KevinTheJedi
Hi Kevin,
I am facing the same issue.
I've configure the OAuth2-Microsoft and it is save successfully.
But when I enabling the email fetching option and try to save the setting it'll show me the Configure Authentication error.
Please find the screen shot.
first Screen Shot - I've configure the OAuth2-Microsoft.
Second Screen shot - My OAuth Config parameters.
Third Screen shot - I'm trying to enable the Email Fetching but getting the Configure Authentication Error.
Okay so don’t use the /common/ urls for Authorization and Token Endpoints. Instead go to the Enterprise Applications in Azure, click Endpoints at the top, and use the v2.0 Authorization and Token URLs with /tenant-id/oauth2/v2.0/ instead of /common/oauth2/v2.0/. Then for Resource Details Endpoint instead of /api/v1.0/me use /api/v2.0/me. And lastly for scopes replace profile,email with https://graph.microsoft.com/.default.
If that doesn’t work then you might need the new build of the plugin and the new patches coming on Monday with RC2. Stay tuned!
Cheers.
Tried, but not working.
On the Endpoints list at azure i dont get OAuth 2.0 authorization endpoint (v2) with the tenant-id mine says: https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize
But i tried with the tenant-id and it didn't work either.
KevinTheJedi
I've tried what suggested, using right endpoints with my tenant_id, all go well 'till the modern authentication, that ask for user, password and scope accept, but unfortunately the response from auth is invalid_client.
As already suggested, there is maybe a problem on how the scope is handled during authentication process, even with
"https://graph.microsoft.com/.default" setted up the scope passed is "offline_access https://outlook.office.com/IMAP.AccessAsUser.All" as per screenshot below
@edgarnadal
As KevinTheJedi suggested, you will find the right urls with your tenentid inside your azure registration portal, in the "Endpoints" link, as seen in the image below
I apologize, we were testing a bunch of scope options and I suggested the wrong one. For the scopes use offline_access https://outlook.office.com/IMAP.AccessAsUser.All https://outlook.office.com/POP.AccessAsUser.All https://outlook.office.com/SMTP.Send - this will cover all that we need for access tokens for IMAP/POP and SMTP. You may need the new build of the Plugin and RC2 which should be released today. So if using that information and those scopes still cause issues then you'll need to wait for RC2.
I will say that I'm running into an issue with my Personal Outlook account. I get the error MailboxNotEnabledForRESTAPI - The mailbox is either inactive, soft-deleted, or is hosted on-premise. after singing in and consenting to scopes. I reached out to microsoft support and they told me this issue is on their end and that "they are working hard to resolve the issue". 
Cheers.
KevinTheJedi
Thank you very much for the reply!
Unfortunately things still doesn't work, neither with the scope you mentioned, nor the one from my endpoints (are a little bit different for azure env, they refer to graph: https://graph.microsoft.com/offline_access https://graph.microsoft.com/IMAP.AccessAsUser.All https://graph.microsoft.com/POP.AccessAsUser.All https://graph.microsoft.com/SMTP.Send)
I will check with the new plugin when ready and let you know, in the meantime if there's something I can do for you, do not hesitate to contact me.
Cheers
I'm using Azure AD and the scopes I'm using are what I mentioned above. It even says to use these scopes in their own documentation:
This is why I don't use anything MS. They are literally the worst, docs are always outdated and useless, and their support is the worst I've ever seen.
Cheers.
KevinTheJedi
Yes it's true, the msft documentation is often not up to date, even during their courses you may facing things that must be configured differently than what is written in the prodivded documentation 
Anyway this is what i find when i manually try to allow the scopes:
Hope this helps!
Cheers
I see that too but if I use the graph URLs nothing works at all. If I change to the ones I mentioned above I at least get a valid error.
Cheers.
Please send an email to support [at] osticket [dot] com explaining the issue and mention that the devs sent you. From there we can schedule a call with you to help look into MS stuff. All I have is a personal Outlook account and I have to use the outlook scope urls otherwise I get AUTHENTICATE failed (when using graph urls).
