Swapping back to the old plugin doesn't resolve it. I'm going to replace all of the core files and start fresh.

rjkunde

At the moment yes; when stable is released the plugin on our website will be updated. You can actually download the raw folder/files from GitHub, put the auth-oauth2 folder in the include/plugins/ directory, go to the database and go to the plugins table, change the install_path from plugins/auth-oauth2.phar to just plugins/auth-oauth2, update isphar from 1 to 0, and you should be good.

Cheers.

    KevinTheJedi Is this the updated plugin?
    https://github.com/osTicket/osTicket-plugins/blob/develop/auth-oauth/plugin.php
    The version says .1. I tested again with OAuth2 plugin 0.3, I can click the edit configuration just fine. If I uninstall it, and install 0.5 from the website, I receive 500 errors and a blank modal (no php or IIS errors that I can see). I'll gladly try what you recommended but I don't see 0.6 listed anywhere.

      KevinTheJedi This guide worked out for me. After a day's worth of struggle and fighting with everything from having the right PHP version installed all the way to getting a successful connection to outlook.office365.com's IMAP service (on port 993) via the Microsoft OAuth2 authentication (plugin version 0.5), I wanted to leave a few notes for the next guy that may be struggling with this:

      1. If you're on PHP 7.x and osTicket 1.15.8, get PHP 8.0 working first. Specifically 8.0. Upgrade to osTicket 1.16.3 by copying the contents of the "upload" directory over the contents of the existing 1.15.8 installation. As in a folder merge, overwriting any existing files. Update your filesystem permissions as needed if you are doing this through WinSCP as root (www-data or whatever webserver user needs permissions).

      2. Once you can verify that 1.16.3 is working (after going through the upgrade in the web interface) it's time to do the same thing with the 1.17 RC4 "upload" directory. Merge everything with the 1.16.3 installation overwriting all conflicting files. This is one of my many struggles. Apparently a fresh install of 1.17 RC4 does not work with the database still having data from 1.16.3? After that merge/copy/overwrite, be sure to update file permissions as needed.

      3. Unsure how this goes on Windows servers but for my case in a Debian 11 install with apache2, I had to tell apache2 to read the .htaccess files and enable the rewrite module. In the apache2.conf file, there might be a few lines that say "AllowOverride None". Those lines need to read "AllowOverride all". You also need the rewrite module enabled, it's usually enabled via "a2enmod rewrite".

      4. Follow this guide I am replying to exactly. (https://github.com/osTicket/docs/blob/3b6b623c026c15bb267e404a4afd72b19d29f035/OAuth2/Microsoft%20Authorization%20Guide.rst) Meaning create a new Azure app. I believe my issue was that I had created my Azure app a while back and something was different about the JSON that comes back from the user details "/me" endpoint.

      Hi guys, we are now two days out from the Oct 1 basic auth cutoff, do we yet have a date for 1.17 stable release? Additionally when configuring in our environment, attempting to configure the OAuth2 plugin always requests admin consent, and never successfully configures. Is this a known issue? Cheers.

        nmunk

        I get the same thing. I have followed the guide you have linked, Kevin, but each time I configure the email account I get taken through the Microsoft authentication process, which completes, then I am returned to our osTicket landing page. I have to navigate to the /scp section, then I check the email setup and it's still unconfigured, with no green banner to say it's set up nor a red error message.

          CPC
          We had the same issue when setting this up. We found that this was caused by not having the App Registration set up for Multitenant.

          • CPC replied to this.

            pchittock

            I did have it set that way originally but the new documentation https://github.com/osTicket/docs/blob/3b6b623c026c15bb267e404a4afd72b19d29f035/OAuth2/Microsoft%20Authorization%20Guide.rst showed it as single tenant. I've set it back to multi-tenant and unfortunately I'm now stuck with an issue that's being talked about here - https://forum.osticket.com/d/101542-oauth2-plugin-error. Unfortunately I'm having issues building the plugin myself and as a non-developer I'm finding it tricky to figure out, so I'll just have to follow the conversation.

              CPC

              If you read the documentation you linked I mention that this setting is up to your org and your setup but for the sake of the example I'll use the default option. So this should be determined by the org setting up the app. Our documentation cannot account for all cases so we just show you the defaults and let you decide appropriate configs.

              Also, when you get redirected to the login page you either didn't configure something properly or you do not have URL rewriting enabled on your webserver.

              Cheers.

              Good day,
              I have followed everything and given all the authorization but I'm still stuck in a loop at the end of the process with the system asking for approval to confirm access.
              Anyone with a similar problem?

                tomlaf
                We are trying to get this working too at the moment. Right now we gave global admin authority to the user that is granting the permission. That allowed us to get past that and the system was working. Now we are trying to remove global admin permission but mail stops being collected. Need to figure out exactly what permissions are needed (as sure it won't be Global Admin!)

                • CPC replied to this.

                  Thanks for all your work on adding this.

                  We're trying to enable it now, and followed the guide but are confused by the callback url.

                  It's being populated in the new form as "{our-hostname}/api/auth/oauth2" but that's failing for us, and returning as a 404 when we check it manually. And on inspecting, there's no /api/auth/ directory so we're confused how this would work.

                  Any help appreciated.

                  Sounds like you don't have the re-write rules configured in the web.config file.

                  In the <system.webServer> section ensure you have the following:

                      <rewrite>
                          <rules>
                              <rule name="HTTP api" stopProcessing="true">
                                  <match url="^(.*/)?api/(.*)$" ignoreCase="true"/>
                                  <conditions>
                                      <add input="{REQUEST_FILENAME}" matchType="IsFile" ignoreCase="false" negate="true" />
                                      <add input="{REQUEST_FILENAME}" matchType="IsDirectory" ignoreCase="false" negate="true" />
                                  </conditions>
                                  <action type="Rewrite" url="{R:1}api/http.php/{R:2}"/>
                              </rule>
                              <rule name="Site pages" stopProcessing="true">
                                  <match url="^(.*/)?pages/(.*)$" ignoreCase="true"/>
                                  <conditions>
                                      <add input="{REQUEST_FILENAME}" matchType="IsFile" ignoreCase="false" negate="true" />
                                      <add input="{REQUEST_FILENAME}" matchType="IsDirectory" ignoreCase="false" negate="true" />
                                  </conditions>
                                  <action type="Rewrite" url="{R:1}pages/index.php/{R:2}"/>
                              </rule>
                              <rule name="Staff applications" stopProcessing="true">
                                  <match url="^(.*/)?scp/apps/(.*)$" ignoreCase="true"/>
                                  <conditions>
                                      <add input="{REQUEST_FILENAME}" matchType="IsFile" ignoreCase="false" negate="true" />
                                      <add input="{REQUEST_FILENAME}" matchType="IsDirectory" ignoreCase="false" negate="true" />
                                  </conditions>
                                  <action type="Rewrite" url="{R:1}scp/apps/dispatcher.php/{R:2}"/>
                              </rule>
                          </rules>
                      </rewrite>
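
What the "HTTP api" rule above does to the callback path, as an added example that is not part of the original post or of osTicket's code. It is a simplified Python model of the rule: only the match pattern, the negated file/directory conditions and the Rewrite action are emulated, and `rewrite`, `check_callback` and `exists_on_disk` are hypothetical names.

```python
import re
import xml.etree.ElementTree as ET

# The "HTTP api" rule from the post above, embedded so the script runs offline.
WEB_CONFIG = """<configuration><system.webServer><rewrite><rules>
  <rule name="HTTP api" stopProcessing="true">
    <match url="^(.*/)?api/(.*)$" ignoreCase="true"/>
    <conditions>
      <add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true"/>
      <add input="{REQUEST_FILENAME}" matchType="IsDirectory" negate="true"/>
    </conditions>
    <action type="Rewrite" url="{R:1}api/http.php/{R:2}"/>
  </rule>
</rules></rewrite></system.webServer></configuration>"""

def rewrite(config_xml, path, exists_on_disk=lambda p: False):
    """Return (rule name, rewritten path), or None if no rule applies.

    Simplified model (assumption): only the match/@url pattern, negated
    IsFile/IsDirectory conditions and Rewrite actions are emulated.
    """
    path = path.lstrip("/")  # IIS matches the path without its leading slash
    for rule in ET.fromstring(config_xml).iter("rule"):
        match, action = rule.find("match"), rule.find("action")
        if match is None or action is None or action.get("type") != "Rewrite":
            continue
        flags = re.IGNORECASE if match.get("ignoreCase", "true").lower() == "true" else 0
        m = re.search(match.get("url"), path, flags)
        if m is None:
            continue
        # Both conditions are negated: a real file or directory wins.
        if rule.find("conditions") is not None and exists_on_disk(path):
            continue
        # Substitute {R:n} back-references; an unmatched group is empty.
        target = re.sub(r"\{R:(\d+)\}",
                        lambda b: m.group(int(b.group(1))) or "",
                        action.get("url"))
        return rule.get("name"), target
    return None

def check_callback(config_xml, callback_path="/api/auth/oauth2"):
    """Describe what the web server would do with the OAuth2 callback."""
    hit = rewrite(config_xml, callback_path)
    if hit is None:
        return "404: no rewrite rule matches " + callback_path
    return "rule %r rewrites to /%s" % hit

if __name__ == "__main__":
    print(check_callback(WEB_CONFIG))
    print(check_callback("<configuration><system.webServer/></configuration>"))
```

With no matching rule the callback path has nothing on disk to resolve to, which is the 404 described in the question; with the rule in place the request reaches `api/http.php` with `auth/oauth2` as trailing path information.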

                    Thanks for your prompt reply. Indeed - that looks quite different to mine.

                    That's a good pointer, I shall dig into that. Thanks!

                    Edit: Actually, it looks like I had a misconfiguration in my httpd configuration that was preventing Rewrite from loading. Once solved, the url stopped being 404.

                    Thanks for the help.

                    Using the latest 0.6 Oauth plugin, V1.17, clicking on "Config" of remote mailbox produces a blank window.

                    No PHP errors, IIS log just shows that a 500 was in fact thrown.

                    Any ideas? Not sure how to proceed on this one. We have several instances that are at risk to stop working once Microsoft's basic auth officially ceases functioning.

                      rjkunde

                      Do other popups and help tips work? If not then AJAX is not working properly and you need to figure that out. If it’s just this particular popup then you need to check all logs (general server logs, webserver error logs, PHP error logs, MySQL/MariaDB error logs, osTicket System Logs, Browser Console logs, etc.) for any related errors. 500 errors are very generic and hint at a deeper issue which should be logged somewhere. Check your PHP configurations to ensure you have logging enabled and have a log file set, for Apache do the same, and for MySQL do the same.

                      Cheers.

                        Hello, we are trying to upgrade to 1.17 (windows IIS and php 8.1.11). We get this error after authorizing with the mailbox user we want to IMAP fetch from. I removed our tenant identifier but not sure how to resolve this.

                        cURL error 60: SSL certificate problem: unable to get local issuer certificate (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://login.microsoftonline.com/TenantIDRemoved/oauth2/v2.0/token