Basic Authentication Retirement for legacy protocols in Exchange Online: Page 11

Basic Authentication Retirement for legacy protocols in Exchange Online

rjkunde

Looks potentially related to not sending intermediate certs. Not sure if I have to set certificate paths in PHP, I thought ACME/Let's Encrypt handled it. Still looking.

rjkunde

Resolved: cURL error 60: SSL certificate problem: unable to get local issuer certificate
Solution: Download https://curl.haxx.se/ca/cacert.pem (new CA list from CURL), place in:

Then add to PHP.ini, and reboot web server:

New error: invalid_client

mbanyard

rjkunde

What versions do you have installed?

osTicket
oauth2 Plugin
PHP

Are you running the phar version of the oauth2 plugin?

Also try rebooting the server or running IISRESET from an elevated PowerShell prompt

KevinTheJedi

rjkunde

You can follow this guide to make sure you did everything correctly:

https://github.com/osTicket/docs/blob/3b6b623c026c15bb267e404a4afd72b19d29f035/OAuth2/Microsoft%20Authorization%20Guide.rst

Cheers.

rjkunde

Rebooted server, no change: invalid_client
Versions:
osTicket (v1.17-rc4)
Oauth2 Client 0.3
PHP 8.1.10
Windows Server 2019 Standard
IIS 10.0.17763.1

Not sure on phar or not, I didn't actually install the plugin, someone else did. I can confirm though.

caharkness

KevinTheJedi This guide worked out for me. After a day's worth of struggle and fighting with everything from having the right PHP version installed all the way to getting a successful connection to outlook.office365.com's IMAP service (on port 993) via the Microsoft OAuth2 authentication (plugin version 0.5), I wanted to leave a few notes for the next guy that may be struggling with this:

If you're on PHP 7.x and osTicket 1.15.8, get PHP 8.0 working first. Specifically 8.0. Upgrade to osTicket 1.16.3 by copying the contents of the "upload" directory over the contents of the existing 1.15.8 installation. As in a folder merge, overwriting any existing files. Update your filesystem permissions as needed if you are doing this through WinSCP as root (www-data or whatever webserver user needs permissions)
Once you can verify that 1.16.3 is working (after going through the upgrade in the web interface) it's time to do the same thing with the 1.17 RC4 "upload" directory. Merge everything with the 1.16.3 installation overwriting all conflicting files. This is one of my many struggles. Apparently a fresh install of 1.17 RC4 does not work with the database still having data from 1.16.3? After that merge/copy/overwrite, be sure to update file permissions as needed.
Unsure how this goes on Windows servers but for my case in a Debian 11 install with apache2, I had to tell apache2 to read the .htaccess files and enable the rewrite module. In the apache2.conf file, there might be a few lines that say "AllowOverride None". Those lines need to read "AllowOverride all". You also need the rewrite module enabled, it's usually enabled via "a2enmod rewrite".
Follow this guide I am replying to exactly. (https://github.com/osTicket/docs/blob/3b6b623c026c15bb267e404a4afd72b19d29f035/OAuth2/Microsoft%20Authorization%20Guide.rst) Meaning create a new Azure app. I believe my issue was that I had created my Azure app a while back and something was different about the JSON that comes back from the user details "/me" endpoint.

mbanyard

Ah, the plugin is now on v0.6
Please update it and test again.

rjkunde

Thanks @mbanyard and @KevinTheJedi I'll try updating the client this afternoon and see what happens.

rjkunde

So latest plugin version seems to be 0.5, and we're using the phar version. But using the new plugin throws a 500 and the modal window doesn't populate. To get 0.6, do I need to compile myself from the github repo?

Any ideas?

KevinTheJedi

rjkunde

At the moment yes; when stable is released the plugin on our website will be updated. You can actually download the raw folder/files from github, put the auth-oauth2 folder in the include/plugins/ directory, go to the database and go to the plugins table, change the install_path from plugins/auth-oauth2.phar to just plugins/auth-oauth2, update isphar from 1 to 0, and you should be good.

Cheers.

rjkunde

Swapping back to the old plugin doesn't resolve it. I'm going to replace all of the core files and start fresh.

rjkunde

KevinTheJedi Is this the updated plugin?
https://github.com/osTicket/osTicket-plugins/blob/develop/auth-oauth/plugin.php
The version says .1. I tested again with OAuth2 plugin 0.3, I can click the edit configuration just fine. If I uninstall it, and install 0.5 from the website, I receive 500 errors and a blank modal (no php or IIS errors that I can see). I'll gladly try what you recommended but I don't see 0.6 listed anywhere.

KevinTheJedi

rjkunde

No the oauth2 plugin isn’t merged yet so it’s a pull request:

https://github.com/osTicket/osTicket-plugins/pull/231

Cheers.

nmunk

Hi guys, we are now two days out from the Oct 1 basic auth cutoff, do we yet have a date for 1.17 stable release? Additionally when configuring in our environment, attempting to configure the OAuth2 plugin always requests admin consent, and never successfully configures. Is this a known issue? Cheers.

KevinTheJedi

nmunk

Should be releasing stable tomorrow. We have a guide available here that you can follow:

https://github.com/osTicket/docs/blob/3b6b623c026c15bb267e404a4afd72b19d29f035/OAuth2/Microsoft%20Authorization%20Guide.rst

Cheers.

CPC

nmunk

I get the same thing. I have followed the guide you have linked Kevin but each time I configure the email account I get taken through the microsoft authentication process which completes then I am returned to our osticket landing page. I have to navigate to the /scp section then I check the email setup and it's still unconfigured with no green banner to say it's setup nor a red error message.

ChrisAnders

Morning! Any update on this please?

pchittock

CPC
We had the same issue when setting this up. We found that this was caused due to not having the App Registration setup for Multitenant.

CPC

pchittock

I did have it set that way originally but the new documentation https://github.com/osTicket/docs/blob/3b6b623c026c15bb267e404a4afd72b19d29f035/OAuth2/Microsoft%20Authorization%20Guide.rst showed it as single tenant. I've set it back to multi-tenant and unfortunately I'm now stuck with an issue that's being talked about here - https://forum.osticket.com/d/101542-oauth2-plugin-error. Unfortunately i'm having issues building the plugin myself and as a non-developer i'm finding it tricky to figure out so i'll just have to follow the conversation.

KevinTheJedi

CPC

If you read the documentation you linked I mention that this setting is up to your org and your setup but for the sake of the example I'll use the default option. So this should be determined by the org setting up the app. Our documentation cannot account for all cases so we just show you the defaults and let you decide appropriate configs.

Also, when you get redirected to the login page you either didn't configure something properly or you do not have URL rewriting enabled on your webserver.

Cheers.

« Previous Page Next Page »