2.php im guessing.

osTicket Version v1.18 (724de45)
Web Server Software Apache/2.4.41 (Ubuntu)
MySQL Version 8.0.39
PHP Version 8.1.22

Edit: Fixed this by downloading a fresh phar and redoing the process! Now just getting AUTHENTICATE failed when saving. So going to read further up as I'm pretty sure this was mentioned before

Edit2: I'm just going to take a nap. I spelled the email wrong when I tried deleting and recreating. All is working now. Thanks as always!

PaulRiGr

KevinTheJedi
Yesterday we ran in this problem, after editing the plugin its working fine.
We're using exchange online usermailbox with 2FA.

Thanks.

No-U-turn

KevinTheJedi

I have tried this for the error
array ( 'code' => 'Gone', 'message' => 'The API version \'V2\' has been deprecated.', )

Update the callback() method, run this caommand inside plugin directory "php -r '$phar = new Phar("auth-oauth2.phar"); $phar->extractTo("./auth-oauth2");" , update the table ost_plugin install_path to plugins/auth-oauth2 and ispher 0.

Still the error persistent. osTicket (v1.18)

Anything else to try please ?

KevinTheJedi

jerer

That's exactly what I used offline_access https://outlook.office.com/IMAP.AccessAsUser.All https://outlook.office.com/SMTP.Send.

Cheers.

KevinTheJedi

!!! ANNOUNCEMENT !!!

Everyone still experiencing this issue:
Please retest after following these instructions to see if it starts working again:

https://forum.osticket.com/d/105728-ms-oauth2-error-the-api-version-v2-has-been-depreciated/41

Once I get enough confirmations that the changes work I'll make the changes official.

jerer

KevinTheJedi
Although I already bypassed it the other way, I still would like to confirm I tested this modification and it works. Thanks for looking into this!

archercentauri

KevinTheJedi Hi Kevin, My brain hurts after such a long day... I will however try tomorrow and come back to you. Thanks for your assistance in advance.

LucaBallBCPOP

KevinTheJedi I'm confirming your proposed change does work with a businessaccount.

RBGE

KevinTheJedi Just to add another confirmation, this modification worked for me when using a shared mailbox. However, I did log into the shared mailbox directly (yes, I know - not best practice but it works), so I'm not sure this provides any additional information for confirmation of a fix 😐️

Thanks for the modification! I suspect a lot of people will have expired client secrets around now given it's just over 2 years since the plugin was released!

rodrigocaicedo

KevinTheJedi this fix works on my end, at least to register a new email address using microsoft oauth2. I haven't test yet if it receives and sends email, but at least it allowed me to save the email.

asmith3006

KevinTheJedi ~~This worked for me.~~

~~This authenticated for me, but isn't actually pulling any emails through :-(~~

Edit2: This actually DOES work for me. I had no emails coming through for about an hour (on this mailbox, other mailboxes continued to work) and then as if by magic they started flowing through!

JoePearse

KevinTheJedi Can confirm this worked for me.

magagninos

KevinTheJedi I just apply your instruction to my osticket instance and it's now work fine. Thanks a lot!

KevinTheJedi

jerer

So I’m assuming my account is just fucked up then. Because I always had a dev account but it expired so now I’m using my personal account and this is the one that’s not authenticating (yes I created a brand new registration using the personal account, etc.). I contacted MS to see what’s going on so unfortunately I’m at their mercy. Glad my changes are working for you though. Once I get more confirmations I’ll clean it up and make it legit.

Cheers.

jfields

I've modified the plugin... What other settings should we use for the Auth, Token and Scopes?

KevinTheJedi

jfields

Same everything just do the modifications listed in the post.

Cheers.

jfields

KevinTheJedi,

I get an AUTHENTICATE failed using the same settings but modifications to the plugin.

KevinTheJedi

jfields

That’s the same thing I get but @jerer says otherwise. Maybe try offline_access https://outlook.office.com/IMAP.AccessAsUser.All https://outlook.office.com/SMTP.Send for the scopes?

Cheers.

« Previous Page Next Page »