OpenID Authentication for Microsoft in osTicket

cbasolutions · Apr 9, 2018

Initial Release - 2018-03-29Version .1Implementation of Open ID authentication for osTicket.Tested with personal and work accountsTested on LAMP stack with PHP 7.0.28, osTicket v1.10.1Tested on LEMP stack with PHP 7.2.3-1, osTicket v1.10.1osTicket on LEMP requires additional rewrite rules. This recipe is a good starting point. You'll want to change the following:location ~ ^/api/(?|tasks).*$ { try_files $uri $uri/ /api/http.php?$query_string;}to:location ~ ^/api/(?|tasks|auth).*$ { try_files $uri $uri/ /api/http.php?$query_string;}osTicket has other issues with PHP 7.2Configuration options for auth URL, endpoint, scope, client ID (application ID), and secretAdditional options for domain whitelists on staff and client logins, enabling the plugin separately on staff and client logins, plus hiding the local login sections.Hiding the local logins allows for public registration to be enabled so that accounts don't have to be created in advance Install - Upload the phar file to your osTicket/include/plugins directory. blank

cbasolutions · Apr 10, 2018

Basic SetupNavigate to https://apps.dev.microsoft.com and create a new applicationDon't use the guided setupGenerate a new password. This is the password for the "Client Secret" field.Add a platform and choose "Web"The Redirect URL should point to your osTicket URL. E.g. https://helpdesk.example.com/api/auth/extIt is strongly encouraged to use SSL. This has only been tested with SSL. Optional: Upload a logoSet the Home page URL. E.g. https://helpdesk.example.comCopy the Application Id and paste it into the "Client ID" field in the plugin. Use "https://login.microsoft.com/common" for the Authority URLUse "/oauth2/v2.0/authorize" for the Authorization EndpointUse "openid profile" for the scopes

cbasolutions · Jun 23, 2018

v .2 UpdateI added support for osTicket Awesome theme and corrected an issue with detecting the staff/client login page. I have only tested this on a LEMP stack with php 7.0.30 with and without osTicket Awesome installed. There's an issue in the instruction set above where I put the authority URL as login.microsoft.com it should be login.microsoftonline.com as is noted in the screenshot.

babgond · Aug 12, 2018

Hello, thank you for your plug-in.I installed the plug-in in OSTicket. (1.10.4)I followed your instructions for the setting.When I click on the button "Sign in Microsoft" in the page login.php, then I arrive on the page "https://login.microsoft.com/common/oauth2/v2.0/authorize?client_id=3b5dd93. .... ". When I enter my email address name@company.ext, I have a message that tells me he can not find my account."There was a problem finding your account, click Next to try again."Should we allow something in MS Azure?Thank you

babgond · Aug 14, 2018

Hello, I have advanced a little,

In the plug-in, in the "Authority URL" part, I replaced "" https://login.microsoft.com/common/ "with" https://login.microsoftonline.com/common "now my account office 365 Edu is recognized, however after having validated my password, I come across this page: "https: //mydomain.ext/osticket/api/auth/ext"

"File not found"

Do you have any idea what this could end?

Thank you

99grams · Oct 24, 2018

Hi cbasolutions,
I went thru all the process you have shown but still stucked on "reply URL not matched error".
I'm using osTicket Version v1.10.4 (035fd0a) on Apache with MySQL 5.7.23 & PHP 5.6.38. Here are the screenshots, could you please help me set up this thing.
Many thanks

M-elnady · May 22, 2019

Hi,
Thank you for this helpful plugin, but i do have a question please.

After following all of the instructions, the scenario is like this:
- I sign in into my Microsoft account, success, then redirected to http://mydomain.com/api/auth/ext.
- Now a blank page?! why doesn't it redirect to the main homepage or tickets page for example?
- I need to get back to the homepage of 'OsTicket' myself and then click Sign in then Voila!, i am signed in!

I have tried for a couple of days now, searching for a solution to no avail, I even downloaded your source code to try to understand what is going on and how to fix this, but also didn't get to any result.

So if you could give me any hint bout why this is happening or what can i do to fix this i would be really grateful ?

Thank you,

machihkfyg · Jun 20, 2019

Hello,

Also I am not clear about the correct setup. Does anyone can share its successful guide.

Thanks!

machihkfyg · Jun 21, 2019

Hello,

I also got same problem of error code AADSTS50011 as above.

Did anyone can advise how to solve it?

Thanks!

