Hi guys, are there any solutions out there that allow email fetching via OAuth or OpenIDConnect? It could be any protocol that Office365 supports.
Currently any protocol that bypasses the two-factor authentication check is blocked in our environment. We can send emails out via OSTicket, but not fetch them.
Any help would be appreciated, if this is the wrong place to put this!
OAuth and OpenIDConnect are not email protocols... they are authentication protocols. You cannot collect mail via either of those. That being said you can log into your account(s) using them, which might let you also do things like run Outlook (2016+ and 365) to get your mail. Some applications (like Outlook 2016) can be configured to use those as their authentication method, but currently there is no way to do that in osTicket that I am aware of.
ntozier Thanks for the response! I was advised by our email team to seek out authenticating to the o365 server using those.
I would need to be able to do it through OSTicket itself, so that the system can fetch emails as tickets.
That's why I was hoping there might be some kind of modification or plugin available to accomplish this.
I did read through the source and it seems the biggest issue is the "/noauth" call, where it doesn't ask for any 2FA.
I've added the troubleshooting tag for you.
Bump, is there anyone that can help with this?
SeanZF I manage a Office365 environment its crazy easy to turn off two factor auth for one account. If security is an issue why not make it like a 30 character password?...
Helpdesk mail account cant really be a security risk.
Some things to look at but someone will have to rewirte a good part of osticket to handle this.
https://stackoverflow.com/questions/23064189/authorization-with-new-office365-api
https://github.com/OfficeDev/O365-EDU-PHP-Samples/tree/master/Basics%20of%20SSO
We also use o365 and have MFA turned on. We shut it off for the tickets account(s).
Good day.
we just receive this announcement by Microsoft :
Beginning October 13, 2020, we will retire Basic Authentication for EWS, EAS, IMAP, POP and RPS to access Exchange Online. Note: this change does not impact SMTP AUTH
(....)
Any application using OAuth 2.0 to connect to these protocols, will continue to work without change or interruption.
Based on my understanding of the OsTicket mail fetch this mean that we will be lock out on October 13 2020 if there is no change in the way OsTicket work.
Can you confirm if I’m right ?
Thanks you.
This is over a year out, but I agree it is good to plan ahead. I have made sure that the devs saw this post so that they can plan a solution. This will affect multiple things here where I work [at least: osTicket, all our scanner/copiers, and anyone using android or ios built in mail apps for mail].
We also use office365 for our email accounts and have been polling for tickets successfully for a while now (with 2fa turned off of course) but now we just received a similar notice about our mail accounts switching over to oauth and will be looking to know if osticket will support "modern auth" or "oauth" as our IT folks referred to it.
ntozier just to let you know we had that issue with mail for iPhone and Android when we switch on the MFA. But for the vast majority of end user that have created they account with in the last year (ish) the move was without issue, the rest had to remove and re-add the account. Still a pain but the support is there.
It is relatively safe to assume that the devs will talk about it and make their own determination as to if this should be a planned feature.
Just got this email from Google. Looks like Gsuite is moving to require OAuth authentication for checking/sending email inboxes using the IMAP protocol.
Starting February 15, 2021, G Suite accounts will only allow access to apps using OAuth. Password-based access will no longer be supported.
Dear Administrator,
We’re constantly working to improve the security of your organization’s Google accounts. As part of this effort, and in consideration of the current threat landscape, we’ll be turning off access to less secure apps (LSA) — non-Google apps that can access your Google account with only a username and password, without requiring any additional verification steps. Access through only a username and password makes your account more vulnerable to hijacking attempts. Moving forward, only apps that support a more modern and secure access method called OAuth will be able to access your G Suite account.
Access to LSAs will be turned off in two stages:
June 15, 2020 - Users who try to connect to an LSA for the first time will no longer be able to do so. This includes third-party apps that allow password-only access to Google calendars, contacts, and email via protocols such as CalDAV, CardDAV and IMAP. Users who have connected to LSAs prior to this date will be able to continue using them until usage of all LSAs is turned off.
February 15, 2021 - Access to LSAs will be turned off for all G Suite accounts.
What do I need to do?
To continue using a specific app with your G Suite accounts, users in your organization must switch to a more secure type of access called OAuth. This connection method allows apps to access accounts with a digital key instead of requiring a user to reveal their username and password. We recommend that you share the user instructions (included below) with individuals in your organization to help them make the necessary changes. Alternatively, if your organization is using custom tools, you can ask the developer of the tool to update it to use OAuth.
Came here to comment about this same email from Google. We have a little bit of time, but I want to know how to fix this down the line.
FOLLOWING:
whilst i don't need this for my personal helpdesk i do need it for a couple of NFP helpdesks i host
would even be happy to contribute a donation to get this across the line
h
