[MDL-45639] Web Service for SSO (auto-login from the app to the site) - Moodle Tracker

XML

Word

Printable

Details

Type: Sub-task
Status: Closed
Priority: Blocker
Resolution: Fixed
Affects Version/s: 2.7, 3.1.2
Fix Version/s: 3.2
Component/s: Web Services
Labels:
- ci
- release_notes
- triaged

Affected Branches:
MOODLE_27_STABLE, MOODLE_31_STABLE
Fixed Branches:
MOODLE_32_STABLE
Pull from Repository:
git://github.com/jleyva/moodle.git
Pull Master Branch:
~~MDL-45639~~-master
Pull Master Diff URL:
https://github.com/jleyva/moodle/compare/6a69cda...MDL-45639-master
Documentation link:
https://docs.moodle.org/dev/Web_service_API_functions
Testing Instructions:
Hide

As admin, enable "Mobile services": Plugins ► Web Services ► Mobile

Create a new user account (witout any speciail privilege)

Get a normal token and private token via this URL (https required, you can mock your local is_https() if you want): https://localhost/m/stable_master/login/token.php?username=u22&password=u22&service=moodle_mobile_app

Now, we must be quick, we are going to get an auto-login key that is valid for 60 seconds, we need to call this WS via curl command, please, replace the token and privatetoken values with the ones from step 3.

curl 'https://localhost/m/stable_master/webservice/rest/server.php?moodlewsrestformat=json' --data 'privatetoken=5A69Msd6nlwVCkkcRZWk9luSvAJvzhNBopfBRYn0dFbqD7DoIia6YhyTetihH4a4&wsfunction=tool_mobile_get_autologin_key&wstoken=a853b7528eac30eb9d5d3ef5c26980d9'

You will get as response a key and the autologin url

Point your browser (ensure that there is not user logged in Moodle), to the autologin url, replacing your key and userid: https://localhost/m/stable_master/admin/tool/mobile/autologin.php?key=f7303ab9bc1f6b8ead09521d3960b92b&userid=120

Check that you are successfully logged in.

Log out from Moodle site

Try to access using again the same autologin.php url, you should get an error that the key is not valid

Now, get another key via the curl WS call

Try to log in via autologin.php but using an incorrect userid parameter, you should get an error 'invalidkey'

Now, get another key via the curl WS call

Wait more than 60 seconds

Try to access via the autologin.php, you should get an error because the key is timed out

Get another key, and now try to access via autologin php but using a different IP address (you can use Tor Browser for that), you should get an error

Now, access Moodle as admin or a different user that the one you created the token for.

Get a valid key and try to access via autologin.php in the same browser the other user is logged in, you will get an error because you are already logged in with a different user

Finally, log in Moodle with the user you get the token for.

Using a invalid key try to access via autologin.php, since you are already logged in you will be directly redirected without validating the key.

Now, try to get a token and private token for the admin user like we did in 3 (you will need to delete any previous token for the admin user)

You should receive the token but the private token will be null, this is because we prevent admins to generate private tokens via login/token.php

In general, try to find any security hole in all the process
Show
As admin, enable "Mobile services": Plugins ► Web Services ► Mobile Create a new user account (witout any speciail privilege) Get a normal token and private token via this URL (https required, you can mock your local is_https() if you want): https://localhost/m/stable_master/login/token.php?username=u22&password=u22&service=moodle_mobile_app Now, we must be quick, we are going to get an auto-login key that is valid for 60 seconds, we need to call this WS via curl command, please, replace the token and privatetoken values with the ones from step 3. curl 'https://localhost/m/stable_master/webservice/rest/server.php?moodlewsrestformat=json' --data 'privatetoken=5A69Msd6nlwVCkkcRZWk9luSvAJvzhNBopfBRYn0dFbqD7DoIia6YhyTetihH4a4&wsfunction=tool_mobile_get_autologin_key&wstoken=a853b7528eac30eb9d5d3ef5c26980d9' You will get as response a key and the autologin url Point your browser (ensure that there is not user logged in Moodle), to the autologin url, replacing your key and userid: https://localhost/m/stable_master/admin/tool/mobile/autologin.php?key=f7303ab9bc1f6b8ead09521d3960b92b&userid=120 Check that you are successfully logged in. Log out from Moodle site Try to access using again the same autologin.php url, you should get an error that the key is not valid Now, get another key via the curl WS call Try to log in via autologin.php but using an incorrect userid parameter, you should get an error 'invalidkey' Now, get another key via the curl WS call Wait more than 60 seconds Try to access via the autologin.php, you should get an error because the key is timed out Get another key, and now try to access via autologin php but using a different IP address (you can use Tor Browser for that), you should get an error Now, access Moodle as admin or a different user that the one you created the token for. Get a valid key and try to access via autologin.php in the same browser the other user is logged in, you will get an error because you are already logged in with a different user Finally, log in Moodle with the user you get the token for. Using a invalid key try to access via autologin.php, since you are already logged in you will be directly redirected without validating the key. Now, try to get a token and private token for the admin user like we did in 3 (you will need to delete any previous token for the admin user) You should receive the token but the private token will be null, this is because we prevent admins to generate private tokens via login/token.php In general, try to find any security hole in all the process

Description

We need to enable SSO from the mobile app to a Moodle instance.

Once a user is logged in in the app it should be able to open activities inside an iframe in the app without having to enter again his credentials

After talking with Martin, it seems that a posible solution is to create a WebService that returns temporary "sessions tokens" that can be used to create a user-session and redirect the user to the requested page

Notice that it will be interesting to have this functionality available for current stable (so we can avoid the 6 months period between releases and make this functionality available for people using older versions)

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

Moodle Mobile auto-login(1).png
110 kB
13/Oct/16 2:37 AM

Issue Links

blocks

MDL-56159 Improve how the user_not_fully_setup and auth_forcepasswordchange cases are treated

Closed

has a non-specific relationship to

MOBILE-953 SSO from app to moodle site when using non-native plugins

Closed

is blocked by

MDL-53777 Include support for login via the browser in the new Moodle Mobile admin tool

Closed

Activity

People

Assignee:: Juan Leyva

Reporter:: Juan Leyva

Peer reviewer:: Frédéric Massart

Integrator:: David Monllaó

Tester:: Andrew Lyons

Participants:: Andrew Lyons, CiBoT, Dan Poltawski, David Monllaó, Eloy Lafuente (stronk7), Frédéric Massart, Helen Foster, Juan Leyva, Martin Dougiamas

Component watchers:: Juan Leyva, David Woloszyn, Huong Nguyen, Jake Dallimore, Meirza, Michael Hawkins, Raquel Ortega, Safat Shahin, Stevani Andolo

Votes:: 0 Vote for this issue

Watchers:: 8 Start watching this issue

Dates

Created:: 21/May/14 4:42 AM

Updated:: 30/Jan/20 5:52 AM

Resolved:: 21/Oct/16 7:55 AM

Fix Release Date:: 5/Dec/16