Hello,
I also got same problem of error code AADSTS50011 as above.
Did anyone can advise how to solve it?
Thanks!
OpenID Authentication for Microsoft in osTicket
13 days later
- Edited
This plugin works well but did take a couple of attempts to get it working correctly. There does seem to be one item not working - logging out. Choosing logout does, indeed, log you out of OSTicket but does not log you out of your microsoft account. Not sure if this intended functionality.
I also had to add the domain name into the allowed email domains for staff and had to create an agent login dropping the domain name e.g Microsoft login is bill@smith.com. You need to add smith.com to allowed email domains for staff and create an account with a username (no password needed) of bill.
If you are providing client access then the same rules apply.
babgond I had the same issue. I needed to do a couple of things.
- Add your domain name to "allowed email domains for staff"
- Make sure your username reflects the bit before the @ in your domain name eg. bill@smith.com requires you to have a username of bill
Once I had done this I could use the plugin successfully
4 days later
Has anyone managed to get this to work with Office 365 & Apache? I can get it to redirect me to Microsoft to login, but then once I authenticate, I get trapped in a loop, it's as though it doesn't send me back to osTicket.
System Info below.
I also had to change the Endpoint to this as it wasn't happy that I was trying to use a public one with my O365 account.
10 days later
Hello,
I also using Apache with no idea how to config it but still no idea.
I saw there are some different of Authority URL and Authorization Endpoint.
https://login.microsoftonline.com/organizations
vs
https://login.microsoft.com/common
and
/oauth2/v2.0/authorize
vs
/oauth2/authorize
Can someone share which should I config?
Thanks!
a month later
- Edited
Hello machihkfyg and mitchellk
I had the same issue.
I share my solution 
The main plugging configuration:
Authority URL: * https://login.microsoftonline.com/common (multi tenant)
or
Authority URL: * https://login.microsoftonline.com/{Directory (tenant) ID} (Single tenant)
Authorization Endpoint: /oauth2/v2.0/authorize
And the bug with the url blank "api/auth/ext" with apache. The file .htaccess is fine, don't modify the file, the problem is the site location.
I modified the code inside the auth-openid-MS.phar.
The line with:
if ($_SERVER['SCRIPT_NAME'] === '/login.php' || $_SERVER['SCRIPT_NAME'] === '/open.php')
to
if (strpos($_SERVER['SCRIPT_NAME'],'/login.php') !== false || strpos($_SERVER['SCRIPT_NAME'],'/open.php') !== false)
Because, mi site work in domain.com/osTicket/, and the original condition don't match, and one Cookie param in never created.
And
The line with:
if ($_COOKIE['LOGIN_TYPE'] === 'CLIENT') header('Location: /login.php');
To
$url_home = rtrim($ost->getConfig()->getURL(), '/');
$sections = parse_url($url_home);
$sub_dir = isset($sections["path"])?$sections["path"]:"";
if ($_COOKIE['LOGIN_TYPE'] === 'CLIENT') header('Location: '.$sub_dir.'/login.php');Because my site work inside a sub-directory, and i need to get a good location.
I hope this could be useful for your!
My english is a work in progress
Best wishes
3 months later
Hello Guys,
I am encountering the same error.,..is there any clue how to fix it??
Actually as redirect URI I inserted the URL of the website in azurewebsites (the Application is developed as App Service)...
Nobody can collaborate? it seems totally usefulness this tool if there is no possibility to synchronize with Active Directory 
- Edited
Are you adding "api/auth/ext" at the end of your URL?
For example: https://yourdomain.com/api/auth/ext
I use this url pattern at least in two project, running on Apache Server.
The tool set this part of the url automatically when call the Active Directory Authentication. So, this URL must match with the info inserted in the section Redirect URI's
You can use the dev console from Chrome, Firefox to find the URL send to Azure Active Directory.
[UPDATE]
I added some image for references. The field: redirect_uri is the url that you must insert in the list of Redirect's Uri's
SO I setup my website in Azure App Registration as:
https://mywebsite.azurewebsites.net/api/auth/ext
but still I get this error: how did you setup the App Registrationtion redirect??
AADSTS50011: The reply url specified in the request does not match the reply urls configured for the application: 'xxx...'
karmakoma Can you share the configuration???
Again and again and again...."AADSTS50011: The reply url specified in the request does not match the reply urls configured for the application: 'app-id'."
3 months later
All good on osTickets 1.14 , but when the password is accepted , the MS reply : AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application:
I think it is about Redirect URI in Azure ( for ex https://nume.com/api/auth/ext ) and only https is accepted here
osTickets has a number of rewrite insteed , in .htacces and /api/http.php and I think is not correct the response
How can I resolve this ?
2 months later
MrDeanoB Hello, could you please help me with this configuration, I already have everything configured correctly, the only problem is this.
cbasolutions Please help me, I use apache and I have the problem of redirection after login to / api / auth / ext, what should I do?
4 months later
Diego_Morientez your solution breaks the phar file and osTicket detects it as defunct or missing.
Any solutions for Apache?
a month later
- Edited
I've followed the instructions, Microsoft doesn't complain when I log in but when I'm redirected to mydomain.com/api/auth/ext the only thing I see is "No input file specified."
Any idea?
EDIT: found a solution. I switched from FCGId to FPM for my PHP execution mode and it works fine now.
5 months later
I've recently got this working with the tips from @Diego_Morientez re the plugin not matching a subdirectory.
centos/apache
Was only concerned with staff login so:
Here's how you extract/pack files from phar:
1st have to set the ability to write phars changing readonly to oFF in /etc/php.ini
;phar.readonly = On
phar.readonly = Off
then go to where u keep the phar file. Create a tmp dir
mkdir t
cd t
phar extract ../auth-openid-MS.phar
you get:
authentication.php
config.php
openid-MS.phar
openid_ms.php
edit openid_ms.php
for me was ( swap SUB_NAME for your subdir)
39c39
< if ($_COOKIE['LOGIN_TYPE'] === 'STAFF') header('Location: /SUB_NAME/scp/login.php');
if ($COOKIE['LOGIN_TYPE'] === 'STAFF') header('Location: /scp/login.php');
53c53< if ($_SERVER['SCRIPT_NAME'] === '/SUB_NAME/scp/login.php' || $_SERVER['SCRIPT_NAME'] === '/open.php') {
if ($SERVER['SCRIPT_NAME'] === '/login.php' || $SERVER['SCRIPT_NAME'] === '/open.php') {
137c137< if ($_SERVER['SCRIPT_NAME'] === '/SUB_NAME/scp/login.php') {
if ($_SERVER['SCRIPT_NAME'] === '/scp/login.php') {
Now. re-pack -
phar pack -f new_phar.phar *.php
now make a copy of original
cd ../
cp auth-openid-MS.phar auth-openid-MS-original.phar
cp t/new_phar.phar auth-openid-MS.phar
The next part is you need to make sure the agent has auth "any_available_" if not already set.
8 days later
in my config, after clic on LOGIN show a BLANK screen
