No refresh token OAuth 2

Moderator: crythias

alanlopez
Znuny newbie
Posts: 4
Joined: 15 Mar 2022, 18:28
Znuny Version: 6.3
Real Name: Alan Lopez

Post by alanlopez »

I have installed Znuny 6.3.1 to perform connection tests with OAuth 2 from a Google Workspace account. I have carried out the process to obtain the credentials (client id and secret id). When entering them in the OAuth Manager, I can log in with no problem, and when I enter the mail manager and add the account with the OAuth Token configuration it works without problems; I can recover the mails of my account.

The problem is that the Google login token lasts only one hour and then you have to manually log in again with Google, which is not efficient. I have read in the Google documentation that you must obtain a refresh token and an access token so that the application can perform the refresh process automatically. I have managed to get the refresh token and an access token; however, I cannot identify where I can add them within the Znuny configurations. I understood that Znuny itself did this process; however, in the OAuth administrator the legend "No refresh token was requested yet" appears, which makes me think that the refresh token must be configured. However, I have not found information about it in case it has to be configured manually. I hope someone can help me with this problem.

This error appears in the log: "Refresh token for token config with ID 2 has expired or is not present. Token must be retrieved manually via authorization code."
Alan Lopez :)
root
Administrator
Posts: 3934
Joined: 18 Dec 2007, 12:23
Znuny Version: Znuny and Znuny LTS
Real Name: Roy Kaldung
Company: Znuny
Contact:

Re: No refresh token OAuth 2

Post by root »

Hi Alan,

I just tried it with a new (sub)domain and it looks like this:
OAuth G Workspace.png
Can you share the summary of your OAuth consent screen (with personal data deleted)?

- Roy
Znuny and Znuny LTS running on CentOS / RHEL / Debian / SLES / MySQL / PostgreSQL / Oracle / OpenLDAP / Active Directory / SSO

Use a test system - always.

Do you need professional services? Check out https://www.znuny.com/

Do you want to contribute or want to know where it goes ?

Post by alanlopez »

Thanks for the reply, Roy,

Here is the screenshot.

Thanks

Post by root »

Hi Alan,

Thank you for reporting. We have an issue (with a workaround) created, the fix is wip.

https://github.com/znuny/Znuny/issues/230

- Roy

Post by alanlopez »

Thank you Roy,

I followed the GitHub instructions, created a new client id and secret id, replaced them, and it worked.

Regards
WernerM
Znuny newbie
Posts: 10
Joined: 16 Aug 2022, 15:38
Znuny Version: 6.3
Real Name: Werner Murnau

Post by WernerM »

I have the same error message but with Outlook365. The GitHub instructions are specific to Google:

"This issue could only be confirmed for Google Mail / Google Workspace OAuth"

Is there a different way to fix this in Outlook365? I just want to confirm before I ask our admins to recreate the API.

Thanks

Post by root »

WernerM wrote: 01 Sep 2022, 15:38
Is there a different way to fix this in Outlook365? I just want to confirm before I ask our admins to recreate the API

Hi,

This depends. Do you still use 6.3.1? Then you should have the App recreated.

- Roy

Post by WernerM »

Thanks for this quick reply!

We will upgrade to 6.4 and try again.

Post by root »

WernerM wrote: 02 Sep 2022, 11:31
Thanks for this quick reply!

We will upgrade to 6.4 and try again.

Hi,

Just to be clear. Upgrading won't fix a broken record, do not expect the token to work.

- Roy

Post by WernerM »

ok, too bad...but now we are upgrading already. Do we have to recreate the API or only the token configuration?

Post by root »

WernerM wrote: 02 Sep 2022, 12:13
ok, too bad...but now we are upgrading already. Do we have to recreate the API or only the token configuration?

Hi,

I would export the token, delete and import it again. If this does not work, create new credentials for the app at the Azure portal.

- Roy

Post by WernerM »

Upgrade is not finished yet so I have to work with 6.3 in the meantime.

When I click on "request new token" a popup redirects me to the login page and just stays there without any message. I also cannot find anything in system log. How can I do this on command line with debug option? I am looking for something to convince our Outlook admins to recreate the API....

Post by root »

root wrote: 02 Sep 2022, 14:33
I would export the token, delete and import it again. If this does not work, create new credentials for the app at the Azure portal.

Hi,

Have you tried what I recommended?

- Roy

Post by WernerM »

root wrote: 05 Sep 2022, 18:57
root wrote: 02 Sep 2022, 14:33
I would export the token, delete and import it again. If this does not work, create new credentials for the app at the Azure portal.
Hi,

Have you tried what I recommended?
- Roy

Hi Roy,

partially, only export, delete and import. Our admins are not happy about recreating the API, that's why I am looking for a proof that this is needed and hoped to be able to find it with some debug options since I don't see any related messages in otrs.log

Post by root »

WernerM wrote: 05 Sep 2022, 19:03
partially, only export, delete and import. Our admins are not happy about recreating the API, that's why I am looking for a proof that this is needed and hoped to be able to find it with some debug options since I don't see any related messages in otrs.log

Well,

What is your exact error message? I doubt that for a new imported token configuration the screen keeps blank when requesting the refresh token.
If this really is the case there must be something in the Apache error_log.

- Roy

Post by WernerM »

root wrote: 05 Sep 2022, 19:20
Well,

What is your exact error message? I doubt that for a new imported token configuration the screen keeps blank when requesting the refresh token.
If this really is the case there must be something in the Apache error_log.

- Roy

Found this in httpd logs:

[05/Sep/2022:20:34:35 +0200] 10.244.144.140 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "GET /noc/tts-images/js/js-cache/ModuleJS_9292602303dda85bffe667fc722199c1.js HTTP/1.1" 506
[05/Sep/2022:20:34:42 +0200] 10.244.144.140 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "GET /noc/tts/get-oauth2-token-by-authorization-code.pl?code=0.AS8A2JH_......... HTTP/1.1" 4539
[05/Sep/2022:20:34:43 +0200] 10.244.144.140 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "GET /noc/tts-images/skins/Agent/default/css/thirdparty/ui-theme/jquery-ui.css HTTP/1.1" 4062
[05/Sep/2022:20:34:44 +0200] 10.244.144.140 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "POST /noc/tts/get-oauth2-token-by-authorization-code.pl HTTP/1.1" 4539
[05/Sep/2022:20:35:03 +0200] 10.244.144.140 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "-" -

Post by root »

Hi,

This is your SSL access log, not an error log.

Let's try again:
1.) Does the window stay blank when you request a new token?
2.) And, more important when I see your access log: do the system configuration settings HttpType, FQDN, and ScriptAlias match your URL?

- Roy

Post by WernerM »

last message in my httpd error_log is the startup message.

1.) when I click on "request new token"
  • a popup appears with the logon screen and URL consisting of
<HttpType>://<FQDN>/<ScriptAlias>/get-oauth2-token-by-authorization-code.pl?code=0.AS..........&state=TokenConfigID33&session_state=....
  • after login with my credentials the same screen appears again (or the old one stays), only difference is the shorter URL
<HttpType>://<FQDN>/<ScriptAlias>/get-oauth2-token-by-authorization-code.pl

2.) yes, they do. HttpType is https and the rest also matches the URL I see when requesting the token

any help is much appreciated

thanks
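
The check discussed above (whether HttpType, FQDN and ScriptAlias match the callback URL seen in the popup), as an added example that is not part of the thread or of Znuny's code. The hostname and URLs are constructed, and the `TokenConfigID<number>` state format is assumed from the single URL quoted in the post.

```python
from urllib.parse import urlsplit, parse_qs

# Callback script name as it appears in the URLs quoted in the thread.
CALLBACK_SCRIPT = "get-oauth2-token-by-authorization-code.pl"
STATE_PREFIX = "TokenConfigID"  # assumed from "state=TokenConfigID33" in the post


def expected_redirect_uri(http_type, fqdn, script_alias):
    """Build <HttpType>://<FQDN>/<ScriptAlias>/<callback script>."""
    alias = script_alias.strip("/")  # tolerate "noc/tts/" and "/noc/tts"
    path = f"/{alias}/{CALLBACK_SCRIPT}" if alias else f"/{CALLBACK_SCRIPT}"
    return f"{http_type.lower()}://{fqdn.lower()}{path}"


def check_callback(observed_url, http_type, fqdn, script_alias):
    """Compare the URL seen in the popup with the system configuration.

    Returns a list of findings; an empty list means the URL is consistent.
    Ports are ignored; only scheme, host name and path are compared.
    """
    findings = []
    want = urlsplit(expected_redirect_uri(http_type, fqdn, script_alias))
    got = urlsplit(observed_url)
    if got.scheme.lower() != want.scheme:
        findings.append(f"scheme {got.scheme!r} does not match HttpType {want.scheme!r}")
    if (got.hostname or "") != want.hostname:
        findings.append(f"host {got.hostname!r} does not match FQDN {want.hostname!r}")
    if got.path != want.path:
        findings.append(f"path {got.path!r} does not match expected {want.path!r}")

    query = parse_qs(got.query)
    if "error" in query:
        findings.append(f"provider returned error {query['error'][0]!r}")
    elif "code" not in query:
        findings.append("no authorization code in the query string")
    state = query.get("state", [""])[0]
    if not (state.startswith(STATE_PREFIX) and state[len(STATE_PREFIX):].isdigit()):
        findings.append(f"state {state!r} does not name a token configuration")
    return findings


# Constructed sample URLs modelled on the two URLs described in the post.
LONG_URL = ("https://znuny.example.com/noc/tts/" + CALLBACK_SCRIPT
            + "?code=CONSTRUCTED&state=TokenConfigID33&session_state=CONSTRUCTED")
SHORT_URL = "https://znuny.example.com/noc/tts/" + CALLBACK_SCRIPT

if __name__ == "__main__":
    for url in (LONG_URL, SHORT_URL):
        print(url, "->", check_callback(url, "https", "znuny.example.com", "noc/tts/") or "consistent")
```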

Post by root »

Hi,


Well, now we're getting along. The first problem is that you see the Znuny login, it should be the Microsoft login instead. Please set the LogLevel to debug and check after another try why your session is not detected in the popup. Have you tried another browser, disabled adblockers, etc.?

- Roy

Post by WernerM »

Hi,
The problem might be related to the fact that we are using SSO with Microsoft and our company accounts. I will try to play around with the logins and provide debug info if this doesn’t help.


Thanks again for the quick turnaround

Post by WernerM »

Hi,

when I log off Azure before I start to request the token it indeed leads me to the MS login page. After logging in I have the same situation as before: Znuny login screen appears with the long URL and afterwards again with the short one.

unfortunately I see no messages in otrs.log despite loglevel debug. But when I try to fetch mails I see some entries in otrs.log e.g. "OAuth2 token could not be retrieved."

What can be wrong with my log settings? I shall at least see something, I think, while trying to fetch the token.

Thanks