Hi guys, are there any solutions out there that allow email fetching via OAuth or OpenIDConnect? It could be any protocol that Office365 supports.
Currently any protocol that bypasses the two-factor authentication check is blocked in our environment. We can send emails out via OSTicket, but not fetch them.
Any help would be appreciated, if this is the wrong place to put this!
OAuth and OpenIDConnect are not email protocols... they are authentication protocols. You cannot collect mail via either of those. That being said you can log into your account(s) using them, which might let you also do things like run Outlook (2016+ and 365) to get your mail. Some applications (like Outlook 2016) can be configured to use those as their authentication method, but currently there is no way to do that in osTicket that I am aware of.
ntozier Thanks for the response! I was advised by our email team to seek out authenticating to the o365 server using those.
I would need to be able to do it through OSTicket itself, so that the system can fetch emails as tickets.
That's why I was hoping there might be some kind of modification or plugin available to accomplish this.
I did read through the source and it seems the biggest issue is the "/noauth" call, where it doesn't ask for any 2FA.
I've added the troubleshooting tag for you.
Bump, is there anyone that can help with this?
SeanZF I manage a Office365 environment its crazy easy to turn off two factor auth for one account. If security is an issue why not make it like a 30 character password?...
Helpdesk mail account cant really be a security risk.
Some things to look at but someone will have to rewirte a good part of osticket to handle this.
https://stackoverflow.com/questions/23064189/authorization-with-new-office365-api
https://github.com/OfficeDev/O365-EDU-PHP-Samples/tree/master/Basics%20of%20SSO
We also use o365 and have MFA turned on. We shut it off for the tickets account(s).
Good day.
we just receive this announcement by Microsoft :
Beginning October 13, 2020, we will retire Basic Authentication for EWS, EAS, IMAP, POP and RPS to access Exchange Online. Note: this change does not impact SMTP AUTH
(....)
Any application using OAuth 2.0 to connect to these protocols, will continue to work without change or interruption.
Based on my understanding of the OsTicket mail fetch this mean that we will be lock out on October 13 2020 if there is no change in the way OsTicket work.
Can you confirm if I’m right ?
Thanks you.
This is over a year out, but I agree it is good to plan ahead. I have made sure that the devs saw this post so that they can plan a solution. This will affect multiple things here where I work [at least: osTicket, all our scanner/copiers, and anyone using android or ios built in mail apps for mail].
We also use office365 for our email accounts and have been polling for tickets successfully for a while now (with 2fa turned off of course) but now we just received a similar notice about our mail accounts switching over to oauth and will be looking to know if osticket will support "modern auth" or "oauth" as our IT folks referred to it.
ntozier just to let you know we had that issue with mail for iPhone and Android when we switch on the MFA. But for the vast majority of end user that have created they account with in the last year (ish) the move was without issue, the rest had to remove and re-add the account. Still a pain but the support is there.
It is relatively safe to assume that the devs will talk about it and make their own determination as to if this should be a planned feature.
Just got this email from Google. Looks like Gsuite is moving to require OAuth authentication for checking/sending email inboxes using the IMAP protocol.
Starting February 15, 2021, G Suite accounts will only allow access to apps using OAuth. Password-based access will no longer be supported.
Dear Administrator,
We’re constantly working to improve the security of your organization’s Google accounts. As part of this effort, and in consideration of the current threat landscape, we’ll be turning off access to less secure apps (LSA) — non-Google apps that can access your Google account with only a username and password, without requiring any additional verification steps. Access through only a username and password makes your account more vulnerable to hijacking attempts. Moving forward, only apps that support a more modern and secure access method called OAuth will be able to access your G Suite account.
Access to LSAs will be turned off in two stages:
June 15, 2020 - Users who try to connect to an LSA for the first time will no longer be able to do so. This includes third-party apps that allow password-only access to Google calendars, contacts, and email via protocols such as CalDAV, CardDAV and IMAP. Users who have connected to LSAs prior to this date will be able to continue using them until usage of all LSAs is turned off.
February 15, 2021 - Access to LSAs will be turned off for all G Suite accounts.
What do I need to do?