MrDeanoB · Jul 4, 2019

M-elnady did you change your nginx config to reflect this:

location ~ ^{/api/(tickets|tasks)(.*)$} {

to

location ~ ^{/api/(tickets|tasks|auth)(.*)$} {

This should then pick up the /auth part in the URL and action it correctly.

MrDeanoB · Jul 4, 2019

This plugin works well but did take a couple of attempts to get it working correctly. There does seem to be one item not working - logging out. Choosing logout does, indeed, log you out of OSTicket but does not log you out of your microsoft account. Not sure if this intended functionality.

I also had to add the domain name into the allowed email domains for staff and had to create an agent login dropping the domain name e.g Microsoft login is bill@smith.com. You need to add smith.com to allowed email domains for staff and create an account with a username (no password needed) of bill.

If you are providing client access then the same rules apply.

MrDeanoB · Jul 4, 2019

babgond I had the same issue. I needed to do a couple of things.

Add your domain name to "allowed email domains for staff"
Make sure your username reflects the bit before the @ in your domain name eg. bill@smith.com requires you to have a username of bill

Once I had done this I could use the plugin successfully

mitchellk · Jul 9, 2019

Has anyone managed to get this to work with Office 365 & Apache? I can get it to redirect me to Microsoft to login, but then once I authenticate, I get trapped in a loop, it's as though it doesn't send me back to osTicket.

System Info below.

I also had to change the Endpoint to this as it wasn't happy that I was trying to use a public one with my O365 account.

machihkfyg · Jul 19, 2019

Hello,

I also using Apache with no idea how to config it but still no idea.

I saw there are some different of Authority URL and Authorization Endpoint.

https://login.microsoftonline.com/organizations
vs
https://login.microsoft.com/common

and

/oauth2/v2.0/authorize
vs
/oauth2/authorize

Can someone share which should I config?

Thanks!

Diego_Morientez · Aug 20, 2019

Hello machihkfyg and mitchellk

I had the same issue.

I share my solution

The main plugging configuration:

Authority URL: * https://login.microsoftonline.com/common (multi tenant)
or
Authority URL: * https://login.microsoftonline.com/{Directory (tenant) ID} (Single tenant)

Authorization Endpoint: /oauth2/v2.0/authorize

And the bug with the url blank "api/auth/ext" with apache. The file .htaccess is fine, don't modify the file, the problem is the site location.

I modified the code inside the auth-openid-MS.phar.

The line with:
if ($_SERVER['SCRIPT_NAME'] === '/login.php' || $_SERVER['SCRIPT_NAME'] === '/open.php')
to
if (strpos($_SERVER['SCRIPT_NAME'],'/login.php') !== false || strpos($_SERVER['SCRIPT_NAME'],'/open.php') !== false)

Because, mi site work in domain.com/osTicket/, and the original condition don't match, and one Cookie param in never created.

And

The line with:
if ($_COOKIE['LOGIN_TYPE'] === 'CLIENT') header('Location: /login.php');
To

$url_home = rtrim($ost->getConfig()->getURL(), '/');
$sections = parse_url($url_home);
$sub_dir = isset($sections["path"])?$sections["path"]:"";
  
if ($_COOKIE['LOGIN_TYPE'] === 'CLIENT') header('Location: '.$sub_dir.'/login.php');

Because my site work inside a sub-directory, and i need to get a good location.

I hope this could be useful for your!

My english is a work in progress

Best wishes

karmakoma · Nov 11, 2019

Hello Guys,
I am encountering the same error.,..is there any clue how to fix it??

Actually as redirect URI I inserted the URL of the website in azurewebsites (the Application is developed as App Service)...

karmakoma · Nov 15, 2019

Nobody can collaborate? it seems totally usefulness this tool if there is no possibility to synchronize with Active Directory

Diego_Morientez · Nov 15, 2019

Are you adding "api/auth/ext" at the end of your URL?

For example: https://yourdomain.com/api/auth/ext

I use this url pattern at least in two project, running on Apache Server.

The tool set this part of the url automatically when call the Active Directory Authentication. So, this URL must match with the info inserted in the section Redirect URI's

You can use the dev console from Chrome, Firefox to find the URL send to Azure Active Directory.

[UPDATE]

I added some image for references. The field: redirect_uri is the url that you must insert in the list of Redirect's Uri's

karmakoma · Nov 18, 2019

SO I setup my website in Azure App Registration as:

https://mywebsite.azurewebsites.net/api/auth/ext

but still I get this error: how did you setup the App Registrationtion redirect??

