OK, progress on this: I was using a browser that had my credentials cached for SharePoint and it was trying to use those to authenticate. Switching to a different browser, I was able to get the correct credentials in for the account but got a cert error after that, similar to the one above but not the same:

cURL error 60: SSL certificate problem: unable to get local issuer certificate (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://login.microsoftonline.com/common/oauth2/v2.0/token

gkowalski

So the:

Allowoverride All
RewriteEngine on

were all that were needed for Apache to properly process the request. We're stuck at

invalid_cert

with no errors in the Mickysoft or Apache side of things.

    gkowalski

    If it’s the same error as @blueyeguy posted you will have to visit the link in the error and follow the steps listed to address the issue.

    Cheers.

    Are there any additional requirements to run this on IIS? I have URL rewrite installed, and what I think are the correct settings in Azure. When I hit "submit" on the idp config section in osTicket, it takes me to the Microsoft O365 auth page, then "permissions requested", I hit accept, then get immediately bounced back to the web server with a 404 - File or Directory not found. The url looks to contain a fully formed auth token too. Any pointers on what to check here, I'm a little stuck.

      rjkunde

      Thanks the error I got when I didn't fully have rewrite rules enabled properly (I have Apache)

      Allowoverride All
      RewriteEngine on

      You didn't have to create any specific rules though right? I have IIS URL Rewrite installed, but the rules are blank.

        rjkunde

        Nah, with Apache it uses the api/.htaccess file to rewrite the URL. IIS might need custom rules, so you can try converting the .htaccess rules to IIS rules, set them up, and retest.

        If so let us know and we can add them to the upcoming documentation.

        Cheers.

          KevinTheJedi Here's what I see for .htaccess files. Should all of these rewrite rules be added in IIS? I don't think I've had to manually add them in the past.

            rjkunde

            No, typically you don’t have to, but I’m just curious if adding the API .htaccess rules would resolve the issue for you.

            Cheers.

            gkowalski Where did you enable this? If it is the .htaccess which one or what directory does it go in? On the 365 side, which settings are needed? It would be helpful for some kind of documentation to be put together for how to do this, or if I can figure it out I would be happy to toss something together with a step-by-step.

              Mitchell-GMIC I realized I must have only had a partial install or something because none of the .htaccess files were present in my web server, however they are present in my local copy of the folders. When I added the .htaccess file to the api folder I now get a different error:

              This is coming up after I have logged in to Office 365.

              The URL bar shows this: https://helpdeskfancyurl.com/api/auth/oauth2?error=invalid_request&error_description=AADSTS50194%3a

              So when researching what that error means, it appears Microsoft says I need to configure my app registration as multi-tenant. I am all sorts of confused here. Any help would be appreciated. If it is best to split this off into another thread let me know and I would be happy to do that as well.

                Mitchell-GMIC

                Are you trying to set up a personal email address or a business account one with a custom domain tenant? After fighting with MS for almost a month they finally told me that they do not allow OAuth2 support with personal emails unless you set up a custom domain and a new tenant reflecting that.

                Cheers.

                rjkunde I'm getting the same error also with IIS. I have the URL Rewrite module installed but no rules.

                @ntozier

                Any thoughts here? I know normal API requests work on IIS so any reason why new API urls (using same base url) wouldn't work?

                Cheers.

                I'm a new user to osTicket and huge thank you to those supporting it. I am having an error when trying to get a token with the oauth2 plugin. I go through setting up the app registration in Azure, copied the application id, registration token, granted permissions for the Graph APIs in KevinTheJedi's instructions (followed them to a T). The error I'm getting is "No input file specified" when requesting a token. I have apache2, rewrite engine on, allowoverride all etc. I am running the latest 17RC4 with the newest plugin for oauth2. I even added the directives for rewrite engine on and allowoverride all in the global config. If you have any ideas please help - I've searched all over for fixes and have been working on it for quite a while.

                  jiggs
                  These settings have worked for me, if you still have an issue, you should open your own thread and post your server setup details

                  email Address Attribute part, you have different, based on your AD settings

                  Client Id: *
                  IdP Client / Application Identifier

                  Client Secret:
                  IdP Client Secret

                  Scopes: *
                  Comma or Space separated scopes depending on IdP requirements
                  offline_access https://outlook.office.com/IMAP.AccessAsUser.All https://outlook.office.com/POP.AccessAsUser.All https://outlook.office.com/SMTP.Send

                  Authorization Endpoint: *
                  Authorization URL
                  https://login.microsoftonline.com/common/oauth2/v2.0/authorize

                  Token Endpoint: *
                  Access Token URL
                  https://login.microsoftonline.com/common/oauth2/v2.0/token

                  Resource Details Endpoint: *
                  User Details URL
                  https://outlook.office.com/api/v2.0/me

                  Email Address Attribute: *
                  Please consult your provider docs for the correct attribute to use
                  emailAddress

                  Callback Endpoint: *
                  Redirect Uri
                  https://YourSupportTicketAddress.com/api/auth/oauth2

                  jiggs

                  You definitely don’t have URL Rewriting enabled properly. Please review Apache documentation on how to enable URL Rewriting. Once you make the change you must restart Apache.

                  Cheers.

                  4 days later

                  @JeffAv No luck on my end yet. I'm going to try what @KevinTheJedi said and manually create the rules present in \osticket\api as rules in IIS. Please do let me know if you find a way around this.

                    rjkunde
                    Compare the default web.config file with your web.config file and ensure you have the following section in it under the <system.webServer> section:

                        <rewrite>
                            <rules>
                                <rule name="HTTP api" stopProcessing="true">
                                    <match url="^(.*/)?api/(.*)$" ignoreCase="true"/>
                                    <conditions>
                                        <add input="{REQUEST_FILENAME}" matchType="IsFile"
                                            ignoreCase="false" negate="true" />
                                        <add input="{REQUEST_FILENAME}" matchType="IsDirectory"
                                            ignoreCase="false" negate="true" />
                                    </conditions>
                                    <action type="Rewrite" url="{R:1}api/http.php/{R:2}"/>
                                </rule>
                                <rule name="Site pages" stopProcessing="true">
                                    <match url="^(.*/)?pages/(.*)$" ignoreCase="true"/>
                                    <conditions>
                                        <add input="{REQUEST_FILENAME}" matchType="IsFile"
                                            ignoreCase="false" negate="true" />
                                        <add input="{REQUEST_FILENAME}" matchType="IsDirectory"
                                            ignoreCase="false" negate="true" />
                                    </conditions>
                                    <action type="Rewrite" url="{R:1}pages/index.php/{R:2}"/>
                                </rule>
                                <rule name="Staff applications" stopProcessing="true">
                                    <match url="^(.*/)?scp/apps/(.*)$" ignoreCase="true"/>
                                    <conditions>
                                        <add input="{REQUEST_FILENAME}" matchType="IsFile"
                                            ignoreCase="false" negate="true" />
                                        <add input="{REQUEST_FILENAME}" matchType="IsDirectory"
                                            ignoreCase="false" negate="true" />
                                    </conditions>
                                    <action type="Rewrite" url="{R:1}scp/apps/dispatcher.php/{R:2}"/>
                                </rule>
                            </rules>
                        </rewrite>

                    Hope that helps you.
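
As an added example (not part of any post in this thread, and not osTicket or IIS code), the Python below loads a web.config, applies the "HTTP api" rule quoted above to the OAuth2 callback path, and shows that a config with no rules leaves that path unrewritten, which is the setup in which posters above report the 404. The embedded configs are constructed samples, `rewrite_target` is a hypothetical helper, and the IsFile/IsDirectory conditions are assumed to pass.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: only the "HTTP api" rule quoted in the post above.
WEB_CONFIG = """<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="HTTP api" stopProcessing="true">
          <match url="^(.*/)?api/(.*)$" ignoreCase="true"/>
          <conditions>
            <add input="{REQUEST_FILENAME}" matchType="IsFile" ignoreCase="false" negate="true" />
            <add input="{REQUEST_FILENAME}" matchType="IsDirectory" ignoreCase="false" negate="true" />
          </conditions>
          <action type="Rewrite" url="{R:1}api/http.php/{R:2}"/>
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>"""

# Constructed sample: URL Rewrite installed but no rules, as reported in the thread.
EMPTY_CONFIG = "<configuration><system.webServer><rewrite><rules/></rewrite></system.webServer></configuration>"


def rewrite_target(config_xml, path):
    """Return (rule name, rewritten path) for the first matching rule, else None.

    Assumes the path is not an existing file or directory, so the
    IsFile/IsDirectory negate conditions hold (they are not evaluated here).
    """
    root = ET.fromstring(config_xml)
    for rule in root.findall(".//rewrite/rules/rule"):
        match, action = rule.find("match"), rule.find("action")
        if match is None or action is None or action.get("type") != "Rewrite":
            continue
        flags = re.IGNORECASE if match.get("ignoreCase", "true").lower() == "true" else 0
        m = re.search(match.get("url"), path.lstrip("/"), flags)  # IIS matches without the leading slash
        if m:
            # Expand {R:n} back-references; an unmatched optional group is empty.
            out = re.sub(r"\{R:(\d+)\}", lambda r: m.group(int(r.group(1))) or "", action.get("url"))
            return rule.get("name"), out
    return None


if __name__ == "__main__":
    for label, cfg in (("with api rule", WEB_CONFIG), ("no rules", EMPTY_CONFIG)):
        print(label, "->", rewrite_target(cfg, "/api/auth/oauth2"))
```

To check a real server, pass the contents of the site's own web.config as `config_xml`; a `None` result for `/api/auth/oauth2` means the callback never reaches `api/http.php`.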