Hello,

We've run into the OAuth2 issue and so I am looking at upgrading to resolve this. The issue I'm running into is that I started to follow the upgrade procedure and copied all of the files over for v1.18.1, but when I went to launch the site it said I needed to be at PHP 8.1, so I upgraded to PHP 8.1. Now when I try to log in as an admin I get an Access Denied error. I've cleared the caches and reset the browsers on multiple browsers. Is there something I'm missing or doing wrong?

Thanks,
Dan


    dangorham

    Check all possible logs (general server logs, webserver error logs, PHP error logs, MySQL/MariaDB error logs, osTicket System Logs, Browser Console logs, etc.) for any related errors. If you can access the login page but can't log in, then that either means you are not an Admin (only Admins can log in during the Upgrade Pending state) or, more likely, your Agent account is limited to an external authentication source, which will likely not work as your system isn't upgraded yet. You will need to go to the db, go to the _staff table, and set your backend to NULL so you can log in using your local osTicket password. If you don't have a local password you will need to set one using a bcrypt hash using 8 rounds of entropy. There are many free sites online that can generate one for you.

    In case you haven't seen it, we do have Upgrade Documentation here:

    Cheers.
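As an added example (not from this thread or from osTicket itself), here is a small Python check for the manual recovery step above: it verifies that a hash is a cost-8 bcrypt hash in the form PHP's `password_hash($pw, PASSWORD_BCRYPT, ['cost' => 8])` emits, and builds the parameterised UPDATE that clears the external backend and sets the local password. The `ost_` table prefix and the `backend`, `passwd` and `username` column names are assumptions here; the sample hash is constructed, not a real password hash.

```python
import re

# Shape of a bcrypt hash as PHP's password_hash() emits it: $2y$ prefix
# (PHP also accepts $2a$), two-digit cost, then 22 salt chars and 31
# digest chars from the bcrypt base64 alphabet (53 chars in total).
BCRYPT_RE = re.compile(r"^\$2[ay]\$(\d{2})\$[./A-Za-z0-9]{53}$")


def check_bcrypt_hash(value: str, expected_cost: int = 8) -> list:
    """Return a list of problems; an empty list means the hash looks usable."""
    problems = []
    m = BCRYPT_RE.match(value)
    if not m:
        problems.append("not a bcrypt hash (expected $2y$<cost>$<53 chars>)")
        return problems
    cost = int(m.group(1))
    if cost != expected_cost:
        problems.append(f"cost is {cost}, expected {expected_cost}")
    return problems


def build_local_login_reset(username: str, bcrypt_hash: str, prefix: str = "ost_"):
    """Build the parameterised UPDATE that clears the external auth backend
    and sets a local password for one agent. Raises on a malformed hash so a
    bad value never reaches the database. Column names are assumptions."""
    problems = check_bcrypt_hash(bcrypt_hash)
    if problems:
        raise ValueError("; ".join(problems))
    if not re.fullmatch(r"[A-Za-z0-9_]+", prefix):
        raise ValueError("table prefix must be alphanumeric/underscore")
    sql = (f"UPDATE {prefix}staff SET backend = NULL, passwd = %s "
           "WHERE username = %s")
    return sql, (bcrypt_hash, username)


if __name__ == "__main__":
    # Constructed sample hash: correct shape and cost, not derived from any password.
    sample = "$2y$08$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZabcde"
    print(check_bcrypt_hash(sample))          # []
    print(build_local_login_reset("admin", sample))
    print(check_bcrypt_hash("$2y$10$" + sample[7:]))  # wrong cost reported
```

Run the returned statement with your DB driver's parameter binding rather than pasting the hash into a literal SQL string.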

    I had to create a local account and I was able to upgrade, but now I'm having trouble with the token. Every time I hit submit and it redirects to the MS login page, I sign in and then it redirects me back to the normal osTicket User login page. I never get asked for consent or anything. When I navigate back to emails it shows it's still not configured. Any idea why this would happen?

    Well now, I'm no longer redirecting back to the normal user login page, but back to the email settings page with the error "invalid_client". I've copied the client id and client secret directly from 365, and I've also double-checked the Endpoint URLs. I'm not sure what else to try here.

    Kevin asked you to look at and provide logs with any errors.
    Without them it's a shot in the dark as to what is happening, or why.

    That was for a previous issue I was having. I'm now having issues with the OAuth2 plugin. The system logs in osTicket do not show anything regarding this.

      dangorham

      Well, then please describe this new issue in detail so we can best assist.

      Cheers.

      I am unable to get the Microsoft authentication to work with the new plugin. When I click Submit on the IdP Config page it redirects to 365, I log in with the email address I am trying to set up, but then it redirects back to osTicket and says "Invalid_Client" next to the Config button.

      I've triple checked all of the inputs, and copied directly from 365.

        dangorham

        That typically means something is misconfigured on the plugin side but could indicate other issues. Please post a screenshot of the configurations but blur out or censor the sensitive info like tenant id, client id, etc.

        Cheers.

        dangorham

        Are you certain the Client ID you pasted in the email auth configuration is the "Application (client) ID" from the App Registration? Are you certain the Client Secret is the "Client Secret Value" and not the Client Secret ID?

        Cheers.

        Okay, so that was the issue, I was copying the wrong string for the Client Secret. It went through and is showing the token but when I hit Save Changes I am now getting this.

        I was able to log in to 365 with all 3 emails I needed to set up, but all 3 are now throwing that up when I select Save Changes. When I go back into the configs all the settings are there and it is showing a token with a new expiration date. None of them are fetching though.

          dangorham

          It sounds like maybe IMAP is disabled in your tenant via a policy or potentially at each email level.

          Cheers.

          IMAP is enabled. These emails all fetched previously to the OAuth2 plugin needing to be updated.

            dangorham

            Then are you certain you authorized the correct email accounts? Did you do each one in an Incognito window and login as each mailbox when directed to Microsoft?

            Cheers.

            dangorham

            Also ensure all your Scopes are set to offline_access https://outlook.office.com/IMAP.AccessAsUser.All https://outlook.office.com/POP.AccessAsUser.All https://outlook.office.com/SMTP.Send.

            Cheers.

            Yes, I logged into each one in separate incognito windows. I've re-copied that Scopes string to be sure, and I am still getting the same error.

              dangorham

              Hmm, the only thing I can think of is to check the logs in Microsoft to see why it's failing authentication.

              Cheers.

              6 days later

              So I've been working with my director to see if we can figure this out and we are still unable to get emails fetched. The MS logs show successful logins, IMAP is enabled, the token gets refreshed, but it still says Authenticate Failed when clicking Save Changes. Any other ideas?

                dangorham

                See if there is a policy attached to the user (on the Microsoft side) that is restricting IMAP. They have commands you can run for each user to see if it's enabled, etc. You'd need to look at guides online for such steps.

                If you are using a hosting company instead of running your own server/VM, then I'd recommend reaching out to them to see if they disable external IMAP, etc. I've seen in the past where such restrictions from hosts cause such issues.

                Cheers.