
Microsoft Azure OAuth Redirect URI doesn't allow the query string. #10345

Open
chris001 opened this issue Jan 30, 2024 · 4 comments
Labels:
  • Area: Emails:Config (issues & PRs related to email configuration)
  • Area: Emails (issues & PRs related to all things regarding emails & the email module)
  • Priority:Important (broken functions, errors; there are workarounds)
  • Severity: Major (significant impact / severe disruption)
  • Type: Bug (bugs within the core SuiteCRM codebase)

Comments

chris001 (Contributor) commented Jan 30, 2024

Issue

Microsoft OAuth Redirect URL has new rules, since OAuth Login to Email was added in Suite.
The OAuth Redirect URL may not contain a query string!
Also, public (domain) URLs must be secure (https). Insecure (http) is not accepted!
In the Suite 7 + Suite 8 OAuth Email documentation steps, the Redirect URL: http://suite.mysite.tld/legacy/index.php?entryPoint=setExternalOAuthToken
…is now rejected as a Microsoft Azure OAuth Redirect URL!
A fix is needed, for all users, to get the Microsoft OAuth Redirect URL working again, and TLS certificates since https is now mandatory.

Expected Behavior

Users should be able to enter an acceptable Redirect URL to Azure, a URL that doesn't contain a Query String.
Users should be able to enter https://suite.mysite.tld/legacy/entryPoint/setExternalOAuthToken and have the Suite .htaccess rewrite it to: https://suite.mysite.tld/legacy/index.php?entryPoint=setExternalOAuthToken

Actual Behavior

Azure refuses saving Suite's OAuth Redirect URL:
Azure OAuth Redirect URL may not contain a query string

Possible Fix

RewriteRule in the Apache .htaccess.
Suite should detect when it's running on publicly accessible domain: auto configure a free TLS certificate & enable HTTPS.
Or just run Suite on a server with a Virtualmin control panel, it will automatically install a free TLS certificate, https will be active, and OAuth login from a Suite server on a domain will satisfy the Microsoft requirement for https. Of course, rewriting the Redirect URL in .htaccess would also be required, for OAuth email login to work.

Steps to Reproduce

  1. Log in to Microsoft Azure.
  2. Follow the Suite documentation on how to set up an "app" for Microsoft OAuth for email.
  3. Enable for personal email accounts also. May not make any difference.
  4. When you go to paste in the Redirect URL from the docs, you'll see an error box. It refuses to save the Redirect URL.

Context

  1. Fails to connect to email on Microsoft email accounts!
  2. Unable to test new email features such as RFC8055 One Click Unsubscribe, on Microsoft email accounts!

Your Environment

  • SuiteCRM Version used: 7.14.2, 8.5.0
  • Browser name and version (e.g. Chrome Version 51.0.2704.63 (64-bit)): Firefox
  • Environment name and version (e.g. MySQL, PHP 7): PHP 8.1 and 8.2
  • Operating System and version (e.g Ubuntu 16.04): Debian 12
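The rewrite the "Possible Fix" section describes, as an added example (not SuiteCRM's own .htaccess). It assumes mod_rewrite is enabled and that the rules sit in the .htaccess of the directory that holds the target index.php (legacy/ for Suite 8, the web root for Suite 7), so the request https://suite.mysite.tld/legacy/entryPoint/setExternalOAuthToken is served by legacy/index.php?entryPoint=setExternalOAuthToken:

```apache
# Added example, not SuiteCRM's shipped configuration.
RewriteEngine On

# Azure only accepts https for non-localhost redirect URIs, so send plain
# http requests to the https equivalent before anything else.
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# Map the query-string-free redirect URI onto the real entry point.
# Microsoft's callback appends ?code=...&state=... to the redirect URI;
# [QSA] carries those parameters over onto the rewritten query string so
# the authorization code and the CSRF-protecting state value still reach
# the entry point. The captured name is limited to [A-Za-z0-9_] so a path
# segment cannot smuggle extra query parameters into the rewritten URL.
RewriteRule ^entryPoint/([A-Za-z0-9_]+)/?$ index.php?entryPoint=$1 [QSA,L]
```

Check the result by requesting the new path and confirming the response matches the old index.php?entryPoint=... URL, and that the callback's code and state values are visible to the entry point.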
SuiteBot commented
This issue has been mentioned on SuiteCRM. There might be relevant details there:

https://community.suitecrm.com/t/oauth-redirect-url-breaking-change/91715/3

chris001 added a commit to chris001/SuiteCRM that referenced this issue Jan 31, 2024
johnM2401 (Contributor) commented
Hey @chris001 !
Thanks for getting in touch with this!

Apologies, but I'm not sure I can replicate this issue.

Trying to save a few different URLs with the formats you've posted above, all seem to be accepted on the Azure side, all saving:

[screenshot]

Perhaps there are further configurations / settings / steps that I'm missing?


I've also been successful with configuring Oauth Email in SuiteCRM 8.6

Using the redirect URI:
[screenshot]

I see my Outlook Account's Emails:
[screenshot]

I'm no expert with Azure/Oauth Email behaviour, so please let me know if there's anything I may have missed / misunderstood.

Thank you!

@johnM2401 johnM2401 added Status:Requires Updates Issues & PRs which requires input or update from the author Area: Emails Issues & PRs related to all things regarding emails & email module Area: Emails:Config Issues & PRs related to email configuration labels Apr 9, 2024
chris001 (Contributor, Author) commented Apr 9, 2024

Microsoft updated their documentation on Azure OAuth Redirect URI Query Parameter Support.

Azure OAuth Redirect URI query parameter support

In order to be compatible with users' Personal Microsoft email accounts (Hotmail, Xbox, Skype, etc), this PR is required, to use a Redirect URI with no query parameters.

@johnM2401 johnM2401 added Type: Bug Bugs within the core SuiteCRM codebase Priority:Important Issues & PRs that are important; broken functions, errors - there are workarounds Severity: Major Significant impact/severe disruption and removed Status:Requires Updates Issues & PRs which requires input or update from the author labels Apr 12, 2024
johnM2401 (Contributor) commented Apr 12, 2024

Hey @chris001
Thank you for that, I was previously using an Organizational-only Type App registration.
I am able to replicate now after creating a Personal-type.

Marking this as a bug.

Thank you again for your time and contributions!