Also as I mentioned when I try to setup Modern Auth and authenticate against IMAP it says MailboxNotEnabledForRESTAPI which means MS hasn't migrated my account yet so I'm unable to test.
Cheers.
Hello @KevinTheJedi
I would like to confirm I got this to work by updating the scopes, V2.0 API and email attribute in the plugin. In fact the outlook.office365.com URLs/API had to be used instead of Graph.
class MicrosoftEmailOauth2Provider extends GenericOauth2Provider {
static $id = 'oauth2:msmail';
static $name = 'OAuth2 - Microsoft';
static $defaults = [
'urlAuthorize' => 'https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize',
'urlAccessToken' => 'https://login.microsoftonline.com/organizations/oauth2/v2.0/token',
'urlResourceOwnerDetails' => 'https://outlook.office.com/api/v2.0/me',
// scopes for offline access & mail (IMAP, POP & SMTP)
'scopes' => 'offline_access https://outlook.office.com/IMAP.AccessAsUser.All https://outlook.office.com/POP.AccessAsUser.All https://outlook.office.com/SMTP.Send',
'attr_username' => 'EmailAddress', // This was "mail" before
'attr_email' => 'EmailAddress', // This was "mail" before
'attr_givenname' => 'givenname',
'attr_surname' => 'surname',
];
static $urlOptions = [
'tenant' => 'common',
'accessType' => 'offline_access',
];
}
With the https://outlook.office.com/api/v2.0/me API the email attribute is "EmailAddress" (https://outlook.office.com/api/v2.0/$metadata)
I must admit this is really confusing by Microsoft, if you use the new Graph API/scopes at all the IMAP authentication won't work (even though you successfully get an access token, but imap auth fails with "NO AUTHENTICATION FAILED"). Yet they announced the outlook.office365.com APIs will be decommissioned in November...
Edit, related issues:
https://github.com/MicrosoftDocs/office-developer-exchange-docs/issues/87#issuecomment-628590496
https://github.com/MicrosoftDocs/office-developer-exchange-docs/issues/100#issuecomment-847845126
Hello,
I'm trying to configure the OAuth2-Microsoft plugin but I'm not sure I'm using the correct data. When I save the configuration I get the message "No input file specified." back in the browser. This is the same message when I open the reidrect URI. https://[domain]/api/auth/oauth2
Anyone have an idea what's going wrong?
Thanks in advance!
yes a microsoft exchange online account
KevinTheJedi Hi Kevin,
I think you can create a trial o365 trial account and you will have a Azure AD in the mean time.
Also you can creaate a developer account:
https://developer.microsoft.com/en-us/microsoft-365/dev-program
Exchange online. Here's my App Registration settings in Azure:
And settings in osticket:
Just a note that in the current release setting the scopes via UI does not work, also the hard coded email attribute needs to be fixed in the code: https://github.com/protich/osTicket-plugins/tree/plugins/auth-oauth2
Hi Jerer,
Thanks for your advice. I have created exactly the same app in azure but it keeps returning the message "No input file specified." when saving the oAuth2 configuration.
I only use the OAuth2 app from the osticket site. I tried to replace it with the one from github only the last step doesn't work... php -dphar.readonly=0 make.php build <plugin-folder>
I think your issue is related to the .htaccess in the api folder not working, Are you using Apache? If so do you have AllowOverride and the rewrite module enabled? https://stackoverflow.com/a/22526144
If you are using IIS/Nginx the URL rewrites needs to be configured differently (although at least Nginx isn't officially supported).
Anyway, since the plugin has couple issues with might be just better to wait for updated version. But if you want to test the fixes I posted above, you can install the plugin without building it.
Thank you Jerer.
We use Apache. In the htaccess file I see a rewrite function but no AllowOverride.
I downloaded the github version. In which folder should I put the files?
jerer
Very thank you for your input.
I've imported and compiled your modification to the attr_username and attr_email inside the last commit of Mr. Protich but the result it's always "invalid_client". I've also setted my application to allow users from all tenants (previously was only mine, but auth was working too) but without luck (same error).
Now i'm preparing a machine to debug php and try to understand what's going on down there.
Thank you and tc