To continue using a specific app with your G Suite accounts, users in your organization must switch to a more secure type of access called OAuth. This connection method allows apps to access accounts with a digital key instead of requiring a user to reveal their username and password. We recommend that you share the user instructions (included below) with individuals in your organization to help them make the necessary changes. Alternatively, if your organization is using custom tools, you can ask the developer of the tool to update it to use OAuth.
Came here to comment about this same email from Google. We have a little bit of time, but I want to know how to fix this down the line.
FOLLOWING:
whilst i don't need this for my personal helpdesk i do need it for a couple of NFP helpdesks i host
would even be happy to contribute a donation to get this across the line
h
No need for donations as supporting OAuth is something on our list of Feature Requests and something we are looking to accomplish before the cutoff dates (as we use Gmail internally and this will affect us as well).
Cheers.
Good day, do you have any news on this ?
I know Microsoft has push back, but it still on the horizon ;-)
Any think we can do to help ? Provide test environnement or test a upcomming merge request maybe ?
Thanks you again for all the work !
Hi, As Tomlaf, I'm interested in knowing if there are any news on this.
Best regards,
Rosa
I just want to throw my request for this as well. Just to add on and hopefully move it up the list. We are currently unable to fetch emails due to this issue.
I just had to fight to get basic authentication turned back on for our osticket helpdesk using outlook365 with our local authority they managed it by putting an exception in but once MS turn it off those exceptions are ignored.
I was told they've extended it by 6 months because of Covid.
Either way its going to be a be turned off and schools can't use unapproved email providers
So we will be stuck with a dead helpdesk
Is there an update on the progress OSTIcket is making toward being prepared for the transition? It is coming!
The devs are working on it.
Also the change was delayed:
https://developer.microsoft.com/en-us/office/blogs/deferred-end-of-support-date-for-basic-authentication-in-exchange-online/
Yes. It is essentially the same thing, both are disabling legacy authentication and only allowing oauth2.
nesretep Ì was told in October that nowadays there's no deadline for Google Gmail. When they finally stablish a deadline I supose that there we'll be some months more till they disable legacy auth.
Any update on the Topic of OAtuth 2 to allow email fetching from Gmail, As the deadline on 15th Feb 2021 is nearing
We are still working on implementing OAuth2.0 support. As for the deadline in February, Google posted this update:
As a result, we are suspending the LSA turn-off until further notice. All previously announced timeframes no longer apply. Please be reassured that when we restart the turn-off timelines, you will still have a 12 month window from that start date to review and complete your migration.
Cheers.
KevinTheJedi Thanks for the update 
Even i had a chat with Google Support personnel yesterday
As per Google Support regarding the shutting down of Less Secure Apps
"Less Secure Apps, I'd say that this is not going to happen as of now even though you may have received an email stating otherwise"
"The reason behind basically is because of Covid-19 that it was extended"
Note:- It can be implemented at any time, I request osTicket Developers to be prepared and does not let the ship sink, keep it floating by developing oAuth2 for osTicket
Looks like your request is granted:
KevinTheJedi We are still working on implementing OAuth2.0 support.
Is there any update on this planned change to allow oAuth? I just received notice from our organization that they are going to disable Basic Authentication at the end of May, 2021. Even if Microsoft and Google extend their deadlines, I'm sure there are other organizations, like mine, that are trying to stay of the stated deadlines.
Microsoft has announced plans to disable Basic Authentication for Exchange Online for all tenants in 2021. To prepare for this change, [omitted] will require modern authentication for ALL applications, including those previously granted exceptions, by May 31, 2021.
Your application must use modern authentication to connect to Exchange Online by June 1, 2021, or it will no longer work.
Any Update on this OAuth 2.0, Because of office 365 Email account does not work
Still in progress but in the final stages of development. Below is a post by a community member on how they got osTicket working with Office365 (with forced modern auth) in the meantime:
Cheers.
Was this new feature include in the latest release of osticket that came out on the 28th of July ? My organisation started having issues with fetching new emails from Microsoft 365 email accounts last night as Microsoft disabled basic auth on my tenant.
This feature is still in development at this time.
