KevinTheJedi
Thank you very much for the reply!

Unfortunately things still doesn't work, neither with the scope you mentioned, nor the one from my endpoints (are a little bit different for azure env, they refer to graph: https://graph.microsoft.com/offline_access https://graph.microsoft.com/IMAP.AccessAsUser.All https://graph.microsoft.com/POP.AccessAsUser.All https://graph.microsoft.com/SMTP.Send)

I will check with the new plugin when ready and let you know, in the meantime if there's something I can do for you, do not hesitate to contact me.

Cheers

      Fin3

      I'm using Azure AD and the scopes I'm using are what I mentioned above. It even says to use these scopes in their own documentation:

      This is why I don't use anything MS. They are literally the worst, docs are always outdated and useless, and their support is the worst I've ever seen.

      Cheers.

          KevinTheJedi
          Yes it's true, the msft documentation is often not up to date, even during their courses you may facing things that must be configured differently than what is written in the prodivded documentation 🤦‍♂️

          Anyway this is what i find when i manually try to allow the scopes:

          Hope this helps!

          Cheers

              Fin3

              I see that too but if I use the graph URLs nothing works at all. If I change to the ones I mentioned above I at least get a valid error.

              Cheers.

                Fin3

                Please send an email to support [at] osticket [dot] com explaining the issue and mention that the devs sent you. From there we can schedule a call with you to help look into MS stuff. All I have is a personal Outlook account and I have to use the outlook scope urls otherwise I get AUTHENTICATE failed (when using graph urls).

                Also as I mentioned when I try to setup Modern Auth and authenticate against IMAP it says MailboxNotEnabledForRESTAPI which means MS hasn't migrated my account yet so I'm unable to test.

                Cheers.

                  Hello @KevinTheJedi

                  I would like to confirm I got this to work by updating the scopes, V2.0 API and email attribute in the plugin. In fact the outlook.office365.com URLs/API had to be used instead of Graph.

                  class MicrosoftEmailOauth2Provider extends GenericOauth2Provider {
                  static $id = 'oauth2:msmail';
                  static $name = 'OAuth2 - Microsoft';
                  static $defaults = [
                  'urlAuthorize' => 'https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize',
                  'urlAccessToken' => 'https://login.microsoftonline.com/organizations/oauth2/v2.0/token',
                  'urlResourceOwnerDetails' => 'https://outlook.office.com/api/v2.0/me',
                  // scopes for offline access & mail (IMAP, POP & SMTP)
                  'scopes' => 'offline_access https://outlook.office.com/IMAP.AccessAsUser.All https://outlook.office.com/POP.AccessAsUser.All https://outlook.office.com/SMTP.Send',
                  'attr_username' => 'EmailAddress', // This was "mail" before
                  'attr_email' => 'EmailAddress', // This was "mail" before
                  'attr_givenname' => 'givenname',
                  'attr_surname' => 'surname',
                  ];
                  static $urlOptions = [
                  'tenant' => 'common',
                  'accessType' => 'offline_access',
                  ];
                  }

                  With the https://outlook.office.com/api/v2.0/me API the email attribute is "EmailAddress" (https://outlook.office.com/api/v2.0/$metadata)

                  I must admit this is really confusing by Microsoft, if you use the new Graph API/scopes at all the IMAP authentication won't work (even though you successfully get an access token, but imap auth fails with "NO AUTHENTICATION FAILED"). Yet they announced the outlook.office365.com APIs will be decommissioned in November...

                  Edit, related issues:
                  https://github.com/MicrosoftDocs/office-developer-exchange-docs/issues/87#issuecomment-628590496
                  https://github.com/MicrosoftDocs/office-developer-exchange-docs/issues/100#issuecomment-847845126

                  • Fin3 replied to this.

                    Hello,

                    I'm trying to configure the OAuth2-Microsoft plugin but I'm not sure I'm using the correct data. When I save the configuration I get the message "No input file specified." back in the browser. This is the same message when I open the reidrect URI. https://[domain]/api/auth/oauth2

                    Anyone have an idea what's going wrong?

                    Thanks in advance!

                    jerer
                    What kind of microsoft account are u using? Microsoft or Exchange online?

                        Hi Jerer,

                        Thanks for your advice. I have created exactly the same app in azure but it keeps returning the message "No input file specified." when saving the oAuth2 configuration.

                        I only use the OAuth2 app from the osticket site. I tried to replace it with the one from github only the last step doesn't work... php -dphar.readonly=0 make.php build <plugin-folder>

                          patricksmithosticket

                          I think your issue is related to the .htaccess in the api folder not working, Are you using Apache? If so do you have AllowOverride and the rewrite module enabled? https://stackoverflow.com/a/22526144

                          If you are using IIS/Nginx the URL rewrites needs to be configured differently (although at least Nginx isn't officially supported).

                          Anyway, since the plugin has couple issues with might be just better to wait for updated version. But if you want to test the fixes I posted above, you can install the plugin without building it.

                            Thank you Jerer.

                            We use Apache. In the htaccess file I see a rewrite function but no AllowOverride.

                            I downloaded the github version. In which folder should I put the files?

                              jerer
                              Very thank you for your input.
                              I've imported and compiled your modification to the attr_username and attr_email inside the last commit of Mr. Protich but the result it's always "invalid_client". I've also setted my application to allow users from all tenants (previously was only mine, but auth was working too) but without luck (same error).
                              Now i'm preparing a machine to debug php and try to understand what's going on down there.

                              Thank you and tc

                                  patricksmithosticket

                                  The "AllowOverride all" needs to be configured in Apache config, not in the .htaccess file. I think you should start a new thread if you still have issues with the redirect URI.

                                  You put the files in "/include/plugins/" folder. From there you can install them directly without building (tho you still have to run php make.php hydrate).

                                  Fin3
                                  Not sure what is causing invalid_client error in your case, one way I could replicate this is having the redirect URI incorrect in Azure. Make sure it doesn't have any trailing /'s in Azure, it has to match exactly what is configured in osTicket.

                                  • Fin3 replied to this.

                                        jerer
                                        I suppose that return uri is ok, i've tried with /osticket/ as per your installation and it return on a 404 page, so i removed it and still go to invelid_client.
                                        I've quite finished to build up a develop machine, i'll let you know!

                                        Thank you

                                          Thank you Jerer, I have installed the plugin, but still have issues with the redirect URL. Is the conclusion correct that the Azure app and the data in the OAuth2 configuration are correct, but that the feedback to OSticket (on the redirect URL) goes wrong?

                                          I will open a new thread for issues with the redirect URL

                                            patricksmithosticket

                                            This issue is definitely related to AllowOverride module in Apache. You need to go to your sites-available file for the osTicket site or the main httpd.conf and change the AllowOverride module to All.

                                            Cheers.

                                              @jerer

                                              Yes, I was able to confirm we need to use outlook scope URLs, the v2.0 Resource Owner Endpoint, but the attribute is in fact mail. You just need to go to the User in Azure AD, edit the User, and add their email to the Contact Information Form Email Address field. They really need to get their stuff together man. I guess this is what they mean by Microsoft Hell.

                                              Cheers.