Feedback OAUTH2 for Microsoft 365 and Google Workspaces

johnny

The latest release now supports OAUTH2 for Microsoft365 and Google Workspace Mail, we need tester feedback.

make sure to switch from

scripts/cronmailqueue.phptocron/mailqueue.php

***and ***

scripts/cronmailparser.php **to **cron/mailparser.php

in your cron

wrongecho

We probably need some docs on how to configure the app registration & whatever Googles equivalent is.

itmunky

When selecting Microsoft 365 (OAuth) from Admin > Settings > Mail … should it show relevant fields for client ID, tenant ID, app secret etc?

As mine does not, only shows IMAP username;

wrongecho

Johnny… the fields for client id, tenant and secret did make it into master, right?…

johnny

Yes, but you have to select Microsoft 365 for both smtp and imap then the OAUTH Settings will appear

itmunky

johnny

Ah! i see. I was only changing the monitoring ticket inbox settings was going to leave sending email as standard smtp while testing.

I can now see the fields after changing the SMTP option also.

I am assuming we fetch the refresh token by running the getoauthtoken.php from the browser? I attempted to do so and get a http 500 error.

johnny

I see your trying to get the refresh token directly via /plugins/PHPMailer/getoauthtoken.php

the initial refresh token should be acquired in the the Microsoft 365 Portal.

When cron mailer run it will refresh the token once expired I believe hourly so you dont have to generate another secret OAUTH key

itmunky

johnny

Thanks for the clarification. Could you provide the specific steps for obtaining the refresh token from the Microsoft 365 Portal? I'm not familiar with this method and can't find documentation on how Microsoft 365 admin portals provide OAuth2 refresh tokens directly.

Also, is the get_oauth_token.php script unnecessary with your recommended approach?

Bigbug

johnny how does one set this up with google workspace?

johnny

I'm not quite sure how to get the refresh token either, but maybe the get_oauth_token.php is necessary?

Let me know if you do figure out how to get the initial Refresh token in Microsoft 365 Admin Portal.

Im going to see if I can get the get_oauth_token.php to work.

itmunky

Successfully got the refresh token using the get_oauth_token.php script. The issue was missing OAuth2 client library dependencies causing a 500 error.

Solution steps:

Fixed dependencies - The script needed league/oauth2-google, stevenmaguire/oauth2-microsoft, and greew/oauth2-azure-provider. Installed by creating a temporary composer project and copying the vendor folder to /plugins/PHPMailer/vendor/
Azure app configuration - Set up app registration with proper redirect URI (https://domain.com/plugins/PHPMailer/get_oauth_token.php) and API permissions (Mail.Read, Mail.Send, IMAP.AccessAsUser.All, SMTP.Send)
Used "Azure" provider - In the script form, selected "Azure" (not "Microsoft") as the provider type for Microsoft 365
Standard OAuth2 flow - Entered Client ID, Secret, and Tenant ID, completed browser consent, received refresh token

Current status:

IMAP parsing: Working - Test email to support created ticket automatically
SMTP sending: Not working - Investigating OAuth2 SMTP authentication issues

Updated cron jobs to new paths as specified. Will update once SMTP sending is resolved.

johnny

Oh wow nice work!

Let me know what you find with SMTP

itmunky

You'll have to excuse the summary from Claude

Status Update: OAuth2 is functional for both IMAP and SMTP, but there's a bug preventing ticket reply emails. I am not yet sure if any other email sending functions are impacted as i have not tested yet.

Complete OAuth2 Setup Process

1. Azure App Registration

Go to Azure Portal → Azure Active Directory → App registrations
Create new registration:
- Name: ITFlow Email Integration
- Supported account types: Accounts in this organizational directory only
- Redirect URI: Web - https://yourdomain.com/plugins/PHPMailer/get_oauth_token.php
Note Client ID, Client Secret, and Tenant ID
API Permissions (delegated):
- Microsoft Graph: Mail.Read, Mail.Send
- Office 365 Exchange Online: IMAP.AccessAsUser.All, SMTP.Send
Grant admin consent

2. Fixing get_oauth_token.php Dependencies The script fails with 500 error due to missing OAuth2 client libraries:

bash

Create temp composer project to avoid conflicts

mkdir -p /tmp/oauth_deps && cd /tmp/oauth_deps
composer init --no-interaction --name="temp/oauth"
composer require league/oauth2-google stevenmaguire/oauth2-microsoft greew/oauth2-azure-provider

Copy to PHPMailer directory where the script expects them

cp -r vendor /var/www/yourdomain.com/plugins/PHPMailer/
chown -R www-data:www-data /var/www/yourdomain.com/plugins/PHPMailer/vendor/
$$

3. Generate Refresh Token

Access: https://yourdomain.com/plugins/PHPMailer/get_oauth_token.php
Select "Azure" as provider (not "Microsoft")
Enter Client ID, Secret, Tenant ID
Complete OAuth flow with the licensed mailbox account (not shared mailbox)
Copy the refresh token

4. Configure ITFlow

Settings → Mail Settings
Set both IMAP Provider and SMTP Provider to "Microsoft 365 (OAuth)"
IMAP Username: full email address
Fill OAuth fields with Azure app details and refresh token

Current Status

✅ IMAP email parsing: Working perfectly
✅ New ticket auto-reply emails: Working perfectly
❌ Ticket reply/update emails: Not working

Root Cause Analysis

The issue is that ticket reply emails aren't being queued at all due to a critical bug in the OAuth2 implementation.

The Problem: In ticket.php, the email generation logic has this check:

php

$$
if ($ticket_reply_type == 'Public' && $send_email == 1 && !empty($config_smtp_host)) {
$$

However, when using OAuth2, config_smtp_host is empty in the database:

sql

$$
SELECT config_smtp_host, config_smtp_provider FROM settings WHERE company_id = 1;
+------------------+----------------------+
| config_smtp_host | config_smtp_provider |
+------------------+----------------------+
| | microsoft_oauth |
+------------------+----------------------+
$$

Why New Ticket Emails Work vs Reply Emails Don't:

New ticket emails (add_ticket handler) only check: !empty($config_smtp_host) && $config_ticket_client_general_notifications == 1
Mail queue (mail_queue.php) automatically sets defaults for OAuth:

php

$$
if ($provider === 'microsoft_oauth') {
if (!$host) $host = 'smtp.office365.com';
$$

Ticket reply emails check !empty($config_smtp_host) before reaching the mail queue, so they never get queued

Recommendations for Fix

The OAuth2 implementation should automatically populate SMTP/IMAP host settings when a provider is selected, or the ticket reply logic should be updated to handle empty config_smtp_host when OAuth providers are configured.

Is it possible to have SMTP options separate to IMAP? This would allow the ticket email parser to still function with OAuth whilst having a dedicated SMTP server for sending until the bugs are ironed out.

johnny

it is in /cron not /scripts

Bigbug

johnny yea… i realized i'm stupid… that's why i deleted my post.. haha

digibandit

Bigbug Indeed, how?!? Also, what is this? Also, also, I volunteer to be tribute for testing if you tell me what to do!

itmunky

Sorry I am not familiar with google workspace but I imagine once you get the equivalent of "enterprise Applications" in 365 set up in google workspace the rest of the process is probably much the same.

Note as mentioned above the ticket parsing worked ok, however sending has a few bugs at the moment, which will impact both M365 and Workspace so be warned of them.