tomlaf
We are trying to get this working too at the moment. Right now we gave global admin authority to the user that is granting the permission. Allowed us to get past that and system was working. Now we are trying to remove global admin permission but mail stops being collected. Need to figure out exactly what permissions are needed (as sure it won't be Global Admin!)
Basic Authentication Retirement for legacy protocols in Exchange Online
Thanks for all your work on adding this.
We're trying to enable it now, and followed the guide but are confused by the callback url.
It's being populated in the new form as "{our-hostname}/api/auth/oauth2" but that's failing for us, and returning as a 404 when we check it manually. And on inspecting, there's no /api/auth/ directory so we're confused how this would work.
Any help appreciated.
Sounds like you don't have the re-write rules configured in the web.config file.
In the <system.webServer> section ensure you have the following
<rewrite>
  <rules>
    <rule name="HTTP api" stopProcessing="true">
      <match url="^(.*/)?api/(.*)$" ignoreCase="true"/>
      <conditions>
        <add input="{REQUEST_FILENAME}" matchType="IsFile" ignoreCase="false" negate="true" />
        <add input="{REQUEST_FILENAME}" matchType="IsDirectory" ignoreCase="false" negate="true" />
      </conditions>
      <action type="Rewrite" url="{R:1}api/http.php/{R:2}"/>
    </rule>
    <rule name="Site pages" stopProcessing="true">
      <match url="^(.*/)?pages/(.*)$" ignoreCase="true"/>
      <conditions>
        <add input="{REQUEST_FILENAME}" matchType="IsFile" ignoreCase="false" negate="true" />
        <add input="{REQUEST_FILENAME}" matchType="IsDirectory" ignoreCase="false" negate="true" />
      </conditions>
      <action type="Rewrite" url="{R:1}pages/index.php/{R:2}"/>
    </rule>
    <rule name="Staff applications" stopProcessing="true">
      <match url="^(.*/)?scp/apps/(.*)$" ignoreCase="true"/>
      <conditions>
        <add input="{REQUEST_FILENAME}" matchType="IsFile" ignoreCase="false" negate="true" />
        <add input="{REQUEST_FILENAME}" matchType="IsDirectory" ignoreCase="false" negate="true" />
      </conditions>
      <action type="Rewrite" url="{R:1}scp/apps/dispatcher.php/{R:2}"/>
    </rule>
  </rules>
</rewrite>
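Why the callback URL works without an /api/auth/ directory, shown as an added example that is not part of the original post or of osTicket: a small Python model of the "HTTP api" rule above. The `rewrite` helper and the `files`/`dirs` sets (a stand-in for what exists on disk) are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# The "HTTP api" rule from the reply above; the other two rules have the same shape.
REWRITE_XML = """
<rewrite><rules>
  <rule name="HTTP api" stopProcessing="true">
    <match url="^(.*/)?api/(.*)$" ignoreCase="true"/>
    <conditions>
      <add input="{REQUEST_FILENAME}" matchType="IsFile" ignoreCase="false" negate="true" />
      <add input="{REQUEST_FILENAME}" matchType="IsDirectory" ignoreCase="false" negate="true" />
    </conditions>
    <action type="Rewrite" url="{R:1}api/http.php/{R:2}"/>
  </rule>
</rules></rewrite>
"""

def rewrite(path, files=frozenset(), dirs=frozenset()):
    """Return (rule name, rewritten path), or (None, path) if no rule applies.

    `files` and `dirs` are a constructed stand-in for what exists on disk.
    """
    url = path.lstrip("/")  # the pattern is matched without the leading slash
    for rule in ET.fromstring(REWRITE_XML).iter("rule"):
        match = rule.find("match")
        flags = re.IGNORECASE if match.get("ignoreCase") == "true" else 0
        m = re.search(match.get("url"), url, flags)
        if not m:
            continue
        # Every condition must hold; negate="true" means "is NOT a file / directory".
        ok = True
        for cond in rule.iter("add"):
            exists = url in (files if cond.get("matchType") == "IsFile" else dirs)
            ok = ok and (exists != (cond.get("negate") == "true"))
        if not ok:
            continue
        # {R:n} back-references; an unmatched optional group becomes empty.
        target = re.sub(r"\{R:(\d)\}", lambda b: m.group(int(b.group(1))) or "",
                        rule.find("action").get("url"))
        return rule.get("name"), "/" + target
    return None, path

if __name__ == "__main__":
    print(rewrite("/api/auth/oauth2"))
    print(rewrite("/api/http.php", files={"api/http.php"}))
```

The callback path is handed to api/http.php with the remainder as path info, so nothing has to exist at /api/auth/ on disk; if the rewrite module is not loaded, no rule runs and the request falls through to a 404.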
Thanks for your prompt reply. Indeed - that looks quite different to mine.
That's a good pointer, I shall dig into that. Thanks!
Edit: Actually, it looks like I had a misconfiguration in my httpd configuration that was preventing Rewrite from loading. Once solved, the url stopped being 404.
Thanks for the help.
Using the latest 0.6 Oauth plugin, V1.17, clicking on "Config" of remote mailbox produces a blank window.
No PHP errors, IIS log just shows that a 500 was in fact thrown.
Any ideas? Not sure how to proceed on this one. We have several instances that are at risk to stop working once Microsoft's basic auth officially ceases functioning.
Do other popups and help tips work? If not then AJAX is not working properly and you need to figure that out. If it’s just this particular popup then you need to check all logs (general server logs, webserver error logs, PHP error logs, MySQL/MariaDB error logs, osTicket System Logs, Browser Console logs, etc.) for any related errors. 500 errors are very generic and hint at a deeper issue which should be logged somewhere. Check your PHP configurations to ensure you have logging enabled and have a log file set, for Apache do the same, and for MySQL do the same.
Cheers.
Hello, we are trying to upgrade to 1.17 (windows IIS and php 8.1.11). We get this error after authorizing with the mailbox user we want to IMAP fetch from. I removed our tenant identifier but not sure how to resolve this.
cURL error 60: SSL certificate problem: unable to get local issuer certificate (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://login.microsoftonline.com/TenantIDRemoved/oauth2/v2.0/token
You’ll need to download the cacert.pem from curl, add it to your PHP install, and edit your PHP.ini file to set the full path to the file for the curl.cainfo directive. For more info please google the error or go to the link specified in the error.
Cheers.
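A way to confirm the curl.cainfo setting described above before retrying the authorization, as an added example that is not part of the original post: a Python check of php.ini text for the usual reasons cURL error 60 persists (directive still commented out, a path that is not a full path, or a file that is missing or holds no certificates). The `check_cainfo` and `demo` helpers and the sample php.ini contents are constructed for illustration.

```python
import os
import re
import tempfile

def check_cainfo(php_ini_text):
    """Return a list of problems with curl.cainfo in the given php.ini text."""
    value = None
    for line in php_ini_text.splitlines():
        # A line starting with ';' is a comment, so ';curl.cainfo =' does not count.
        m = re.match(r"\s*curl\.cainfo\s*=\s*(.*?)\s*$", line)
        if m:
            value = m.group(1).strip("\"'")
    if not value:
        return ["curl.cainfo is not set (missing, empty or commented out)"]
    problems = []
    if not os.path.isabs(value):
        problems.append("curl.cainfo is not a full path: " + value)
    if not os.path.isfile(value):
        problems.append("file not found: " + value)
    else:
        with open(value, "r", errors="replace") as f:
            if "-----BEGIN CERTIFICATE-----" not in f.read():
                problems.append("file contains no PEM certificates: " + value)
    return problems

def demo():
    """Constructed sample: one working php.ini, one with the directive commented out."""
    pem = os.path.join(tempfile.mkdtemp(), "cacert.pem")
    with open(pem, "w") as f:
        # Placeholder body; a real bundle holds many certificates.
        f.write("-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----\n")
    good = '[curl]\ncurl.cainfo = "%s"\n' % pem
    commented = "[curl]\n;curl.cainfo =\n"
    return check_cainfo(good), check_cainfo(commented)

if __name__ == "__main__":
    print(demo())
```

Run it against the php.ini that the web server's PHP actually loads, and restart the PHP handler after changing the file so the new value is picked up.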
ellisonrje In case anyone else runs into this issue it was the azure license type applied to this account. I had to have it changed from A1 to A5 and then it started working.
KevinTheJedi Thanks - that worked!
I'm having a similar issue, no matter how many times I send the app over for admin consent and approve it as an admin I will be asked to consent (even with the oauth plugin modification I followed in my previous post).
The one difference you can make however is you only need to give Application Administrator permissions to the account, not full global admin. This is enough to allow them to email account to admin consent the app themselves.
Look at my response here:
Cheers.
KevinTheJedi It seems that the old Oauth plugin (0.3) was holding on to the data for the email account somehow (probably in the database). We removed and recreated each email account in osTicket and finally, the window was populated correctly. We still aren't up and running yet, but we're down to "invalid_client". Now leaning towards some sort of misconfiguration in Azure / our osticket instance.
Hi,
I had a very big problem activating oauth2 with microsoft. But I have an additional problem - I use shared mailboxes (before oauth2 I used these shared mailboxes, but now I cannot use them).
Do you have any solutions (via powershell) to add access for the application using these shared mailboxes?
Not at this time no. You can customize the code but out of the box this is not possible. We do hope to add this support in the future.
Cheers.
osflake I'm using shared mailboxes too, and had no issues setting this up following the documentation. The key thing is you need to sign in as this shared mailbox directly, not as a delegate (it also helps to temporarily allow users to grant consent to apps, as it'll be the shared mailbox accounts doing this, not your administrator account).
Interesting, I must be thinking of aliases. I figured shared mailboxes don't have their own login but seems I was wrong in that assumption.
Cheers.
KevinTheJedi
You can log in to shared mailboxes using a password but you have to set SMTP rules via powershell