Details
-
Improvement
-
Status: Closed
-
Minor
-
Resolution: Fixed
-
3.3, 3.8.2, Future Dev
-
MOODLE_33_STABLE, MOODLE_38_STABLE
-
MOODLE_310_STABLE
-
MDL-59510-master -
Testing requirements
This test requires:
- ngrok
- docker
- a Microsoft account
- a Google account
Setup
We're going to test the behaviour of three different repositories: Google Drive, Microsoft OneDrive and Nextcloud.
This first part deals with setting these repositories up on a newly installed site.
Google drive setup
- Create a new Moodle site.
- Go to the developer console at https://console.developers.google.com and sign in with your personal Google account. Accounts tied to an organisation may not be permitted to create new projects.
- In the left pane, click 'Credentials'. If you're prompted to create a new project (i.e. you haven't created one in the past), then do so now.
- Click 'Create credentials' at the top and select 'OAuth client id'
- Set the following:
- 'Application type' to 'Web application'
- 'Name' to 'Moodle'
- Under 'Authorized redirect URIs' click 'Add URI'
- Enter 'http://LOCALHOST-MOODLE/admin/oauth2callback.php', replacing LOCALHOST-MOODLE with localhost/master or whatever you use.
- Save
- Now, copy the clientid and client secret for use in a moment
- Now, go to the console dashboard (https://console.developers.google.com)
- Make sure 'Google Drive API' is enabled (you will see it listed at the bottom if it is). If it's not visible, you'll need to enable this API via the 'Enable APIs and Services' button at the top of the page. Make sure you can see 'Google Drive API' listed on the dashboard after you enable it. Don't continue until you have this part set up.
- On your Moodle site, log in as admin
- Go to Admin > Server > OAuth 2 services
- Click 'Create new Google service'
- Enter the clientid and client secret and save changes
- Now, go to admin > plugins > repositories > manage repositories
- Enable 'Google Drive' repository
- Click 'settings' for the Google Drive repository
- Name it 'Google Drive repo', set issuer to 'Google' and save.
- Now, go to private files, click the 'Add...' button and you should see 'Google Drive repo' listed on the left side of the file picker. If not, please check the above steps again.
OneDrive setup
- Go to the Azure portal at https://portal.azure.com and sign in with your Microsoft account
- Click 'Azure active directory'
- From the left hand pane, under 'Manage', select 'App registrations'
- Click 'New registration'
- Set:
- 'Name' to 'Moodle' and
- 'Supported account types' to 'Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)'
- 'Redirection URI' to 'Web' and enter 'http://LOCALHOST-MOODLE/admin/oauth2callback.php', replacing LOCALHOST-MOODLE with localhost/master or whatever you use.
- Click 'Register'
- Now, you should be on an 'Overview' page
- Copy the 'Application (client) id' value to a text document for use in a moment
- In the left pane, click 'Certificates and secrets'
- Click 'New client secret', name it 'Moodle' and save
- Copy the value of the secret to a text document for use in a moment
- Now, log in to your Moodle site as admin
- Go to Admin > Server > OAuth 2 services
- Click 'Create new Microsoft service'
- Enter the clientid and client secret you copied earlier and save.
- Now, go to admin > plugins > repositories > manage repositories
- Enable 'Microsoft OneDrive' repository
- Click 'settings' for the OneDrive repository
- Name it 'OneDrive repo', set 'OAuth 2 service' to 'Microsoft' and save.
- Now, go to private files, click the 'Add...' button and you should see 'OneDrive repo' listed on the left side of the file picker.
If not, please check the above steps again.
Nextcloud setup
- With docker-ce installed locally, run the nextcloud container (source: https://hub.docker.com/_/nextcloud):
docker run -d -p 8080:80 nextcloud
- Run ngrok for port 8080
ngrok http --region=au 8080
(set region as appropriate for you, provided you have an ngrok account)
- Go to the https ngrok URL, i.e. https://NGROK-URL, and you should see the nextcloud login screen
- Untick the 'install apps' box - this just adds time to the install which we don't need.
- Sign in using admin:test (creating the account during the process)
Note: If you're blocked by Firefox, you might need to ignore the warning and proceed anyway, repeating the process.
- Now, from the top right menu, go to 'settings'
- Now, in the admin section (bottom left), click 'security'
- Under 'password policy' change min length to 4 and deselect the 'forbid common passwords' checkbox (it auto saves on change)
- Scroll down to 'OAuth 2.0 Clients' and under 'add client' enter:
Name: Moodle
Redirection URI: http://LOCALHOST-MOODLE/admin/oauth2callback.php, replacing LOCALHOST-MOODLE with localhost/master or whatever you use.
- Click 'add'
- Copy the clientid and secret to a text doc for use in a moment
- Now, via the top right menu, click 'Users'
- Create the following users:
username:password:email
s1:test:s1@test.com
s2:test:s2@test.com
- Log out of nextcloud
- Log in to your Moodle site and go to Site admin > Server > OAuth 2 Services
- Click 'add a new nextcloud service'
- Enter the client id and secret you copied from nextcloud earlier
- In 'Service base URL', enter your https ngrok URL
- Save changes
- Now, go to admin > plugins > repositories > manage repositories
- Enable Nextcloud repository
- Click 'settings' for the Nextcloud repository
- Click 'Create a new repository instance'
- Name it 'Nextcloud repo', set issuer to 'Nextcloud' and save.
- Now, go to private files, click the 'Add...' button and you should see 'Nextcloud repo' listed on the left side of the file picker.
If not, please check the above steps again.
Testing persistent access to the three repositories
- Make sure you're logged out of your locally running Nextcloud (login and then logout if you're not sure)
- In Moodle, first make sure you have two test users s1 and s2
- Log in to Moodle as s1
- Open private files
- Click 'Add...' button
- In the file picker window, click 'Nextcloud repo'
- Click 'Log in to your account' and continue through the Nextcloud log in process using the s1:test credentials you created earlier.
- Confirm log in is successful and you can see some Nextcloud files listed in the Moodle repository
- In the file picker window, click 'Google Drive repo'
- Click 'Log in to your account' and continue through the Google log in process using your Google account (If you see a warning about an unverified app, just expand the 'advanced' link and select 'Go to Moodle')
- Confirm log in is successful and you can see some Google Drive files listed in the Moodle repository
- In the file picker window, click 'OneDrive repo'
- Click 'Log in to your account' and continue through the OneDrive log in process using your Microsoft account
- Confirm log in is successful and you can see some OneDrive files/folders listed in the Moodle repository
- Log out of Moodle.
- Log out of the locally running Nextcloud.
- Repeat the repository log in process for all three repositories using user s2 (for Nextcloud, make sure you're logged out from your local Nextcloud site first, otherwise it'll try to link to whatever account is logged in already).
- Log out of Moodle.
- Log in to Moodle as s1
- Go to private files
- Click the 'Add...' button
- Click 'Nextcloud repo'
- Confirm the repository automatically logs in and displays files without any prompts
- Click 'Google Drive repo'
- Confirm the repository automatically logs in and displays files without any prompts
- Click 'OneDrive repo'
- Confirm the repository automatically logs in and displays files without any prompts
- Now, for each of the repositories we just inspected, select it and click the 'Logout' icon.
- For each, Confirm you now see the 'Log in to your account' button shown.
- Click back and forth between the three repositories and Confirm you still see the 'Log in to your account' button as you select each one.
- Log out of Moodle.
- Log out of the locally running Nextcloud
- Log in to Moodle as user s2.
- Go to private files
- Click the 'Add...' button
- Click 'Nextcloud repo'
- Confirm the repository automatically logs in and displays files without any prompts
- Click 'Google Drive repo'
- Confirm the repository automatically logs in and displays files without any prompts
- Click 'OneDrive repo'
- Confirm the repository automatically logs in and displays files without any prompts
- Log out of Moodle.
- Log in to Moodle as s1
- Go to private files
- Click the 'Add...' button
- Click 'Nextcloud repo'
- Confirm you see the 'Log in to your account' button
- Click 'Google Drive repo'
- Confirm you see the 'Log in to your account' button
- Click 'OneDrive repo'
- Confirm you see the 'Log in to your account' button
- Now, for each of the three repositories, log in to each again and Confirm you can see the files listed.
- Log out of Moodle.
Revoking app access and refresh tokens
- Sign in to Nextcloud as user s1
- In the top right, from the user menu, select 'settings'
- In the left pane, click 'Security'
- Under 'Devices and sessions' open the menu for Moodle (...) and click 'Revoke'
- Now, log in to Moodle as user s1
- Go to private files
- Click the 'Add...' button
- Click the 'Nextcloud repo' if not already selected
- Confirm you see the 'Log in to your account' button
- Log in to Nextcloud repo again and Confirm you can see the Nextcloud files listed.
- Log out of Moodle
- Now, go to your Microsoft account settings (https://account.microsoft.com)
- Click 'Privacy' from the header navigation
- Scroll down to the bottom in 'Other privacy settings' and click the 'Apps and services that can access your data' link
- Select 'Moodle' and click 'Remove these permissions'
- Now, log in to Moodle as user s1
- Go to private files
- Click the 'Add...' button
- Click the 'OneDrive repo' if not already selected
- Confirm you see the 'Log in to your account' button
- Log in to OneDrive repo again and Confirm you can see the OneDrive files listed.
- Log out of Moodle
- Now, go to your Google account (https://myaccount.google.com)
- In the left menu, select 'Security'
- Now, under 'Third party apps with account access', click 'Manage third party access'
- Click 'Moodle'
- Click 'Remove access' and confirm
- Now, log in to Moodle as user s1
- Go to private files
- Click the 'Add...' button
- Click the 'Google Drive repo' if not already selected
- Confirm you see the 'Log in to your account' button
- Log in to Google Drive repo again and Confirm you can see the Google Drive files listed.
- Log out of Moodle
Upgrade test
- Install a new Moodle site running the latest weekly code. You'll need to checkout these commit hashes for each respective branch, then run the installation.
- Create the instances
mdk create -t -v master -n imaster
mdk create -t -v 310 -n i310
- Checkout the weekly commit:
master:
git checkout e049d30613
310:
git checkout 8b026809c
- Run through the installation for both sites
- Now, checkout the integration changes
master:
git checkout master
310:
git checkout MOODLE_310_STABLE
- Run the upgrade for both sites and Verify there are no problems during upgrade.
- Now, for each site, run through the Google OAuth 2.0 setup as above and Verify you are able to sign in to the repository
- Log out and log back in
- Go to the repository and open Google Drive repository again
- Verify you can see your files listed without being asked to sign in.
4.0 holding pattern 6
Description
Access tokens can be very short-lived: https://tools.ietf.org/html/rfc6749#section-4.2.2 exemplarily specifies a lifetime of one hour, which is implemented accordingly in ownCloud and Nextcloud.
This results in situations in which users have to re-authorise Moodle after one hour is elapsed. I assume that this will be very annoying.
However, ownCloud authorisations transmit a refresh token that is used to obtain a new access token without manual interaction. The refresh token mechanism is already supported for (and used by) connected system accounts, and should be extended to connected user accounts accordingly.
Alternative solution: Increase the expiry period of access tokens in affected services, i.e. try to convince own- / Nextcloud to change this. However, this does not solve the general case. Also I think that short-lived access tokens are sensible, e.g. to prevent replay attacks.
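The refresh flow requested above, together with the behaviour the testing instructions check (silent re-login after the access token expires, a login prompt after repository logout or after the user revokes the app), as an added example that is not Moodle's code. SimulatedIssuer, UserTokenStore and demo are hypothetical names, and the issuer is an in-memory stand-in for a real token endpoint.

```python
import secrets
import time


class SimulatedIssuer:
    """Constructed stand-in for an OAuth 2 token endpoint, not a real service."""
    def __init__(self, access_ttl=3600):
        self.access_ttl = access_ttl          # one hour, as in the description
        self.refresh_tokens = {}              # refresh token -> account

    def authorize(self, account):             # interactive login and consent
        refresh = secrets.token_urlsafe(16)
        self.refresh_tokens[refresh] = account
        return self.token_endpoint("refresh_token", refresh)

    def token_endpoint(self, grant_type, refresh_token):   # RFC 6749 section 6
        if grant_type != "refresh_token" or refresh_token not in self.refresh_tokens:
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(16),
                "expires_in": self.access_ttl, "refresh_token": refresh_token}

    def revoke_app(self, account):            # user removes the app at the provider
        self.refresh_tokens = {t: a for t, a in self.refresh_tokens.items() if a != account}


class UserTokenStore:
    """Hypothetical client-side token handling, one refresh token per user."""
    def __init__(self, issuer, clock=time.time):
        self.issuer, self.clock = issuer, clock
        self.refresh = {}                     # user -> refresh token (persistent)
        self.cache = {}                       # user -> (access token, expiry time)

    def login(self, user, account):
        self._store(user, self.issuer.authorize(account))

    def repository_logout(self, user):        # forget both tokens: next use needs a login
        self.cache.pop(user, None)
        self.refresh.pop(user, None)

    def access_token(self, user):
        """Return a usable access token, or None if the user must log in again."""
        token, expiry = self.cache.get(user, (None, 0))
        if token and expiry - 30 > self.clock():     # 30 s safety margin
            return token
        if user not in self.refresh:
            return None
        reply = self.issuer.token_endpoint("refresh_token", self.refresh[user])
        if "error" in reply:                  # refresh token revoked or expired
            self.repository_logout(user)
            return None
        self._store(user, reply)
        return reply["access_token"]

    def _store(self, user, reply):
        self.cache[user] = (reply["access_token"], self.clock() + reply["expires_in"])
        self.refresh[user] = reply.get("refresh_token", self.refresh.get(user))


def demo():
    now = [0.0]                               # constructed clock, in seconds
    issuer = SimulatedIssuer()
    store = UserTokenStore(issuer, clock=lambda: now[0])
    store.login("s1", "account-1")            # constructed users and accounts
    store.login("s2", "account-2")
    now[0] += 2 * 3600                        # both access tokens have expired
    refreshed = store.access_token("s1")      # obtained without a prompt
    store.repository_logout("s1")
    issuer.revoke_app("account-2")
    return refreshed is not None, store.access_token("s1"), store.access_token("s2")
```

A None result corresponds to the 'Log in to your account' button in the test steps; tokens are keyed per user, so s1's logout and s2's revocation do not affect each other.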
Attachments
- google.png
- 613 kB
- microsoft.png
- 570 kB
- nextcloud.png
- 665 kB
- upgrade 310.png
- 909 kB
- upgrade master.png
- 670 kB