jerer
Very thank you for your input.
I've imported and compiled your modification to the attr_username and attr_email inside the last commit of Mr. Protich but the result it's always "invalid_client". I've also setted my application to allow users from all tenants (previously was only mine, but auth was working too) but without luck (same error).
Now i'm preparing a machine to debug php and try to understand what's going on down there.

Thank you and tc

      patricksmithosticket

      The "AllowOverride all" needs to be configured in Apache config, not in the .htaccess file. I think you should start a new thread if you still have issues with the redirect URI.

      You put the files in "/include/plugins/" folder. From there you can install them directly without building (tho you still have to run php make.php hydrate).

      Fin3
      Not sure what is causing invalid_client error in your case, one way I could replicate this is having the redirect URI incorrect in Azure. Make sure it doesn't have any trailing /'s in Azure, it has to match exactly what is configured in osTicket.

      • Fin3 replied to this.

            jerer
            I suppose that return uri is ok, i've tried with /osticket/ as per your installation and it return on a 404 page, so i removed it and still go to invelid_client.
            I've quite finished to build up a develop machine, i'll let you know!

            Thank you

              Thank you Jerer, I have installed the plugin, but still have issues with the redirect URL. Is the conclusion correct that the Azure app and the data in the OAuth2 configuration are correct, but that the feedback to OSticket (on the redirect URL) goes wrong?

              I will open a new thread for issues with the redirect URL

                patricksmithosticket

                This issue is definitely related to AllowOverride module in Apache. You need to go to your sites-available file for the osTicket site or the main httpd.conf and change the AllowOverride module to All.

                Cheers.

                  @jerer

                  Yes, I was able to confirm we need to use outlook scope URLs, the v2.0 Resource Owner Endpoint, but the attribute is in fact mail. You just need to go to the User in Azure AD, edit the User, and add their email to the Contact Information Form Email Address field. They really need to get their stuff together man. I guess this is what they mean by Microsoft Hell.

                  Cheers.

                  Thank you Kevin. Do i have to change the AllowOverride none to AllowOverride All in the /etc/apache2/apache2.conf file?

                  <Directory /var/www/>
                  Options Indexes FollowSymLinks
                  AllowOverride All
                  Require all granted
                  </Directory>

                    @jerer

                    Were you able to successfully test fetching? My account is still not migrated so I cannot test IMAP/POP nor SMTP yet (unless I make a new trial account).

                    Cheers.

                      done but unfortunately get the same message when saving the OAuth2 configuration.

                      ~# nano /etc/apache2/apache2.conf
                      :~# service apache2 restart

                      Or do I also have to adjust this on the site-available location of this specific site?

                        patricksmithosticket

                        As I mentioned earlier:

                        You need to go to your sites-available file for the osTicket site or the main httpd.conf and change the AllowOverride module to All.

                        Which means you should do this in your sites-available and if you don't have that then the main config.

                        Cheers.

                          ok clear, adjusted in the main and at site level but unfortunately I keep getting the same message back.

                          KevinTheJedi

                          Yes fetching works using IMAP. Also SMTP works with oauth. Edit: POP works too.

                          About the mail attribute, I have the email set also in the Contact Information form but the API doesn't still return "mail" property at all. I wonder if this is a Personal vs Exchange thing or something. Also there is no "mail" property in https://outlook.office.com/api/v2.0/$metadata

                              jerer

                              Very strange as when I dumped the attributes I get from v2.0 user endpoint I got all the correct attributes as expected mail, givenname, and surname.

                              Cheers.

                                @jerer @KevinTheJedi
                                Just for info, I've handled my issues, now i'm correctly fetching emails in oauth2 with the modification proposed by jerer at attr_email and attr_username in conjunction wuth the latest commit of protich
                                I was having two misconfigurations:

                                1. Typo in an url rewriter of IIS
                                2. Error in app registration configuration, where "Allow public client flows" must be setted to "No"

                                Hope this help someone!

                                Cheers

                                Not contributing much to the convo, but thought I'd chime in with I'm also getting the "invalid_client" issue. Have followed all of the advice here, still hitting it. Will try unpacking that .phar and trying those edits @jerer has mentioned tomorrow. It's been a long day with other "sinking ship" items 😅

                                Context: Running this in a fairly large enterprise Azure tenant w/ hybrid mail. If anyone needs me to test things on the Azure end, let me know.

                                I am also getting "invalid_client" with the plugin. Im pulling my hair out on this one!! haha

                                Here is my OAuth2 app settings:

                                Here is my endpoint from Azure:

                                Here is my Client ID:

                                Here is my Secret ID:

                                My Redirect:

                                My Permissions:

                                Hi, Also getting "invalid_client" when saving Auth2 Config, but when I enable email fetching Error changes to "Configure Authentication"


                                Is there a link to the v2 oauth2.phar file?

                                I've tried to follow the instructions on github but I'm hitting some errors

                                  Andy_B

                                  No, we will build and provide the new plugin once RC2 is released. You are welcome to get the source code for the plugin and hydrate and build it yourself.

                                  Cheers.