Basic Authentication Retirement for legacy protocols in Exchange Online: Page 11

Basic Authentication Retirement for legacy protocols in Exchange Online

rjkunde

Swapping back to the old plugin doesn't resolve it. I'm going to replace all of the core files and start fresh.

KevinTheJedi

At the moment yes; when stable is released the plugin on our website will be updated. You can actually download the raw folder/files from github, put the auth-oauth2 folder in the include/plugins/ directory, go to the database and go to the plugins table, change the install_path from plugins/auth-oauth2.phar to just plugins/auth-oauth2, update isphar from 1 to 0, and you should be good.

Cheers.

rjkunde

KevinTheJedi Is this the updated plugin?
https://github.com/osTicket/osTicket-plugins/blob/develop/auth-oauth/plugin.php
The version says .1. I tested again with OAuth2 plugin 0.3, I can click the edit configuration just fine. If I uninstall it, and install 0.5 from the website, I receive 500 errors and a blank modal (no php or IIS errors that I can see). I'll gladly try what you recommended but I don't see 0.6 listed anywhere.

KevinTheJedi

rjkunde

No the oauth2 plugin isn’t merged yet so it’s a pull request:

https://github.com/osTicket/osTicket-plugins/pull/231

Cheers.

caharkness

KevinTheJedi This guide worked out for me. After a day's worth of struggle and fighting with everything from having the right PHP version installed all the way to getting a successful connection to outlook.office365.com's IMAP service (on port 993) via the Microsoft OAuth2 authentication (plugin version 0.5), I wanted to leave a few notes for the next guy that may be struggling with this:

If you're on PHP 7.x and osTicket 1.15.8, get PHP 8.0 working first. Specifically 8.0. Upgrade to osTicket 1.16.3 by copying the contents of the "upload" directory over the contents of the existing 1.15.8 installation. As in a folder merge, overwriting any existing files. Update your filesystem permissions as needed if you are doing this through WinSCP as root (www-data or whatever webserver user needs permissions)
Once you can verify that 1.16.3 is working (after going through the upgrade in the web interface) it's time to do the same thing with the 1.17 RC4 "upload" directory. Merge everything with the 1.16.3 installation overwriting all conflicting files. This is one of my many struggles. Apparently a fresh install of 1.17 RC4 does not work with the database still having data from 1.16.3? After that merge/copy/overwrite, be sure to update file permissions as needed.
Unsure how this goes on Windows servers but for my case in a Debian 11 install with apache2, I had to tell apache2 to read the .htaccess files and enable the rewrite module. In the apache2.conf file, there might be a few lines that say "AllowOverride None". Those lines need to read "AllowOverride all". You also need the rewrite module enabled, it's usually enabled via "a2enmod rewrite".
Follow this guide I am replying to exactly. (https://github.com/osTicket/docs/blob/3b6b623c026c15bb267e404a4afd72b19d29f035/OAuth2/Microsoft%20Authorization%20Guide.rst) Meaning create a new Azure app. I believe my issue was that I had created my Azure app a while back and something was different about the JSON that comes back from the user details "/me" endpoint.

nmunk

Hi guys, we are now two days out from the Oct 1 basic auth cutoff, do we yet have a date for 1.17 stable release? Additionally when configuring in our environment, attempting to configure the OAuth2 plugin always requests admin consent, and never successfully configures. Is this a known issue? Cheers.

KevinTheJedi

nmunk

Should be releasing stable tomorrow. We have a guide available here that you can follow:

https://github.com/osTicket/docs/blob/3b6b623c026c15bb267e404a4afd72b19d29f035/OAuth2/Microsoft%20Authorization%20Guide.rst

Cheers.

CPC

nmunk

I get the same thing. I have followed the guide you have linked Kevin but each time I configure the email account I get taken through the microsoft authentication process which completes then I am returned to our osticket landing page. I have to navigate to the /scp section then I check the email setup and it's still unconfigured with no green banner to say it's setup nor a red error message.

ChrisAnders

Morning! Any update on this please?

pchittock

CPC
We had the same issue when setting this up. We found that this was caused due to not having the App Registration setup for Multitenant.

CPC

pchittock

I did have it set that way originally but the new documentation https://github.com/osTicket/docs/blob/3b6b623c026c15bb267e404a4afd72b19d29f035/OAuth2/Microsoft%20Authorization%20Guide.rst showed it as single tenant. I've set it back to multi-tenant and unfortunately I'm now stuck with an issue that's being talked about here - https://forum.osticket.com/d/101542-oauth2-plugin-error. Unfortunately i'm having issues building the plugin myself and as a non-developer i'm finding it tricky to figure out so i'll just have to follow the conversation.

KevinTheJedi

CPC

If you read the documentation you linked I mention that this setting is up to your org and your setup but for the sake of the example I'll use the default option. So this should be determined by the org setting up the app. Our documentation cannot account for all cases so we just show you the defaults and let you decide appropriate configs.

Also, when you get redirected to the login page you either didn't configure something properly or you do not have URL rewriting enabled on your webserver.

Cheers.

tomlaf

Good day,
I have follow everything and give all the authorization but I'm still stuck in a loop at the end of the process with the system asking for approval to confirm access.
Any one with a similar problem ?

