Basic Authentication Retirement for legacy protocols in Exchange Online: Page 4

Basic Authentication Retirement for legacy protocols in Exchange Online

KevinTheJedi

It will eventually be phased out by most if not all major providers but that deadline is way farther away than IMAP/POP3.

Cheers.

KevinTheJedi

Hello Everyone,

We now have the v1.17-rc1 available for download on our website! Please download, install in a test environment, and test away! If you experience any issues please open a new Issue Report detailing the issue.

A big thank you to everyone for their patience and support!

Cheers.

AdamDempsey

KevinTheJedi thank you to the whole team for all of the hard work involved!

KevinTheJedi

I would like to mention that we need help testing email authorization for MS accounts specifically. We’ve tested email authorization for Gmail (IMAP/SMTP) as well as OAuth2 agent/user authentication for Google and MS. We also need help testing POP for both Gmail and MS.

Cheers.

danielyee

I manage to upgrade my production environment from 1.16.3 to 1.17 RC1 without any hiccups. Manage to activate the OAuth2 plugin and here's where I cannot proceed further. I'm on Office365/AzureAD.

In Manage -> Plugins -> Oauth2 Client, there's an Instance tab. Do I need to manually create a new Instance? Some fields were populated automatically and I'm not sure what should I modify.

Then in Emails -> Email Addresses (select primary) -> Remote Mailbox, there's another "Config" tab next to "Authentication" after I selected "OAuth2 - Microsoft". The fields here are similar to the ones in Plugins.

Do you have a guide on how to get OAuth2 working? I have completed App registration in Azure AD, however Osticket does not show specific error message other than "Configure Authentication".

KevinTheJedi

danielyee

You need to go to osTicket, click Config next to Authentication in the email, copy your Redirect URI, go to Azure, register an app, paste your Redirect URI, create a client secret, copy the client id and client secret, go to osTicket, paste your client ID, paste your client secret, and Save Changes. This will then redirect you to Azure to authenticate and accept the scopes.

Cheers.

korali

KevinTheJedi
Hi Kevin,
I am facing the same issue.
I've configure the OAuth2-Microsoft and it is save successfully.
But when I enabling the email fetching option and try to save the setting it'll show me the Configure Authentication error.
Please find the screen shot.
first Screen Shot - I've configure the OAuth2-Microsoft.
Second Screen shot - My OAuth Config parameters.
Third Screen shot - I'm trying to enable the Email Fetching but getting the Configure Authentication Error.

KevinTheJedi

korali

Okay so don’t use the /common/ urls for Authorization and Token Endpoints. Instead go to the Enterprise Applications in Azure, click Endpoints at the top, and use the v2.0 Authorization and Token URLs with /tenant-id/oauth2/v2.0/ instead of /common/oauth2/v2.0/. Then for Resource Details Endpoint instead of /api/v1.0/me use /api/v2.0/me. And lastly for scopes replace profile,email with https://graph.microsoft.com/.default.

If that doesn’t work then you might need the new build of the plugin and the new patches coming on Monday with RC2. Stay tuned!

Cheers.

Fin3

KevinTheJedi
I've tried what suggested, using right endpoints with my tenant_id, all go well 'till the modern authentication, that ask for user, password and scope accept, but unfortunately the response from auth is invalid_client.
As already suggested, there is maybe a problem on how the scope is handled during authentication process, even with
"https://graph.microsoft.com/.default" setted up the scope passed is "offline_access https://outlook.office.com/IMAP.AccessAsUser.All" as per screenshot below

@edgarnadal
As KevinTheJedi suggested, you will find the right urls with your tenentid inside your azure registration portal, in the "Endpoints" link, as seen in the image below

edgarnadal

Tried, but not working.

On the Endpoints list at azure i dont get OAuth 2.0 authorization endpoint (v2) with the tenant-id mine says: https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize

But i tried with the tenant-id and it didn't work either.

KevinTheJedi

Fin3

I apologize, we were testing a bunch of scope options and I suggested the wrong one. For the scopes use offline_access https://outlook.office.com/IMAP.AccessAsUser.All https://outlook.office.com/POP.AccessAsUser.All https://outlook.office.com/SMTP.Send - this will cover all that we need for access tokens for IMAP/POP and SMTP. You may need the new build of the Plugin and RC2 which should be released today. So if using that information and those scopes still cause issues then you'll need to wait for RC2.

I will say that I'm running into an issue with my Personal Outlook account. I get the error MailboxNotEnabledForRESTAPI - The mailbox is either inactive, soft-deleted, or is hosted on-premise. after singing in and consenting to scopes. I reached out to microsoft support and they told me this issue is on their end and that "they are working hard to resolve the issue". 🙄

Cheers.

