znuny / Znuny

Znuny/Znuny LTS is a fork of the ((OTRS)) Community Edition, one of the most flexible web-based ticketing systems used for Customer Service, Help Desk, IT Service Management.
https://www.znuny.org
GNU General Public License v3.0

Bug - OAuth2 Config ID Causing invalid_grant or invalid_client (Microsoft Exchange Online) #429

Open Vip3rLi0n opened 1 year ago

Vip3rLi0n commented 1 year ago

Environment

Expected behaviour

It should receive the OAuth2 token, as the configuration is properly configured.

Actual behaviour

It will give Error: invalid_grant or Error: invalid_client on the configured OAuth2. This only happens with Microsoft Exchange Online/Azure. Once the configuration is not correct, it will keep giving the same error despite the configuration being fixed.

How to reproduce

Steps to reproduce the behavior:

  1. Go to '/index.pl?Action=AdminOAuth2TokenManagement;'.
  2. Click on 'Add OAuth2 token configuration'.
  3. Choose 'Microsoft Exchange Online'.
  4. Configure the OAuth with false information/credentials.
  5. Save and Finish.
  6. Click on 'Request new Token' or 'Refresh' button before the 'Delete' button.
  7. Once you have received the misconfiguration error, edit the OAuth2 configuration with the proper configuration.
  8. Save and Finish.
  9. Click on 'Request new Token' or 'Refresh' button before the 'Delete' button.
  10. See Errors.

Additional information

Error log:
Backend ERROR: OTRS-CGI-18 Perl: 5.34.0 OS: linux Time: Wed May 10 18:31:48 2023

 Message: Error requesting token for token config ID 2 with authorization code 'REDACTED'. Error: invalid_client

 RemoteAddress: 104.28.205.198
 RequestURI: /otrs/get-oauth2-token-by-authorization-code.pl?code=REDACTED&state=TokenConfigID2&session_state=e6dc73e7-099c-403e-be41-9002a9d6edc2

 Traceback (49120): 
   Module: Kernel::Output::HTML::Layout::Error Line: 1038
   Module: Kernel::Output::HTML::Layout::ErrorScreen Line: 1019
   Module: Kernel::Modules::AdminOAuth2TokenManagement::_RequestTokenByAuthorizationCode Line: 120
   Module: Kernel::Modules::AdminOAuth2TokenManagement::Run Line: 53
   Module: Kernel::System::Web::InterfaceAgent::Run Line: 1144
   Module: ModPerl::ROOT::ModPerl::Registry::opt_otrs_bin_cgi_2dbin_get_2doauth2_2dtoken_2dby_2dauthorization_2dcode_2epl::handler Line: 52
   Module: (eval) (v1.99) Line: 207
   Module: ModPerl::RegistryCooker::run (v1.99) Line: 207
   Module: ModPerl::RegistryCooker::default_handler (v1.99) Line: 173
   Module: ModPerl::Registry::handler (v1.99) Line: 32

Method to bypass the bug:

  1. Click on 'Add OAuth2 token configuration'.
  2. Choose 'Microsoft Exchange Online'.
  3. Enter the proper OAuth2 configuration.
  4. Save and Finish.
  5. Set the previous OAuth2 configuration to 'invalid'.
  6. Click on 'Request new Token' or 'Refresh' button before the 'Delete' button.
  7. Works as intended.


Mirkk commented 1 year ago

Thanks! Same invalid_client error, same "workaround" bypasses the bug. I just had a wrong return address on the first try, and it seems that something incorrect gets saved. Definitely a bug to be corrected. I have V. 6.5.2.

Vip3rLi0n commented 1 year ago

Update:

Error:

Bypass method for this error:


Andrew-Staves-Activ commented 11 months ago

We see the same - invalid_client error - as the original report in v6.5.3.

k0ssi commented 2 months ago

I just ran into the same error, receiving an "invalid_grant" error although all currently stored values were correct. Turned out this must be a bug that appears when you change the client secret after the initial save. I had a copy-paste error when creating the initial entry, which I fixed afterwards, which results in an "invalid_grant" until I deleted the settings and created a new one. This behaviour is also mentioned within this thread back in 2022: https://community.znuny.org/viewtopic.php?t=43247

I am running 7.0.19.