ChrisAnders

tomlaf
We are trying to get this working too at the moment. Right now we gave gloabal admin authority to the user that is granting the permission. Allowed us to get past that and system was working. Now we are trying to remove global admin permission but mail stops being collected. Need to figure out exactly what permissions are needed (as sure it wont be Global Admin!)

CPC

ChrisAnders

I'm having a similar issue, no matter how many times i send the app over for admin consent and approve it as an admin I will be asked to consent (even with the oauth plugin modification I followed in my previous post).

The one difference you can make however is you only need to give Application Administrator permissions to the account, not full global admin. This is enough to allow them to email account to admin consent the app themselves.

digdilem

Thanks for all your work on adding this.

We're trying to enable it now, and followed the guide but are confused by the callback url.

It's being populated in the new form as "{our-hostname}/api/auth/oauth2" but that's failing for us, and returning as a 404 when we check it manually. And on inspecting, there's no /api/auth/ directory so we're confused how this would work.

Any help appreciated.

mbanyard

Sounds like you don't have the re-write rules configured in the web.config file.

In the <system.webServer> section ensure you have the following

    <rewrite>
        <rules>
            <rule name="HTTP api" stopProcessing="true">
                <match url="^(.*/)?api/(.*)$" ignoreCase="true"/>
                <conditions>
                    <add input="{REQUEST_FILENAME}" matchType="IsFile" ignoreCase="false" negate="true" />
                    <add input="{REQUEST_FILENAME}" matchType="IsDirectory" ignoreCase="false" negate="true" />
                </conditions>
                <action type="Rewrite" url="{R:1}api/http.php/{R:2}"/>
            </rule>
            <rule name="Site pages" stopProcessing="true">
                <match url="^(.*/)?pages/(.*)$" ignoreCase="true"/>
                <conditions>
                    <add input="{REQUEST_FILENAME}" matchType="IsFile" ignoreCase="false" negate="true" />
                    <add input="{REQUEST_FILENAME}" matchType="IsDirectory" ignoreCase="false" negate="true" />
                </conditions>
                <action type="Rewrite" url="{R:1}pages/index.php/{R:2}"/>
            </rule>
            <rule name="Staff applications" stopProcessing="true">
                <match url="^(.*/)?scp/apps/(.*)$" ignoreCase="true"/>
                <conditions>
                    <add input="{REQUEST_FILENAME}" matchType="IsFile" ignoreCase="false" negate="true" />
                    <add input="{REQUEST_FILENAME}" matchType="IsDirectory" ignoreCase="false" negate="true" />
                </conditions>
                <action type="Rewrite" url="{R:1}scp/apps/dispatcher.php/{R:2}"/>
            </rule>
        </rules>
    </rewrite>

dclausing

mbanyard, Thank you for the snippet. I migrated over from Apache on Ubuntu to Windows Server with IIS 10 and was pulling my hair out trying to get oAuth2 working, additionally, I had delete my original email profile and create a new one. Once I added the snipped to my web.config and created the new profile, the oAuth2 worked without error. Thank you all for the fantastic work you do and to the support community! My config is using Google Email in a Google for Workspace Environment for anyone that was curious.

digdilem

Thanks for your prompt reply. Indeed - that looks quite different to mine.

That's a good pointer, I shall dig into that. Thanks!

Edit: Actually, it looks like I had a misconfiguration in my httpd configuration that was preventing Rewrite from loading. Once solved, the url stopped being 404.

Thanks for the help.

rjkunde

Using the latest 0.6 Oauth plugin, V1.17, clicking on "Config" of remote mailbox produces a blank window.

No PHP errors, IIS log just shows that a 500 was in fact thrown.

Any ideas? Not sure how to proceed on this one. We have several instances that are at risk to stop working once Microsoft's basic auth officially ceases functioning.

KevinTheJedi

rjkunde

Do other popups and help tips work? If not then AJAX is not working properly and you need to figure that out. If it’s just this particular popup then you need to check all logs (general server logs, webserver error logs, PHP error logs, MySQL/MariaDB error logs, osTicket System Logs, Browser Console logs, etc.) for any related errors. 500 errors are very generic and hint at a deeper issue which should be logged somewhere. Check your PHP configurations to ensure you have logging enabled and have a log file set, for Apache do the same, and for MySQL do the same.

Cheers.

rjkunde

KevinTheJedi It seems that the old Oauth plugin (0.3) was holding on to the data for the email account somehow (probably in the database). We removed and recreated each email account in osTicket and finally, the window was populated correctly. We still aren't up and running yet, but we're down to "invalid_client". Now leaning towards some sort of misconfiguration in Azure / our osticket instance.

geseronta

Hello, we are trying to upgrade to 1.17 (windows IIS and php 8.1.11). We get this error after authorizing with the mailbox user we want to IMAP fetch from. I removed our tenant identifier but not sure how to resolve this.

cURL error 60: SSL certificate problem: unable to get local issuer certificate (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://login.microsoftonline.com/TenantIDRemoved/oauth2/v2.0/token

KevinTheJedi

geseronta

You’ll need to download the cacert.pen from curl, add it to your PHP install, and edit your PHP.ini file to set the full path to the file for the curl.cainfo directive. For more info please google the error or go to the link specified in the error.

Cheers.

« Previous Page Next Page »