Fin3

KevinTheJedi
Thank you very much for the reply!

Unfortunately things still doesn't work, neither with the scope you mentioned, nor the one from my endpoints (are a little bit different for azure env, they refer to graph: https://graph.microsoft.com/offline_access https://graph.microsoft.com/IMAP.AccessAsUser.All https://graph.microsoft.com/POP.AccessAsUser.All https://graph.microsoft.com/SMTP.Send)

I will check with the new plugin when ready and let you know, in the meantime if there's something I can do for you, do not hesitate to contact me.

Cheers

KevinTheJedi

Fin3

I'm using Azure AD and the scopes I'm using are what I mentioned above. It even says to use these scopes in their own documentation:

https://docs.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth

This is why I don't use anything MS. They are literally the worst, docs are always outdated and useless, and their support is the worst I've ever seen.

Cheers.

Fin3

KevinTheJedi
Yes it's true, the msft documentation is often not up to date, even during their courses you may facing things that must be configured differently than what is written in the prodivded documentation 🤦‍♂️

Anyway this is what i find when i manually try to allow the scopes:

Hope this helps!

Cheers

edgarnadal

KevinTheJedi Hi Kevin,

I think you can create a trial o365 trial account and you will have a Azure AD in the mean time.

Also you can creaate a developer account:
https://developer.microsoft.com/en-us/microsoft-365/dev-program

KevinTheJedi

Fin3

I see that too but if I use the graph URLs nothing works at all. If I change to the ones I mentioned above I at least get a valid error.

Cheers.

KevinTheJedi

Fin3

Please send an email to support [at] osticket [dot] com explaining the issue and mention that the devs sent you. From there we can schedule a call with you to help look into MS stuff. All I have is a personal Outlook account and I have to use the outlook scope urls otherwise I get AUTHENTICATE failed (when using graph urls).

Also as I mentioned when I try to setup Modern Auth and authenticate against IMAP it says MailboxNotEnabledForRESTAPI which means MS hasn't migrated my account yet so I'm unable to test.

Cheers.

jerer

Hello @KevinTheJedi

I would like to confirm I got this to work by updating the scopes, V2.0 API and email attribute in the plugin. In fact the outlook.office365.com URLs/API had to be used instead of Graph.

class MicrosoftEmailOauth2Provider extends GenericOauth2Provider { static $id = 'oauth2:msmail'; static $name = 'OAuth2 - Microsoft'; static $defaults = [ 'urlAuthorize' => 'https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize', 'urlAccessToken' => 'https://login.microsoftonline.com/organizations/oauth2/v2.0/token', 'urlResourceOwnerDetails' => 'https://outlook.office.com/api/v2.0/me', // scopes for offline access & mail (IMAP, POP & SMTP) 'scopes' => 'offline_access https://outlook.office.com/IMAP.AccessAsUser.All https://outlook.office.com/POP.AccessAsUser.All https://outlook.office.com/SMTP.Send', 'attr_username' => 'EmailAddress', // This was "mail" before 'attr_email' => 'EmailAddress', // This was "mail" before 'attr_givenname' => 'givenname', 'attr_surname' => 'surname', ]; static $urlOptions = [ 'tenant' => 'common', 'accessType' => 'offline_access', ]; }

With the https://outlook.office.com/api/v2.0/me API the email attribute is "EmailAddress" (https://outlook.office.com/api/v2.0/$metadata)

I must admit this is really confusing by Microsoft, if you use the new Graph API/scopes at all the IMAP authentication won't work (even though you successfully get an access token, but imap auth fails with "NO AUTHENTICATION FAILED"). Yet they announced the outlook.office365.com APIs will be decommissioned in November...

Fin3

jerer
What kind of microsoft account are u using? Microsoft or Exchange online?

patricksmithosticket

Hello,

I'm trying to configure the OAuth2-Microsoft plugin but I'm not sure I'm using the correct data. When I save the configuration I get the message "No input file specified." back in the browser. This is the same message when I open the reidrect URI. https://[domain]/api/auth/oauth2

Anyone have an idea what's going wrong?

Thanks in advance!

jerer

Fin3

Exchange online. Here's my App Registration settings in Azure:

And settings in osticket:

Just a note that in the current release setting the scopes via UI does not work, also the hard coded email attribute needs to be fixed in the code: https://github.com/protich/osTicket-plugins/tree/plugins/auth-oauth2

patricksmithosticket

yes a microsoft exchange online account

« Previous Page Next Page »