I get the same thing. I have followed the guide you have linked Kevin but each time I configure the email account I get taken through the microsoft authentication process which completes then I am returned to our osticket landing page. I have to navigate to the /scp section then I check the email setup and it's still unconfigured with no green banner to say it's setup nor a red error message.
Basic Authentication Retirement for legacy protocols in Exchange Online
CPC
We had the same issue when setting this up. We found that this was caused due to not having the App Registration setup for Multitenant.
I did have it set that way originally but the new documentation https://github.com/osTicket/docs/blob/3b6b623c026c15bb267e404a4afd72b19d29f035/OAuth2/Microsoft%20Authorization%20Guide.rst showed it as single tenant. I've set it back to multi-tenant and unfortunately I'm now stuck with an issue that's being talked about here - https://forum.osticket.com/d/101542-oauth2-plugin-error. Unfortunately i'm having issues building the plugin myself and as a non-developer i'm finding it tricky to figure out so i'll just have to follow the conversation.
- Edited
If you read the documentation you linked I mention that this setting is up to your org and your setup but for the sake of the example I'll use the default option. So this should be determined by the org setting up the app. Our documentation cannot account for all cases so we just show you the defaults and let you decide appropriate configs.
Also, when you get redirected to the login page you either didn't configure something properly or you do not have URL rewriting enabled on your webserver.
Cheers.
Good day,
I have follow everything and give all the authorization but I'm still stuck in a loop at the end of the process with the system asking for approval to confirm access.
Any one with a similar problem ?
tomlaf
We are trying to get this working too at the moment. Right now we gave gloabal admin authority to the user that is granting the permission. Allowed us to get past that and system was working. Now we are trying to remove global admin permission but mail stops being collected. Need to figure out exactly what permissions are needed (as sure it wont be Global Admin!)
Thanks for all your work on adding this.
We're trying to enable it now, and followed the guide but are confused by the callback url.
It's being populated in the new form as "{our-hostname}/api/auth/oauth2" but that's failing for us, and returning as a 404 when we check it manually. And on inspecting, there's no /api/auth/ directory so we're confused how this would work.
Any help appreciated.
- Edited
Sounds like you don't have the re-write rules configured in the web.config file.
In the <system.webServer> section ensure you have the following
<rewrite>
<rules>
<rule name="HTTP api" stopProcessing="true">
<match url="^(.*/)?api/(.*)$" ignoreCase="true"/>
<conditions>
<add input="{REQUEST_FILENAME}" matchType="IsFile" ignoreCase="false" negate="true" />
<add input="{REQUEST_FILENAME}" matchType="IsDirectory" ignoreCase="false" negate="true" />
</conditions>
<action type="Rewrite" url="{R:1}api/http.php/{R:2}"/>
</rule>
<rule name="Site pages" stopProcessing="true">
<match url="^(.*/)?pages/(.*)$" ignoreCase="true"/>
<conditions>
<add input="{REQUEST_FILENAME}" matchType="IsFile" ignoreCase="false" negate="true" />
<add input="{REQUEST_FILENAME}" matchType="IsDirectory" ignoreCase="false" negate="true" />
</conditions>
<action type="Rewrite" url="{R:1}pages/index.php/{R:2}"/>
</rule>
<rule name="Staff applications" stopProcessing="true">
<match url="^(.*/)?scp/apps/(.*)$" ignoreCase="true"/>
<conditions>
<add input="{REQUEST_FILENAME}" matchType="IsFile" ignoreCase="false" negate="true" />
<add input="{REQUEST_FILENAME}" matchType="IsDirectory" ignoreCase="false" negate="true" />
</conditions>
<action type="Rewrite" url="{R:1}scp/apps/dispatcher.php/{R:2}"/>
</rule>
</rules>
</rewrite>- Edited
Thanks for your prompt reply. Indeed - that looks quite different to mine.
That's a good pointer, I shall dig into that. Thanks!
Edit: Actually, it looks like I had a misconfiguration in my httpd configuration that was preventing Rewrite from loading. Once solved, the url stopped being 404.
Thanks for the help.
- Edited
Using the latest 0.6 Oauth plugin, V1.17, clicking on "Config" of remote mailbox produces a blank window.
No PHP errors, IIS log just shows that a 500 was in fact thrown.
Any ideas? Not sure how to proceed on this one. We have several instances that are at risk to stop working once Microsoft's basic auth officially ceases functioning.
Do other popups and help tips work? If not then AJAX is not working properly and you need to figure that out. If it’s just this particular popup then you need to check all logs (general server logs, webserver error logs, PHP error logs, MySQL/MariaDB error logs, osTicket System Logs, Browser Console logs, etc.) for any related errors. 500 errors are very generic and hint at a deeper issue which should be logged somewhere. Check your PHP configurations to ensure you have logging enabled and have a log file set, for Apache do the same, and for MySQL do the same.
Cheers.
Hello, we are trying to upgrade to 1.17 (windows IIS and php 8.1.11). We get this error after authorizing with the mailbox user we want to IMAP fetch from. I removed our tenant identifier but not sure how to resolve this.
cURL error 60: SSL certificate problem: unable to get local issuer certificate (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://login.microsoftonline.com/TenantIDRemoved/oauth2/v2.0/token
You’ll need to download the cacert.pen from curl, add it to your PHP install, and edit your PHP.ini file to set the full path to the file for the curl.cainfo directive. For more info please google the error or go to the link specified in the error.
Cheers.
ellisonrje In case anyone else runs into this issue it was the azure license type applied to this account. I had to have it changed from A1 to A5 and then it started working.
KevinTheJedi Thanks - that worked!
I'm having a similar issue, no matter how many times i send the app over for admin consent and approve it as an admin I will be asked to consent (even with the oauth plugin modification I followed in my previous post).
The one difference you can make however is you only need to give Application Administrator permissions to the account, not full global admin. This is enough to allow them to email account to admin consent the app themselves.
Look at my response here:
Cheers.
KevinTheJedi It seems that the old Oauth plugin (0.3) was holding on to the data for the email account somehow (probably in the database). We removed and recreated each email account in osTicket and finally, the window was populated correctly. We still aren't up and running yet, but we're down to "invalid_client". Now leaning towards some sort of misconfiguration in Azure / our osticket instance.
6 days later
Hi,
I was very big problem to activate oauth2 with microsoft. But I have additional problem - I use shared mialboxes (before oauth2 I used this shared mialboxex, but now I cannot use it).
Do You have any solutions (via powershell) to add access for aplication using this shared mailboxes?
- Edited
Not at this time no. You can customize the code but out of the box this is not possible. We do hope to add this support in the future.
Cheers.