AADSTS50011: The reply url specified in the request does not match the reply urls configured for the application: 'xxx...'

karmakoma · Nov 19, 2019

karmakoma Can you share the configuration???

karmakoma · Nov 19, 2019

Again and again and again...."AADSTS50011: The reply url specified in the request does not match the reply urls configured for the application: 'app-id'."

stroemmma · Feb 13, 2020

All good on osTickets 1.14 , but when the password is accepted , the MS reply : AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application:
I think it is about Redirect URI in Azure ( for ex https://nume.com/api/auth/ext ) and only https is accepted here
osTickets has a number of rewrite insteed , in .htacces and /api/http.php and I think is not correct the response
How can I resolve this ?

sombiwood · Mar 30, 2020

MrDeanoB Hello, could you please help me with this configuration, I already have everything configured correctly, the only problem is this.

sombiwood · Mar 31, 2020

cbasolutions Please help me, I use apache and I have the problem of redirection after login to / api / auth / ext, what should I do?

thaihoangcfc · Aug 10, 2020

Diego_Morientez your solution breaks the phar file and osTicket detects it as defunct or missing.

Any solutions for Apache?

musyne · Sep 17, 2020

I've followed the instructions, Microsoft doesn't complain when I log in but when I'm redirected to mydomain.com/api/auth/ext the only thing I see is "No input file specified."
Any idea?

EDIT: found a solution. I switched from FCGId to FPM for my PHP execution mode and it works fine now.

psyborgison · Feb 24, 2021

thaihoangcfc

I've recently got this working with the tips from @Diego_Morientez re the plugin not matching a subdirectory.
centos/apache

Was only concerned with staff login so:

Here's how you extract/pack files from phar:
1st have to set the ability to write phars changing readonly to oFF in /etc/php.ini
;phar.readonly = On
phar.readonly = Off
then go to where u keep the phar file. Create a tmp dir
mkdir t
cd t
phar extract ../auth-openid-MS.phar
you get:
authentication.php
config.php
openid-MS.phar
openid_ms.php

edit openid_ms.php
for me was ( swap SUB_NAME for your subdir)
39c39

< if ($_COOKIE['LOGIN_TYPE'] === 'STAFF') header('Location: /SUB_NAME/scp/login.php');

if ($COOKIE['LOGIN_TYPE'] === 'STAFF') header('Location: /scp/login.php');
53c53

< if ($_SERVER['SCRIPT_NAME'] === '/SUB_NAME/scp/login.php' || $_SERVER['SCRIPT_NAME'] === '/open.php') {

if ($SERVER['SCRIPT_NAME'] === '/login.php' || $SERVER['SCRIPT_NAME'] === '/open.php') {
137c137

< if ($_SERVER['SCRIPT_NAME'] === '/SUB_NAME/scp/login.php') {

if ($_SERVER['SCRIPT_NAME'] === '/scp/login.php') {

Now. re-pack -
phar pack -f new_phar.phar *.php
now make a copy of original
cd ../
cp auth-openid-MS.phar auth-openid-MS-original.phar
cp t/new_phar.phar auth-openid-MS.phar

The next part is you need to make sure the agent has auth "any_available_" if not already set.

juantinajero · Mar 4, 2021

in my config, after clic on LOGIN show a BLANK screen

ntozier · Mar 4, 2021

A blank screen usually indicates a PHP error. Please consult your PHP error logs and post the resulting error here.

Yagnesh22 · Jun 7, 2021

Hi Diego_Morientez,
I have done all the config as said here and still I am getting blank page at url https://mydomain.com/osTicket/api/auth/ext
I am using apache server and i have done changes in openid_ms.php as said over here.
Still I am getting blank page after login successfuly via office365.
I need to configure this for staff as well as clients.

Do I need to create agents/clients before they login or it will create user based on openid login?

Please help me as soos as possible.

Thanks,
Yagnesh

Yagnesh22 · Jun 8, 2021

M-elnady
Hi,
I am also facing same issue. Please help me if you got any solution for this.

Thanks

JuVDC · Jun 8, 2021

Hey guys,
I have this blank screen issue sometimes too!

JuVDC · Sep 1, 2021

Hey there,

Has anyone managed to solve this blank page issue at https://mydomain.com/api/auth/ext ?

