Add full Microsoft 365 and Google OAuth mail support #1261
johnnyq merged 14 commits into itflow-org:develop from
- Added web-based Microsoft OAuth onboarding UI in Mail settings, including a Connect Microsoft 365 button and auto-generated callback URI display. - Added Test OAuth Token Refresh UI section. - Updated visibility logic so Test Email Sending and Test IMAP Connection show correctly for OAuth-based configs (not only host/password configs).
- Added handler to start Microsoft OAuth Authorization Code flow (oauth_connect_microsoft_mail) with state generation/validation prep. - Added handler to test OAuth token refresh from admin UI and persist refreshed tokens/expiry. - Updated IMAP test handler to support OAuth token refresh + XOAUTH2 authentication (in addition to legacy LOGIN).
- New callback endpoint to complete Microsoft OAuth web flow. - Validates admin session + OAuth state, exchanges authorization code for tokens, stores refresh/access tokens and expiry, and redirects with success/error feedback.
- Added OAuth token lifecycle helpers (expiry check, refresh, persistence). - Updated SMTP XOAUTH2 send path to automatically refresh expired/missing access tokens for Microsoft/Google providers before sending queued mail.
- Fixed email queue gating for OAuth SMTP setups by treating configured config_smtp_provider as mail-enabled, even when config_smtp_host is blank. - Restores queueing for public ticket reply emails (including “Public Comment & Email”) and related ticket notification paths.
- Added null-safe guard around folder path logging during message move failure to prevent property_exists() fatal when folder object is null.
Hello & Welcome! :)
Thanks for taking the time to help improve ITFlow. We're excited to review your contributions - we'll review this PR as soon as we can!
Whilst you're waiting, please feel free to check out the forum.
Just so you know, all contributions to ITFlow are licensed under the GNU GPL. By contributing you grant us a perpetual & irrevocable license to include your work in ITFlow.
I should say, it goes without saying that if this PR is approved, I will update the wiki page/create a new one as required to add full instructions on how to set this up, but it's very simple!
Hi @cs2000, your PR looks good overall, just a couple of things: The updates to agent/ticket.php, mail_queue.php, and ticket_email_parser.php don't reflect the recent changes we've made. Could you please bring your branch up to date and merge your changes into the latest develop branch? Other than that, great work. Hopefully we can squeeze this into Friday's release.
Yeah, my bad, I made changes based off of my installed version, will grab the latest changes from your dev branch and merge my changes into it.
My bad, my changes were made previously using my installed version and not the latest changes in the dev branch. I have pulled the dev branch and merged my changes with the latest codebase.
@johnnyq current development-branch updates, and the new OAuth compatibility / queue / parser stability changes. I also re-tested after merging:
I'm just reviewing the suggestions from SonarCloud and making any adjustments that are reasonable, will update the PR shortly with these changes. It's nothing major, mostly just neatness :)
Rename multiple functions to conform to project naming rules (^[a-z][a-zA-Z0-9]*$). This is a non-functional refactor for style/CI compliance and consistency.
Removed two instances of unnecessary double parentheses.
Defined a constant $settings_mail_path at the top of the file instead of duplicating "/admin/settings_mail.php" in the code multiple times.
Define a constant "MICROSOFT_OAUTH_BASE_URL" instead of duplicating "https://login.microsoftonline.com/" multiple times in the same file.
Remove duplicates of https://login.microsoftonline.com/ and make them use a constant.
OK @johnnyq, all changes made, code has been retested locally and everything is still functional. The changes were all just neatness related really anyway, nothing which would affect functionality. The only change I didn't adopt is admin/post/settings_mail.php, where SonarCloud was suggesting to "Define and throw a dedicated exception instead of using a generic one". I didn't adopt it as I feel for this file a generic Exception is acceptable, because the handler immediately converts errors to flash_alert and redirects. A dedicated exception type is only worth it if we want different handling paths (e.g., OAuth config errors vs network errors vs IMAP auth errors). Anyway, the PR should now be good for you to merge! I've been using this code for 48 hours now in a production environment with no issues to speak of.
It looks much better. Another thing I noticed is mysqli_fetch_array( should be mysqli_fetch_assoc( now, for way better performance and memory handling.
All the changes we made to agent/ticket.php will be overwritten. One of the many examples is we updated many UI elements and did some more phone number formatting.
Urgh, did I again use the wrong file? Let me check and get back to you ASAP, and fix that mysqli_fetch_array issue too!
Accidentally committed an older file.
Well, slightly embarrassing, sorry. I made changes to agent/post/ticket.php and NOT agent/ticket.php, so have reverted agent/ticket.php to the one in your dev branch, which also means no mysqli_fetch_array( to fix. Hopefully this is right this time! The only visual changes I made were on the Settings > Mail page, nothing on the actual tickets page; everything else was backend. So yeah, sorry, I uploaded an older version of the file, all fixed now.
Ah gotchya. Looking good, we'll keep reviewing and just maybe we can squeeze this in for tomorrow's release.
No worries, hopefully it can be squeezed in! I have another ticket/email handling change almost ready to go, but couldn't progress on it until I was sure this was going to be accepted, as it relies on this modified codebase. Any questions in the meantime, just ask, and as mentioned I will update the wiki once this is live. Should hopefully make a lot of people happy!
Awesome, I'm gonna reel this one in for further testing.
MAN!! you make me drool 🤤 are you active on the forum by any chance? |
Either way, glad you're excited for this change. My ex-employers were heavy users of IT Glue, but wow is it expensive. My new employer wanted similar functionality so I found ITFlow; honestly it's amazing for a free product. This (OAuth email support) was the biggest missing feature. Glad I could finish off the work that was started! Looking forward to seeing the code in the next release, and then I'll complete work on the email handling side of things. It's nothing fancy, but will allow you to specify what happens to emails after a ticket is created using it (do nothing, move to a folder or delete). But it's an important change for a busy helpdesk!
Overview
This PR improves (or actually, finishes) Microsoft 365 OAuth mail support in ITFlow by adding an in-app web authorization flow and fixing OAuth-related mail gating issues that prevented some emails from being queued/sent.
What Changed
1) New web-based Microsoft OAuth connect flow
- config_mail_oauth_refresh_token
- config_mail_oauth_access_token
- config_mail_oauth_access_token_expires_at
- microsoft_oauth on successful connect.
2) OAuth token refresh test in UI
3) Mail queue OAuth reliability
- cron/mail_queue.php to refresh expired OAuth access tokens and persist refreshed tokens.
4) IMAP test supports OAuth auth flow
5) Ticket reply queueing fix for OAuth SMTP
- agent/post/ticket.php, where email queueing was blocked by config_smtp_host checks.
Bug Fixes Included
- property_exists() calls against null target folder objects.
Setup Guide (Microsoft 365 OAuth)
In Entra App Registration:
- Redirect URI: https://<your-itflow-domain>/admin/oauth_microsoft_mail_callback.php
- Scopes: offline_access, openid, profile, https://outlook.office.com/IMAP.AccessAsUser.All, https://outlook.office.com/SMTP.Send
In ITFlow (Admin > Settings > Mail):
- Microsoft 365 (OAuth).
Validation:
- cron/mail_queue.php
- cron/ticket_email_parser.php
Notes
Works for Google OAuth too:
- mail_queue.php - token refresh/send logic supports both 'google_oauth' and 'microsoft_oauth'.
- IMAP OAuth test path in settings_mail.php supports both providers.
Not implemented for Google in this PR:
The new web “Connect Microsoft 365” button/callback flow is Microsoft-only.
This is simply because there is no equivalent “Connect Google” web callback endpoint yet.
So Google can work with manual OAuth fields (especially the refresh token), but the one-click web onboarding is currently Microsoft-only.
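As an added example (not ITFlow's own code), the pieces the PR describes written as standalone PHP helpers: single-use OAuth state, the access-token expiry check before sending, mapping a token response onto the stored fields, and the XOAUTH2 initial response used by IMAP and SMTP. The function names, the session array and the skew constant are assumptions; the config_mail_oauth_* field names are the ones the PR description lists.

```php
<?php
// Added example, not ITFlow's own code. Function names, the $session array and the
// skew constant are assumptions; the config_mail_oauth_* keys come from the PR description.
const TOKEN_REFRESH_SKEW_SECONDS = 300; // refresh early so a token never expires mid-send

// Authorization Code flow: random single-use state kept server-side, compared in constant time.
function oauthGenerateState(array &$session): string
{
    $state = bin2hex(random_bytes(32));
    $session['oauth_state'] = $state;
    return $state;
}

function oauthValidateState(array &$session, string $received): bool
{
    $expected = $session['oauth_state'] ?? '';
    unset($session['oauth_state']); // one shot: consumed whether or not it matches
    return $expected !== '' && hash_equals($expected, $received);
}

// Token lifecycle: a missing token, or one expiring inside the skew window, must be refreshed.
function oauthTokenNeedsRefresh(?string $accessToken, ?int $expiresAt, int $now): bool
{
    return $accessToken === null || $accessToken === ''
        || $expiresAt === null || $expiresAt <= $now + TOKEN_REFRESH_SKEW_SECONDS;
}

// Map a decoded token-endpoint response onto the settings fields the PR stores. The provider
// may rotate the refresh token, so persist a new one only when present; expiry is absolute.
function oauthFieldsFromTokenResponse(array $response, int $now): array
{
    $fields = [
        'config_mail_oauth_access_token'            => $response['access_token'],
        'config_mail_oauth_access_token_expires_at' => $now + (int) $response['expires_in'],
    ];
    if (!empty($response['refresh_token'])) {
        $fields['config_mail_oauth_refresh_token'] = $response['refresh_token'];
    }
    return $fields;
}

// XOAUTH2 SASL initial client response, shared by IMAP AUTHENTICATE and SMTP AUTH.
function xoauth2InitialResponse(string $user, string $accessToken): string
{
    return base64_encode("user={$user}\x01auth=Bearer {$accessToken}\x01\x01");
}
```

Calling oauthTokenNeedsRefresh() before every queued send, rather than only on an authentication failure, is what lets the mail queue recover from a token that expired while the cron job was idle.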