Greetings all,
We have recently upgraded our osTicket instance to version 1.18 in order to utilize the Microsoft MFA plugin for checking messages in our environment. The company has recently moved to MS365 from Gmail. Previously, IMAP was accessible by default.
Symptom: After configuration of the IDP settings in the oAuth2 plugin for Microsoft MFA, the negotiation to establish MFA and receive a token fails because the Redirect URI cannot be found. The process never fully establishes a valid authentication.
- osTicket version: 1.18
- Mail Sending: oAuth2 MFA for Microsoft
- Mail Fetching/Receiving: oAuth2 MFA for Microsoft
- PHP version: 8.2.25
- Operating System: Debian 6.1
MFA configuration is set:
Two notes about this configuration, covering things that we had to adjust or that seem to be problems in the plugin configuration:
- The authorization endpoints contain "common" by default and the necessity for any single instance tenant configuration would be to change this to the tenant identifier. We made this change.
- The Callback Endpoint was pre-populated by the plugin during configuration.
After the iDP configuration is submitted, the MFA process starts, accepts our user/pass and MFA auth code. The final step then fails to resolve the redirect URI and thus never stores the auth success.
Findings:
The URI that is constructed in the Redirect URI endpoint is not a valid on-disk path. https://t-l-d/osticket/api is valid, but the api folder does not contain an auth subfolder and beyond.
When investigating some of the PHP, we notice that the construction of this URL seems to be expecting this as a final result: https://dev3.sec.kmbs.us/osticket/api/http.php/auth/oauth2.
But when attempting to plug that URL into the IdP configuration of the plugin, we are met with the below error, which we assume means that despite what we are seeing in the PHP, this is not a valid URL.
It has been a challenge to get the needed assistance from our IT team, but now that we have what we need from them, this is our final sticking point to getting back to using osTicket.
Thank you, in advance, for any thoughts or assistance on this matter.