We're still experiencing it quite often. We've looked at error logs and here what we have:

Logs when no issue:

2021-09-02T12:30:46.533434000Z 172.28.69.5 - - [02/Sep/2021:12:30:46 +0000] "GET /scp/login.php?do=ext&bk=openid_ms.staff HTTP/1.1" 302 732 "https://mydomain.com/scp/login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36"

2021-09-02T12:30:47.118811000Z 172.28.69.5 - - [02/Sep/2021:12:30:47 +0000] "POST /api/auth/ext HTTP/1.1" 302 312 "https://login.microsoftonline.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36"

2021-09-02T12:30:47.178871000Z 172.28.69.5 - - [02/Sep/2021:12:30:47 +0000] "GET /scp/login.php HTTP/1.1" 302 600 "https://login.microsoftonline.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36"

2021-09-02T12:30:47.351747000Z 172.28.69.5 - - [02/Sep/2021:12:30:47 +0000] "GET /scp/ HTTP/1.1" 200 19378 "https://login.microsoftonline.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36"

2021-09-02T12:30:47.677194000Z 172.28.69.5 - - [02/Sep/2021:12:30:47 +0000] "GET /osta/uploads/MSF190231.jpg HTTP/1.1" 404 459 "https://mydomain.com/scp/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36"

2021-09-02T12:30:47.771250000Z 172.28.69.5 - - [02/Sep/2021:12:30:47 +0000] "GET /scp/autocron.php HTTP/1.1" 201 361 "https://mydomain.com/scp/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36"

Logs when the blank page shows up (doesn't go further than 2nd line - see HTTP status code 200 instead of 302):

2021-09-02T12:38:20.109544000Z 172.28.69.5 - - [02/Sep/2021:12:38:20 +0000] "GET /scp/login.php?do=ext&bk=openid_ms.staff HTTP/1.1" 302 732 "https://mydomain.com/scp/login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36"

2021-09-02T12:38:20.467889000Z 172.28.69.5 - - [02/Sep/2021:12:38:20 +0000] "POST /api/auth/ext HTTP/1.1" **200** 283 "https://login.microsoftonline.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36"

Any idea?

XKa-MSF-OCB · Sep 15, 2021

Referring to https://forum.osticket.com/d/99564-osticket-login-not-working-with-microsoft-edge-or-google-chrome/10
[speaking of current version (Release - 2018-06-23) of authorisation plugin "OpenID Authentication for Microsoft in osTicket" at https://github.com/cbasolutions/osTicket-Plugins/tree/master/auth-openid-MS ]

KevinTheJedi
2021-09-15T00:05:02+02:00

@XKa-MSF-OCB

Ah, okay. So since you are using a 3rd Party Plugin you'll need to contact the developer of the plugin for further assistance.

I was thinking this was an issue with the osTicket codebase but appears to be more of an issue with a custom, non-supported plugin.

I will now eject myself from this convo and leave you to contact the dev of the plugin.

Cheers.

Would you recommend any other (standard/supported) solution for authentication in osTicket via Microsoft by any chance?
I guess quite a lot of people/organisations would have such needs, right?

XKa-MSF-OCB · Oct 30, 2021

https://github.com/cbasolutions/osTicket-Plugins/pull/10

osTicket plugin "OpenID Authentication for Microsoft" (plugin ID: "auth:openid-MS") v0.2_XKa-MSF-OCB_2021.09.22.0, patched from original v0.2

Proposed fix for reoccurring problem with users being sidelined to a dead-end blank page "/api/auth/ext" on the osTicket server during authentication (osTicket PHP code being installed in the root of the web server or in a sub-directory), especially affecting Google Chrome (Mozilla Firefox seems more resilient to this problem)

See related osTicket forum posts, such as:

NOTE:
This fix has already been tested and validated in our production environment for more than a month now, our users have not reported this problem anymore since - so we wanted to give our little contribution to the osTicket open-source community with this amended plugin (both PHP source and packaged PHAR file)...
Hope this may help other people encountering similar problems.
Should you have any problem, question, objection, remark, suggestion, etc. , any (constructive) feedback is welcome...

ynienjcn · Nov 22, 2021

Hello, I am able to configure the plugin, and go through the windows login. However after login, microsoft said I couldn't sign in

I don't know what's the reason, when I checked OSticket with local login, I found when I enabled this plugin, this authentication method is not listed in Authentication Backend list, maybe that prevent MS authentication.

Can anybody give me some helps?
Thanks

ynienjcn · Dec 2, 2021

The issue is fixed, the plugins works great with osTicket V1.15.4. The issue I had before was caused be misconfiguration in Azure. When I set Enterprise Application properties "Assignment required" to "No". I can sign with my office365 account properly.

Thanks for the great Plugin.