jerer
I suppose that return uri is ok, i've tried with /osticket/ as per your installation and it return on a 404 page, so i removed it and still go to invelid_client.
I've quite finished to build up a develop machine, i'll let you know!

Thank you

    Thank you Jerer, I have installed the plugin, but still have issues with the redirect URL. Is the conclusion correct that the Azure app and the data in the OAuth2 configuration are correct, but that the feedback to OSticket (on the redirect URL) goes wrong?

    I will open a new thread for issues with the redirect URL

      patricksmithosticket

      This issue is definitely related to AllowOverride module in Apache. You need to go to your sites-available file for the osTicket site or the main httpd.conf and change the AllowOverride module to All.

      Cheers.

        @jerer

        Yes, I was able to confirm we need to use outlook scope URLs, the v2.0 Resource Owner Endpoint, but the attribute is in fact mail. You just need to go to the User in Azure AD, edit the User, and add their email to the Contact Information Form Email Address field. They really need to get their stuff together man. I guess this is what they mean by Microsoft Hell.

        Cheers.

        Thank you Kevin. Do i have to change the AllowOverride none to AllowOverride All in the /etc/apache2/apache2.conf file?

        <Directory /var/www/>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
        </Directory>

          @jerer

          Were you able to successfully test fetching? My account is still not migrated so I cannot test IMAP/POP nor SMTP yet (unless I make a new trial account).

          Cheers.

            done but unfortunately get the same message when saving the OAuth2 configuration.

            ~# nano /etc/apache2/apache2.conf
            :~# service apache2 restart

            Or do I also have to adjust this on the site-available location of this specific site?

              patricksmithosticket

              As I mentioned earlier:

              You need to go to your sites-available file for the osTicket site or the main httpd.conf and change the AllowOverride module to All.

              Which means you should do this in your sites-available and if you don't have that then the main config.

              Cheers.

                ok clear, adjusted in the main and at site level but unfortunately I keep getting the same message back.

                KevinTheJedi

                Yes fetching works using IMAP. Also SMTP works with oauth. Edit: POP works too.

                About the mail attribute, I have the email set also in the Contact Information form but the API doesn't still return "mail" property at all. I wonder if this is a Personal vs Exchange thing or something. Also there is no "mail" property in https://outlook.office.com/api/v2.0/$metadata

                    jerer

                    Very strange as when I dumped the attributes I get from v2.0 user endpoint I got all the correct attributes as expected mail, givenname, and surname.

                    Cheers.

                      @jerer @KevinTheJedi
                      Just for info, I've handled my issues, now i'm correctly fetching emails in oauth2 with the modification proposed by jerer at attr_email and attr_username in conjunction wuth the latest commit of protich
                      I was having two misconfigurations:

                      1. Typo in an url rewriter of IIS
                      2. Error in app registration configuration, where "Allow public client flows" must be setted to "No"

                      Hope this help someone!

                      Cheers

                      Not contributing much to the convo, but thought I'd chime in with I'm also getting the "invalid_client" issue. Have followed all of the advice here, still hitting it. Will try unpacking that .phar and trying those edits @jerer has mentioned tomorrow. It's been a long day with other "sinking ship" items 😅

                      Context: Running this in a fairly large enterprise Azure tenant w/ hybrid mail. If anyone needs me to test things on the Azure end, let me know.

                      I am also getting "invalid_client" with the plugin. Im pulling my hair out on this one!! haha

                      Here is my OAuth2 app settings:

                      Here is my endpoint from Azure:

                      Here is my Client ID:

                      Here is my Secret ID:

                      My Redirect:

                      My Permissions:

                      Hi, Also getting "invalid_client" when saving Auth2 Config, but when I enable email fetching Error changes to "Configure Authentication"


                      Is there a link to the v2 oauth2.phar file?

                      I've tried to follow the instructions on github but I'm hitting some errors

                        Andy_B

                        No, we will build and provide the new plugin once RC2 is released. You are welcome to get the source code for the plugin and hydrate and build it yourself.

                        Cheers.

                          @KevinTheJedi Is Outlook v2.0 API being deprecated (and decommissioned soon) going to be addressed in RC2/stable?

                          • I think the API usage could be made optional since it shouldn't be really needed when used for IMAP/POP/SMTP.
                          • The alternative is to use Graph API, but this requires getting another access token because Microsoft doesn't support Graph+outlook.office.com scopes in a single access token.

                            jerer

                            For now just Modern Auth via IMAP/POP and SMTP protocols. If they restrict fetching to the graph api then people are screwed. If that’s the case then you’d need a library/sdk for every provider to use their specific API which is not feasible. They should allow IMAP/POP and SMTP protocols for OAuth2. Unless I’m misinterpreting what you are saying.

                            Cheers.