Moodle tracker: MDL-59473

Poor Validation of Oauth2 Token Response causes a loop of redirections


    • MOODLE_33_STABLE
    • MOODLE_32_STABLE, MOODLE_33_STABLE
      Master and 3.3

      1. Create a new Oauth Application with your account in https://github.com/settings/applications/new
      2. Use https://<your site URL>/admin/oauth2callback.php as the Authorization callback URL
      3. Copy your Client ID and Secret and set Service base URL to https://api.github.com/
      4. Tick "Show on login page"
      5. Configure in Moodle a new Oauth2 service with Client ID and Secret, whatever scopes (like user) and endpoints:
         • authorization_endpoint: https://github.com/login/oauth/authorize
         • token_endpoint: https://github.com/login/oauth/access_token
         • userinfo_endpoint: https://api.github.com/user
      6. Try to use this new oauth2 service in the login page.
      7. Authorize your github account for the previously selected scopes.
      8. Normal redirection to Moodle and Linking/Creation of the account.

      3.2

      This test requires the Google Docs repository to be enabled and a Google Docs account for use in testing.

      1. Login as a student and go to a forum.
      2. Add a new discussion topic and click the Add button to add an attachment.
      3. Choose Google Docs in the file picker then click the Login button.
      4. Grant access to your Google account.
      5. Select a file then click the 'Post to forum' button.
      6. Check that the Google Docs file is shown as an attachment to the post.
      7. Try downloading the file.

      At approximately lines 546-563 of lib/oauthlib.php, when Moodle sends a token request to an OAuth2 authorization server, it assumes the response body is JSON (application/json). That is not always the case: some authorization servers respond by default in another format, such as XML (application/xml) or URL-encoded form data (application/x-www-form-urlencoded). When Moodle tries to decode such a response with a JSON decoder, the decode fails quietly and the authentication flow carries on; because Moodle never finds a valid token, it redirects to the provider again, producing a loop of redirections.
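
The following is an added example, not code from Moodle's lib/oauthlib.php. It shows the defensive shape of a token-response parser: dispatch on the Content-Type header instead of assuming JSON, accept the form-encoded body that GitHub returns by default, and fail loudly (so the login aborts with an error) when the body holds an RFC 6749 error or no access_token at all, which is exactly the condition that otherwise turns into the redirect loop. The function name parse_token_response and the sample bodies are constructed for this example.

```php
<?php
// Added example, not Moodle's own code. Parses an OAuth2 token endpoint
// response according to its Content-Type and refuses to continue without a token.

/**
 * Decode a token response body and return the decoded key/value array.
 * Throws RuntimeException when the body cannot be decoded, carries an
 * OAuth2 error, or holds no access_token, so the caller can stop the login
 * instead of redirecting to the provider again.
 */
function parse_token_response(string $body, string $contenttype): array {
    // Drop parameters such as "; charset=utf-8" and normalise case.
    $mime = strtolower(trim(explode(';', $contenttype, 2)[0]));

    switch ($mime) {
        case 'application/json':
            $data = json_decode($body, true);
            if (!is_array($data)) {
                throw new RuntimeException('Token response is not valid JSON: ' . json_last_error_msg());
            }
            break;
        case 'application/x-www-form-urlencoded':
            // GitHub's token endpoint answers in this format unless the request
            // carries an "Accept: application/json" header.
            $data = [];
            parse_str($body, $data);
            break;
        default:
            // Unknown or missing Content-Type: try JSON first, then form encoding.
            $data = json_decode($body, true);
            if (!is_array($data)) {
                $data = [];
                parse_str($body, $data);
            }
            break;
    }

    // RFC 6749 error responses carry "error" (GitHub e.g. bad_verification_code).
    if (isset($data['error'])) {
        $detail = isset($data['error_description']) ? ' (' . $data['error_description'] . ')' : '';
        throw new RuntimeException('Token endpoint returned error: ' . $data['error'] . $detail);
    }
    if (empty($data['access_token'])) {
        throw new RuntimeException('Token response does not contain an access_token');
    }
    return $data;
}

// Constructed sample responses (not captured from a real server).
$samples = [
    ['application/json; charset=utf-8',
     '{"access_token":"EXAMPLE_TOKEN","token_type":"bearer","scope":"user"}'],
    ['application/x-www-form-urlencoded; charset=utf-8',
     'access_token=EXAMPLE_TOKEN&scope=user&token_type=bearer'],
    ['application/x-www-form-urlencoded',
     'error=bad_verification_code&error_description=The+code+passed+is+incorrect+or+expired.'],
];

foreach ($samples as [$contenttype, $body]) {
    try {
        $token = parse_token_response($body, $contenttype);
        echo "OK   ({$contenttype}): token_type={$token['token_type']}\n";
    } catch (RuntimeException $e) {
        // Surfacing the failure here is what prevents the redirect loop.
        echo "FAIL ({$contenttype}): {$e->getMessage()}\n";
    }
}
```

The first two samples decode to the same token; the third raises instead of returning an empty array. A complementary mitigation on the request side is to send `Accept: application/json` to the token endpoint, which GitHub honours, but the response-side check above is what guarantees a missing token stops the flow rather than restarting it.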

      Steps to reproduce:

      Example Oauth provider: Github

      1. Create a new Oauth Application with your account in https://github.com/settings/applications/new
      2. Copy your Client ID and Secret and use https://<your site URL>/admin/oauth2callback.php as the Authorization callback URL
      3. Configure in Moodle a new Oauth2 service with Client ID and Secret, whatever scopes (like user) and endpoints:
         • authorization_endpoint: https://github.com/login/oauth/authorize
         • token_endpoint: https://github.com/login/oauth/access_token
         • userinfo_endpoint: https://api.github.com/user
      4. Try to use this new oauth2 service in the login page.
      5. Authorize your github account for the previously selected scopes.

      Actual Result:

      Redirect loop between Moodle and Github, which continues until Github reports too many attempts and redirects back to the authorization page.

      Expected Result:

      Normal redirection to Moodle and Linking/Creation of the account.

            People: sytabaresa, John Okely, Andrew Lyons, Damyon Wiese