MDL-45639: Web Service for SSO (auto-login from the app to the site)

Project: Moodle
Under: MDL-29934 Web service API Roadmap

    • MOODLE_27_STABLE, MOODLE_31_STABLE
    • MOODLE_32_STABLE
    • MDL-45639-master
      Testing instructions:
      1. As admin, enable "Mobile services": Plugins ► Web Services ► Mobile
      2. Create a new user account (without any special privilege)
      3. Get a normal token and a private token via this URL (https is required; you can mock your local is_https() if you want): https://localhost/m/stable_master/login/token.php?username=u22&password=u22&service=moodle_mobile_app
      4. Now we must be quick: we are going to get an auto-login key that is valid for only 60 seconds. Call this WS via the curl command below, replacing the token and privatetoken values with the ones from step 3.

        curl 'https://localhost/m/stable_master/webservice/rest/server.php?moodlewsrestformat=json' --data 'privatetoken=5A69Msd6nlwVCkkcRZWk9luSvAJvzhNBopfBRYn0dFbqD7DoIia6YhyTetihH4a4&wsfunction=tool_mobile_get_autologin_key&wstoken=a853b7528eac30eb9d5d3ef5c26980d9'

      5. You will get as response a key and the autologin URL
      6. Point your browser (ensure that no user is logged in to Moodle) to the autologin URL, replacing your key and userid: https://localhost/m/stable_master/admin/tool/mobile/autologin.php?key=f7303ab9bc1f6b8ead09521d3960b92b&userid=120
      7. Check that you are successfully logged in.
      8. Log out from the Moodle site
      9. Try to access the same autologin.php URL again; you should get an error that the key is not valid (a key is consumed on first use)
      10. Now, get another key via the curl WS call
      11. Try to log in via autologin.php but using an incorrect userid parameter; you should get an 'invalidkey' error
      12. Now, get another key via the curl WS call
      13. Wait more than 60 seconds
      14. Try to access via autologin.php; you should get an error because the key has timed out
      15. Get another key, and now try to access via autologin.php from a different IP address (you can use Tor Browser for that); you should get an error, because the key is bound to the IP address that requested it
      16. Now, access Moodle as admin or as a different user than the one you created the token for.
      17. Get a valid key and try to access via autologin.php in the same browser where the other user is logged in; you will get an error because you are already logged in as a different user
      18. Finally, log in to Moodle with the user you got the token for.
      19. Using an invalid key, try to access via autologin.php; since you are already logged in you will be redirected directly, without the key being validated.
      20. Now, try to get a token and private token for the admin user as in step 3 (you will need to delete any previous token for the admin user)
      21. You should receive the token but the private token will be null; this is because we prevent admins from generating private tokens via login/token.php
      22. In general, try to find any security hole in the whole process
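The sequence of checks that steps 4 to 21 exercise, as an added Python model written for this page (it is not Moodle's PHP code in tool_mobile or admin/tool/mobile/autologin.php): a ws token plus its matching private token is needed to mint a key; the key is bound to a userid and to the requesting IP address, lives for 60 seconds and is consumed on first use; an existing session for another user blocks the login, and an existing session for the same user skips key validation entirely. The Site class, the method names and the outcome strings ("invalidkey", "ipmismatch" and so on) are assumptions chosen for illustration, and the userids, IP addresses and clock values in run_testing_steps() are constructed test data.

```python
"""Model of the autologin checks the testing steps above exercise.

Added for this page; this is NOT Moodle's PHP implementation of
tool_mobile_get_autologin_key / admin/tool/mobile/autologin.php. The class,
method and outcome names here are assumptions chosen for illustration.
"""
import secrets
from dataclasses import dataclass
from typing import Optional

KEY_LIFETIME = 60  # seconds, as stated in step 4


@dataclass
class Token:
    userid: int
    token: str
    privatetoken: Optional[str]  # None when not issued (admin user, or no https)


@dataclass
class AutologinKey:
    userid: int
    ip: str
    validuntil: float


class Site:
    """In-memory stand-in for one site's tokens, autologin keys and browser session."""

    def __init__(self, https: bool = True):
        self.https = https
        self.tokens: dict = {}
        self.keys: dict = {}
        self.session_user: Optional[int] = None  # user the browser is logged in as

    def login_token(self, userid: int, is_admin: bool) -> Token:
        """login/token.php: a private token only exists over https and never for admins (step 21)."""
        priv = None if (is_admin or not self.https) else secrets.token_hex(32)
        tok = Token(userid, secrets.token_hex(16), priv)
        self.tokens[tok.token] = tok
        return tok

    def get_autologin_key(self, wstoken: str, privatetoken: str, ip: str, now: float) -> str:
        """tool_mobile_get_autologin_key: needs the ws token AND its matching private token."""
        tok = self.tokens.get(wstoken)
        if tok is None or tok.privatetoken is None or tok.privatetoken != privatetoken:
            raise PermissionError("invalidprivatetoken")
        key = secrets.token_hex(16)  # 32 hex chars, like the key in step 6
        self.keys[key] = AutologinKey(tok.userid, ip, now + KEY_LIFETIME)
        return key

    def autologin(self, key: str, userid: int, ip: str, now: float) -> str:
        """autologin.php: returns an outcome code instead of rendering a page."""
        if self.session_user == userid:
            return "redirect"            # step 19: already that user, key is not checked
        if self.session_user is not None:
            return "alreadyloggedin"     # step 17: a different user holds the session
        rec = self.keys.get(key)
        if rec is None or rec.userid != userid:
            return "invalidkey"          # steps 9 and 11: unknown/consumed key, or wrong userid
        if rec.ip != ip:
            return "ipmismatch"          # step 15: the key is bound to the requesting IP
        if now > rec.validuntil:
            return "expiredkey"          # step 14: older than KEY_LIFETIME
        del self.keys[key]               # single use: a second visit must fail (step 9)
        self.session_user = userid
        return "loggedin"

    def logout(self) -> None:
        self.session_user = None


def run_testing_steps() -> list:
    """Replay steps 3 to 21 with a fake clock and constructed IPs; returns the outcomes in order."""
    site = Site()
    user = site.login_token(120, is_admin=False)                        # step 3
    out = []
    try:                                                                 # step 4 with a wrong private token
        site.get_autologin_key(user.token, "wrong", "10.0.0.1", now=0)
        out.append("keyissued")
    except PermissionError as exc:
        out.append(str(exc))
    key = site.get_autologin_key(user.token, user.privatetoken, "10.0.0.1", now=0)
    out.append(site.autologin(key, 120, "10.0.0.1", now=5))             # step 7
    site.logout()                                                        # step 8
    out.append(site.autologin(key, 120, "10.0.0.1", now=6))             # step 9
    key = site.get_autologin_key(user.token, user.privatetoken, "10.0.0.1", now=10)
    out.append(site.autologin(key, 999, "10.0.0.1", now=11))            # step 11
    key = site.get_autologin_key(user.token, user.privatetoken, "10.0.0.1", now=20)
    out.append(site.autologin(key, 120, "10.0.0.1", now=20 + KEY_LIFETIME + 1))  # step 14
    key = site.get_autologin_key(user.token, user.privatetoken, "10.0.0.1", now=100)
    out.append(site.autologin(key, 120, "10.0.0.2", now=101))           # step 15
    site.session_user = 2                                                # step 16: admin logged in
    out.append(site.autologin(key, 120, "10.0.0.1", now=102))           # step 17
    site.session_user = 120                                              # step 18
    out.append(site.autologin("notakey", 120, "10.0.0.1", now=103))     # step 19
    out.append(site.login_token(2, is_admin=True).privatetoken)          # steps 20-21
    return out


if __name__ == "__main__":
    print(run_testing_steps())
```

Running the file prints the outcome list in step order. One boundary worth noting when testing step 13: in this model a key is still accepted at exactly 60 seconds, so wait strictly longer than the lifetime before expecting the timeout error.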

      We need to enable SSO from the mobile app to a Moodle instance.

      Once a user is logged in to the app, they should be able to open activities inside an iframe in the app without having to enter their credentials again.

      After talking with Martin, it seems that a possible solution is to create a WebService that returns temporary "session tokens" that can be used to create a user session and redirect the user to the requested page.

      Notice that it will be interesting to have this functionality available for current stable (so we can avoid the 6-month period between releases and make this functionality available for people using older versions).

            jleyva Juan Leyva
            Frédéric Massart
            David Monllaó
            Andrew Lyons
            Votes: 0
            Watchers: 7
