Thank you Jerer.
We use Apache. In the htaccess file I see a rewrite function but no AllowOverride.
I downloaded the github version. In which folder should I put the files?
Basic Authentication Retirement for legacy protocols in Exchange Online
jerer
Very thank you for your input.
I've imported and compiled your modification to the attr_username and attr_email inside the last commit of Mr. Protich but the result it's always "invalid_client". I've also setted my application to allow users from all tenants (previously was only mine, but auth was working too) but without luck (same error).
Now i'm preparing a machine to debug php and try to understand what's going on down there.
Thank you and tc
The "AllowOverride all" needs to be configured in Apache config, not in the .htaccess file. I think you should start a new thread if you still have issues with the redirect URI.
You put the files in "/include/plugins/" folder. From there you can install them directly without building (tho you still have to run php make.php hydrate).
Fin3
Not sure what is causing invalid_client error in your case, one way I could replicate this is having the redirect URI incorrect in Azure. Make sure it doesn't have any trailing /'s in Azure, it has to match exactly what is configured in osTicket.
Thank you Jerer, I have installed the plugin, but still have issues with the redirect URL. Is the conclusion correct that the Azure app and the data in the OAuth2 configuration are correct, but that the feedback to OSticket (on the redirect URL) goes wrong?
I will open a new thread for issues with the redirect URL
This issue is definitely related to AllowOverride module in Apache. You need to go to your sites-available file for the osTicket site or the main httpd.conf and change the AllowOverride module to All.
Cheers.
Yes, I was able to confirm we need to use outlook scope URLs, the v2.0 Resource Owner Endpoint, but the attribute is in fact mail. You just need to go to the User in Azure AD, edit the User, and add their email to the Contact Information Form Email Address field. They really need to get their stuff together man. I guess this is what they mean by Microsoft Hell.
Cheers.
Thank you Kevin. Do i have to change the AllowOverride none to AllowOverride All in the /etc/apache2/apache2.conf file?
<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
Were you able to successfully test fetching? My account is still not migrated so I cannot test IMAP/POP nor SMTP yet (unless I make a new trial account).
Cheers.
done but unfortunately get the same message when saving the OAuth2 configuration.
~# nano /etc/apache2/apache2.conf
:~# service apache2 restart
Or do I also have to adjust this on the site-available location of this specific site?
As I mentioned earlier:
You need to go to your sites-available file for the osTicket site or the main httpd.conf and change the AllowOverride module to All.
Which means you should do this in your sites-available and if you don't have that then the main config.
Cheers.
ok clear, adjusted in the main and at site level but unfortunately I keep getting the same message back.
- Edited
Yes fetching works using IMAP. Also SMTP works with oauth. Edit: POP works too.
About the mail attribute, I have the email set also in the Contact Information form but the API doesn't still return "mail" property at all. I wonder if this is a Personal vs Exchange thing or something. Also there is no "mail" property in https://outlook.office.com/api/v2.0/$metadata
Very strange as when I dumped the attributes I get from v2.0 user endpoint I got all the correct attributes as expected mail, givenname, and surname.
Cheers.
- Edited
@jerer @KevinTheJedi
Just for info, I've handled my issues, now i'm correctly fetching emails in oauth2 with the modification proposed by jerer at attr_email and attr_username in conjunction wuth the latest commit of protich
I was having two misconfigurations:
- Typo in an url rewriter of IIS
- Error in app registration configuration, where "Allow public client flows" must be setted to "No"
Hope this help someone!
Cheers
Not contributing much to the convo, but thought I'd chime in with I'm also getting the "invalid_client" issue. Have followed all of the advice here, still hitting it. Will try unpacking that .phar and trying those edits @jerer has mentioned tomorrow. It's been a long day with other "sinking ship" items 
Context: Running this in a fairly large enterprise Azure tenant w/ hybrid mail. If anyone needs me to test things on the Azure end, let me know.
- Edited
I am also getting "invalid_client" with the plugin. Im pulling my hair out on this one!! haha
Here is my OAuth2 app settings:
Here is my endpoint from Azure:
Here is my Client ID:
Here is my Secret ID:
My Redirect:
My Permissions:
Hi, Also getting "invalid_client" when saving Auth2 Config, but when I enable email fetching Error changes to "Configure Authentication"
Is there a link to the v2 oauth2.phar file?
I've tried to follow the instructions on github but I'm hitting some errors