- Bug
- Resolution: Fixed
- Minor
- 3.3
- MOODLE_33_STABLE
- MOODLE_32_STABLE, MOODLE_33_STABLE
Around lines 546-563 of lib/oauthlib.php, when Moodle sends a token request to an OAuth2 authorization server, it assumes the response body is JSON (application/json). That is not always the case: some authorization servers respond by default in another format, such as XML (application/xml) or URL-encoded form data (application/x-www-form-urlencoded). When Moodle tries to decode such a response with a JSON decoder, the decode fails silently and the authentication flow continues anyway, which causes a redirect loop because Moodle never finds a valid token.
Steps to reproduce:
Example OAuth provider: GitHub
- Create a new OAuth application with your account at https://github.com/settings/applications/new
- Copy your Client ID and Secret and use https://<your site URL>/admin/oauth2callback.php as the Authorization callback URL
- Configure a new OAuth2 service in Moodle with the Client ID and Secret, any scopes (such as user) and these endpoints:
  - authorization_endpoint: https://github.com/login/oauth/authorize
  - token_endpoint: https://github.com/login/oauth/access_token
  - userinfo_endpoint: https://api.github.com/user
- Try to use this new OAuth2 service on the login page.
- Authorize your GitHub account for the previously selected scopes.
Actual Result:
Redirect loop between Moodle and GitHub until GitHub reports too many attempts and sends the browser back to the authorization page.
Expected Result:
Normal redirection back to Moodle and linking or creation of the account.
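To illustrate the fix a practitioner would want, here is an added example (not Moodle's own lib/oauthlib.php code) of a token-response parser that dispatches on the Content-Type header instead of assuming JSON, and fails loudly when no access_token can be extracted. The function name and the sample responses are constructed for this example.

```php
<?php
// Added example, not Moodle's own code: decode an OAuth2 token response
// according to its Content-Type and refuse to continue without a token.

/**
 * @param string $contenttype Value of the Content-Type response header.
 * @param string $body        Raw response body.
 * @return array Decoded token response, guaranteed to contain 'access_token'.
 * @throws RuntimeException if the body cannot be decoded or lacks a token.
 */
function parse_token_response(string $contenttype, string $body): array {
    // Drop parameters such as "; charset=utf-8" and normalise case.
    $mime = strtolower(trim(explode(';', $contenttype, 2)[0]));

    switch ($mime) {
        case 'application/json':
            $data = json_decode($body, true);
            if (json_last_error() !== JSON_ERROR_NONE) {
                throw new RuntimeException('Token response is not valid JSON: ' . json_last_error_msg());
            }
            break;
        case 'application/x-www-form-urlencoded':
            // GitHub's default format: access_token=...&scope=...&token_type=bearer
            parse_str($body, $data);
            break;
        case 'application/xml':
        case 'text/xml':
            // LIBXML_NONET keeps the parser from fetching external resources.
            $xml = simplexml_load_string($body, 'SimpleXMLElement', LIBXML_NOCDATA | LIBXML_NONET);
            if ($xml === false) {
                throw new RuntimeException('Token response is not valid XML');
            }
            $data = json_decode(json_encode($xml), true);
            break;
        default:
            throw new RuntimeException("Unsupported token response Content-Type: $contenttype");
    }

    if (!is_array($data) || empty($data['access_token'])) {
        // Failing here, instead of silently continuing, is what prevents the redirect loop.
        throw new RuntimeException('Token response did not contain an access_token');
    }
    return $data;
}

// Constructed sample responses, not captured from a real provider.
$form = parse_token_response('application/x-www-form-urlencoded',
    'access_token=constructed_token&scope=user&token_type=bearer');
$json = parse_token_response('application/json; charset=utf-8',
    '{"access_token":"constructed_token","token_type":"bearer","scope":"user"}');
assert($form['access_token'] === $json['access_token']);
```

A JSON decoder applied to the form-encoded body above returns null, which is exactly the silent failure the report describes; checking Content-Type first makes the GitHub case work and turns any other unexpected format into a visible error.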