[MDL-58090] OAuth 2 authentication upgrades for Moodle. - Moodle Tracker

XML

Word

Printable

Details

Type: Improvement
Status: Closed
Priority: Minor
Resolution: Fixed
Affects Version/s: 3.3
Fix Version/s: None
Component/s: Authentication
Labels:
- dev_docs_required
- triaged

Affected Branches:
MOODLE_33_STABLE
Epic Link:
Better Office Integrations
Pull from Repository:
git://github.com/damyon/moodle.git
Pull Master Branch:
~~MDL-58090~~-master
Pull Master Diff URL:
https://github.com/damyon/moodle/compare/3c45d26f58...MDL-58090-master
Documentation link:
https://docs.moodle.org/dev/OAuth2_Services
Testing Instructions:

Hide

New admin page "Site admin -> Server -> OAuth 2 Services"

Create one of each of the standard OAuth services (google, microsoft, facebook). You will need to register an OAuth 2 client with each of their APIs to get a client id and secret. Your site will need to use https. Enable the OAuth 2 Authentication plugin. See the documentation link for a guide on setting these up.

You should now be able to login using each provider.

For Google / Microsoft you should be able to connect a system account from the new admin tool. It will request "offline" access and show as connected.

Show
New admin page "Site admin -> Server -> OAuth 2 Services" Create one of each of the standard OAuth services (google, microsoft, facebook). You will need to register an OAuth 2 client with each of their APIs to get a client id and secret. Your site will need to use https. Enable the OAuth 2 Authentication plugin. See the documentation link for a guide on setting these up. You should now be able to login using each provider. For Google / Microsoft you should be able to connect a system account from the new admin tool. It will request "offline" access and show as connected.

Description

1. Improve the moodle oauth 2 library so it is compatible with several prominant OAuth APIs (Google, Microsoft, Facebook is a nice start). Some specific problems are use of multi-part form encoding for token requests and duplicating Authentication headers on every request.
2. Provide a central administration page for configuring OAuth services in a generic way (including support for service discovery with OpenID Connect)
3. Allow system wide configuration of an OAuth service account which retrieves a "refresh token" for an OAuth API - allowing the system to retrieve access tokens and use the service account as part of an API.
4. Allow incremental authorization by remembering the approved scopes and requesting re-authentication when the un un-authorized scope is requested.
5. Implement a new auth plugin that displayes the installed OAuth services in a list on the login page and will login and update the user details via OAuth.

Attachments

Issue Links

blocks

MDL-58126 Update googledocs repository to use \core\oauth2\client

Closed

caused a regression

MDL-58618 Notice when using MNET auth

Closed

MDL-77382 OAuth 2: broken error handling when denying access to scopes during authorization code flow

Closed

has a non-specific relationship to

MDL-58631 Insufficient documentation of changes in loginpage_idp_list() method

Closed

has been marked as being related by

MDL-59473 Poor Validation of Oauth2 Token Response causes a loop of redirections

Closed

will help resolve

MDL-30149 Create core oauthlib wrapper to handle OAuth centrally

Closed

(1 will help resolve)

Activity

People

Assignee:: Damyon Wiese

Reporter:: Damyon Wiese

Peer reviewer:: Juan Leyva

Participants:: Andrew Lyons, CiBoT, Damyon Wiese, Goran Josic, Helen Foster, John Okely, Juan Leyva, Marina Glancy

Component watchers:: David Woloszyn, Huong Nguyen, Jake Dallimore, Meirza, Michael Hawkins, Raquel Ortega, Safat Shahin, Stevani Andolo

Votes:: 2 Vote for this issue

Watchers:: 9 Start watching this issue

Dates

Created:: 28/Feb/17 12:17 AM

Updated:: 14/Aug/23 9:28 PM

Resolved:: 19/May/17 6:20 PM