znuny / Znuny

Znuny/Znuny LTS is a fork of the ((OTRS)) Community Edition, one of the most flexible web-based ticketing systems used for Customer Service, Help Desk, IT Service Management.
https://www.znuny.org
GNU General Public License v3.0

Bug - Default Google Mail OAuth2 template contains an error #340

Closed apathyzen closed 1 year ago

apathyzen commented 1 year ago

Environment

Expected behaviour

To add Gmail OAuth2 client ID and secret, then to authorize through Google's consent screen, then have no token expiration and/or refresh errors

Actual behaviour

Described here: https://community.znuny.org/viewtopic.php?f=62&t=43505

How to reproduce

Steps to reproduce the behavior:

  1. Go to otrs/index.pl?Action=AdminOAuth2TokenManagement
  2. Click on Add OAuth2 token configuration field
  3. Select Google Mail
  4. Save token configuration
  5. Use Request new token button, authorize Znuny via Google Account consent screen, and see No refresh token was requested yet due to incorrect refresh token URL configuration

Additional information

URL for token by refresh token provided by the template is: https://oauth2.googleapis.com/token

URL for token by refresh token should be: https://accounts.google.com/o/oauth2/token

Screenshots

rkaldung commented 1 year ago

@apathyzen From where do you get the refresh token URL? I checked the Google documentation and it is still the one provided from the template. See https://developers.google.com/identity/protocols/oauth2/web-server#exchange-authorization-code (switch to HTTP/REST to see the URL)

apathyzen commented 1 year ago

@rkaldung I've found https://accounts.google.com/o/oauth2/token in this article: https://csdcorp.com/blog/coding/oauth2-get-a-token-via-rest-google-sign-in/

We've found that it's valid by trial and error. :) Works with two test app credential entries in two different Google Cloud accounts. And there were some more broken OAuth2 entries in Znuny that we already deleted.

rkaldung commented 1 year ago

@apathyzen I set up a vanilla 6.4.5 test system with an OAuth2 configuration to fetch from a Google Workspace/GSuite account, using the template's URLs. Does it always require a week before failure, or does it sometimes happen earlier?

apathyzen commented 1 year ago

@rkaldung I didn't time exactly how long it takes to break. "A week" is more of a guess. What's your current Refresh token status? Does "Refresh token for token config has expired or is not present" show in otrs.log?

rkaldung commented 1 year ago

That's my (access) token status:

image

The refresh token is still valid and without an expiration date, not changed in the last 28 hrs.

rkaldung commented 1 year ago

@apathyzen I will close this issue and mark it with 'won't fix'. There are two reasons for this:

1.) The Google documentation clearly states that the URLs in our template are correct.

2.) I configured a freshly installed Znuny 6.4.5 with the data of a newly created GMail App. Over 680 emails were fetched during the last five days with different schedules, including one where the access token expired. Renewal of the token was done automatically, as expected.

We used a GSuite domain and mail account. If your setup differs, please let me know.