I see that too but if I use the graph URLs nothing works at all. If I change to the ones I mentioned above I at least get a valid error.
Cheers.
Please send an email to support [at] osticket [dot] com explaining the issue and mention that the devs sent you. From there we can schedule a call with you to help look into MS stuff. All I have is a personal Outlook account and I have to use the outlook scope urls otherwise I get AUTHENTICATE failed (when using graph urls).
Also as I mentioned when I try to setup Modern Auth and authenticate against IMAP it says MailboxNotEnabledForRESTAPI which means MS hasn't migrated my account yet so I'm unable to test.
Cheers.
Hello @KevinTheJedi
I would like to confirm I got this to work by updating the scopes, V2.0 API and email attribute in the plugin. In fact the outlook.office365.com URLs/API had to be used instead of Graph.
class MicrosoftEmailOauth2Provider extends GenericOauth2Provider {
    static $id = 'oauth2:msmail';
    static $name = 'OAuth2 - Microsoft';
    static $defaults = [
        'urlAuthorize' => 'https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize',
        'urlAccessToken' => 'https://login.microsoftonline.com/organizations/oauth2/v2.0/token',
        'urlResourceOwnerDetails' => 'https://outlook.office.com/api/v2.0/me',
        // scopes for offline access & mail (IMAP, POP & SMTP)
        'scopes' => 'offline_access https://outlook.office.com/IMAP.AccessAsUser.All https://outlook.office.com/POP.AccessAsUser.All https://outlook.office.com/SMTP.Send',
        'attr_username' => 'EmailAddress', // This was "mail" before
        'attr_email' => 'EmailAddress', // This was "mail" before
        'attr_givenname' => 'givenname',
        'attr_surname' => 'surname',
    ];
    static $urlOptions = [
        'tenant' => 'common',
        'accessType' => 'offline_access',
    ];
}
With the https://outlook.office.com/api/v2.0/me API the email attribute is "EmailAddress" (https://outlook.office.com/api/v2.0/$metadata)
I must admit this is really confusing by Microsoft, if you use the new Graph API/scopes at all the IMAP authentication won't work (even though you successfully get an access token, but imap auth fails with "NO AUTHENTICATION FAILED"). Yet they announced the outlook.office365.com APIs will be decommissioned in November...
Edit, related issues:
https://github.com/MicrosoftDocs/office-developer-exchange-docs/issues/87#issuecomment-628590496
https://github.com/MicrosoftDocs/office-developer-exchange-docs/issues/100#issuecomment-847845126
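The post above boils down to two checks a defender can make before blaming osTicket: the access token must have been issued for the Outlook mail resource (Graph-scoped tokens are rejected by IMAP), and the IMAP login must carry that token in the XOAUTH2 SASL format. The following is an added example, not code from osTicket or its plugin; the two tokens are constructed, unsigned JWT-shaped strings whose claims mimic what Azure AD issues for the outlook.office.com scopes, and the accepted audience values are an assumption.

```python
import base64
import json

OUTLOOK_AUDIENCES = ("https://outlook.office.com", "https://outlook.office365.com")  # assumption


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _fake_jwt(payload: dict) -> str:
    # Constructed, unsigned token for offline diagnostics only; no server accepts it.
    return ".".join([_b64url(b'{"alg":"none"}'), _b64url(json.dumps(payload).encode()), ""])


# Token obtained with the outlook.office.com scopes from the post (constructed sample).
OUTLOOK_TOKEN = _fake_jwt({"aud": "https://outlook.office.com",
                           "scp": "IMAP.AccessAsUser.All POP.AccessAsUser.All SMTP.Send",
                           "upn": "agent@example.com"})
# Token obtained with Graph scopes instead (constructed sample): IMAP says NO AUTHENTICATE failed.
GRAPH_TOKEN = _fake_jwt({"aud": "https://graph.microsoft.com", "scp": "Mail.Read User.Read"})


def jwt_claims(token: str) -> dict:
    """Decode the payload segment of a JWT without verifying the signature (diagnostics only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_fits_imap(token: str, required_scope: str = "IMAP.AccessAsUser.All") -> tuple:
    """Return (ok, reason): is this token one the Outlook IMAP server will accept?"""
    claims = jwt_claims(token)
    aud = claims.get("aud", "")
    if aud not in OUTLOOK_AUDIENCES:
        return False, f"audience {aud!r} is not the Outlook mail resource; Graph-scoped token?"
    scopes = claims.get("scp", "").split()
    if required_scope not in scopes:
        return False, f"{required_scope} not in scp {scopes}"
    return True, "ok"


def xoauth2_initial_response(user: str, access_token: str) -> str:
    """Build the base64 SASL XOAUTH2 string sent with 'AUTHENTICATE XOAUTH2' on IMAP."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01".encode()
    return base64.b64encode(raw).decode()
```

Run `token_fits_imap` on the token the plugin stored before opening the mailbox: a failure here explains the IMAP error without any network round trip.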
Hello,
I'm trying to configure the OAuth2-Microsoft plugin but I'm not sure I'm using the correct data. When I save the configuration I get the message "No input file specified." back in the browser. This is the same message when I open the redirect URI. https://[domain]/api/auth/oauth2
Anyone have an idea what's going wrong?
Thanks in advance!
yes a microsoft exchange online account
KevinTheJedi Hi Kevin,
I think you can create an O365 trial account and you will have an Azure AD in the meantime.
Also you can create a developer account:
https://developer.microsoft.com/en-us/microsoft-365/dev-program
Exchange online. Here's my App Registration settings in Azure:
And settings in osticket:
Just a note that in the current release setting the scopes via UI does not work, also the hard coded email attribute needs to be fixed in the code: https://github.com/protich/osTicket-plugins/tree/plugins/auth-oauth2
Hi Jerer,
Thanks for your advice. I have created exactly the same app in azure but it keeps returning the message "No input file specified." when saving the oAuth2 configuration.
I only use the OAuth2 app from the osticket site. I tried to replace it with the one from github only the last step doesn't work... php -dphar.readonly=0 make.php build <plugin-folder>
I think your issue is related to the .htaccess in the api folder not working, Are you using Apache? If so do you have AllowOverride and the rewrite module enabled? https://stackoverflow.com/a/22526144
If you are using IIS/Nginx the URL rewrites needs to be configured differently (although at least Nginx isn't officially supported).
Anyway, since the plugin has a couple of issues, it might be just better to wait for the updated version. But if you want to test the fixes I posted above, you can install the plugin without building it.
Thank you Jerer.
We use Apache. In the htaccess file I see a rewrite function but no AllowOverride.
I downloaded the github version. In which folder should I put the files?
jerer
Thank you very much for your input.
I've imported and compiled your modification to the attr_username and attr_email inside the last commit of Mr. Protich but the result is always "invalid_client". I've also set my application to allow users from all tenants (previously it was only mine, but auth was working too) but without luck (same error).
Now I'm preparing a machine to debug PHP and try to understand what's going on down there.
Thank you and tc
The "AllowOverride all" needs to be configured in Apache config, not in the .htaccess file. I think you should start a new thread if you still have issues with the redirect URI.
You put the files in the "/include/plugins/" folder. From there you can install them directly without building (though you still have to run php make.php hydrate).
Fin3
Not sure what is causing the invalid_client error in your case; one way I could replicate this is having the redirect URI incorrect in Azure. Make sure it doesn't have any trailing /'s in Azure, it has to match exactly what is configured in osTicket.
Thank you Jerer, I have installed the plugin, but still have issues with the redirect URL. Is the conclusion correct that the Azure app and the data in the OAuth2 configuration are correct, but that the feedback to OSticket (on the redirect URL) goes wrong?
I will open a new thread for issues with the redirect URL
This issue is definitely related to AllowOverride module in Apache. You need to go to your sites-available file for the osTicket site or the main httpd.conf and change the AllowOverride module to All.
Cheers.
Yes, I was able to confirm we need to use outlook scope URLs, the v2.0 Resource Owner Endpoint, but the attribute is in fact mail. You just need to go to the User in Azure AD, edit the User, and add their email to the Contact Information Form Email Address field. They really need to get their stuff together man. I guess this is what they mean by Microsoft Hell.
Cheers.
Thank you Kevin. Do i have to change the AllowOverride none to AllowOverride All in the /etc/apache2/apache2.conf file?
<Directory /var/www/>
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>
Were you able to successfully test fetching? My account is still not migrated so I cannot test IMAP/POP nor SMTP yet (unless I make a new trial account).
Cheers.