Moodle tracker: MDL-29715

tokens are used as authorization instead of authentication only.

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Critical
    • Resolution: Won't Fix
    • Affects Version/s: 2.1.2, 2.2
    • Fix Version/s: None
    • Component/s: Web Services
    • Testing Instructions:
      1) Tokens should not be deleted when removing a user from a web service's authorized list. The token should belong to the user.
    • Affected Branches:
      MOODLE_21_STABLE, MOODLE_22_STABLE

    Description

    At present web service tokens are displayed as linked with web services in the 'create tokens' page (admin/webservice/tokens.php) and the 'security keys' page (/user/managetoken.php).
    This implies that the token is used not only to authenticate the user but also to authorize the user for this web service.

    Imo, tokens should be used to identify a person, i.e. authenticate; it is akin to a username/password combination.

    • This way we could also control access based on the type of authentication used if there are more in future (token or others).
    • Using it straight away for authorization can lead to security loopholes when considering future multiple ways of authentication.
    • This could also lead to other scalability problems when many separate web services are required. How many tokens will a user need then?

    There should only ever be a single token created for each user.

    This token should be able to be created at any time and reset at any time regardless of the web services linked.

    The token should be reused to link to separate web services; deletion/disabling of these links to web services should not require deletion of a user's token! (to resolve MDL-28670 and MDL-28126)

    btw, these links should also be disabled according to other login restrictions (see MDL-28629)
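The separation argued for above, as an added Python model that is not Moodle code: the token only identifies the user, a separate user-to-service link grants access, and removing a link (or applying a login restriction) leaves the token itself intact. Names such as `TokenStore` and `authorize_call` are assumptions made for this illustration.

```python
# Added illustration (not Moodle code): token = authentication, link = authorization.
import hashlib
import secrets
from dataclasses import dataclass, field


@dataclass
class User:
    username: str
    suspended: bool = False  # stands in for "other login restrictions"


@dataclass
class TokenStore:
    # One token per user; only the SHA-256 hash of the token value is stored.
    hashes: dict = field(default_factory=dict)  # token hash -> username
    links: dict = field(default_factory=dict)   # username -> set of enabled services
    users: dict = field(default_factory=dict)   # username -> User

    @staticmethod
    def _h(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue_token(self, user: User) -> str:
        """Create or reset the user's single token; any earlier token stops working."""
        self.users[user.username] = user
        for h, u in list(self.hashes.items()):
            if u == user.username:
                del self.hashes[h]
        token = secrets.token_hex(16)
        self.hashes[self._h(token)] = user.username
        return token

    def authenticate(self, token: str):
        """Answer only 'who is this?'; returns the username or None."""
        return self.hashes.get(self._h(token))

    def link(self, username: str, service: str) -> None:
        self.links.setdefault(username, set()).add(service)

    def unlink(self, username: str, service: str) -> None:
        # Revoking access to one service never touches the token.
        self.links.get(username, set()).discard(service)

    def authorize_call(self, token: str, service: str) -> str:
        username = self.authenticate(token)
        if username is None:
            return "invalid token"
        if self.users[username].suspended:
            return "login restricted"
        if service not in self.links.get(username, ()):
            return "not authorized for service"
        return "ok"
```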
