MDL-59510

Keep OAuth 2 connections alive across users' sessions


    Details

    • Testing Instructions:

      Testing requirements

      This test requires:

      • ngrok
      • docker
      • a Microsoft account
      • a Google account

      Setup

      We're going to test the behaviour of three different repositories: Google Drive, Microsoft OneDrive and Nextcloud.

      This first part deals with setting these repositories up on a newly installed site.

      Google Drive setup

      1. Create a new Moodle site.
      2. Go to the developer console at https://console.developers.google.com and sign in with your personal Google account. Accounts tied to an organisation may not be permitted to create new projects.
      3. In the left pane, click 'Credentials'. If you're prompted to create a new project (i.e. you haven't created one in the past), then do so now.
      4. Click 'Create credentials' at the top and select 'OAuth client id'
      5. Set the following:
        • 'Application type' to 'Web application'
        • 'Name' to 'Moodle'
      6. Under 'Authorized redirect URIs' click 'Add URI'
      7. Enter 'http://LOCALHOST-MOODLE/admin/oauth2callback.php', replacing LOCALHOST-MOODLE with localhost/master or whatever you use.
      8. Save
      9. Now, copy the clientid and client secret for use in a moment
      10. Now, go to the console dashboard (https://console.developers.google.com)
      11. Make sure 'Google Drive API' is enabled (you will see it listed at the bottom if it is). If it's not visible, you'll need to enable this API via the 'Enable APIs and Services' button at the top of the page. Make sure you can see 'Google Drive API' listed on the dashboard after you enable it. Don't continue until you have this part set up.
      12. On your Moodle site, log in as admin
      13. Go to Admin > Server > OAuth 2 services
      14. Click 'Create new Google service'
      15. Enter the clientid and client secret and save changes
      16. Now, go to admin > plugins > repositories > manage repositories
      17. Enable 'Google Drive' repository
      18. Click 'settings' for the Google Drive repository
      19. Name it 'Google Drive repo', set issuer to 'Google' and save.
      20. Now, go to private files, click the 'Add...' button and you should see 'Google Drive repo' listed on the left side of the file picker. If not, please check the above steps again.

      OneDrive setup

      1. Go to the Azure portal at https://portal.azure.com and sign in with your Microsoft account
      2. Click 'Azure active directory'
      3. From the left hand pane, under 'Manage', select 'App registrations'
      4. Click 'New registration'
      5. Set:
        • 'Name' to 'Moodle' and
        • 'Supported account types' to 'Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)'
        • 'Redirection URI' to 'Web' and enter 'http://LOCALHOST-MOODLE/admin/oauth2callback.php', replacing LOCALHOST-MOODLE with localhost/master or whatever you use.
      6. Click 'Register'
      7. Now, you should be on an 'Overview' page
      8. Copy the 'Application (client) id' value to a text document for use in a moment
      9. In the left pane, click 'Certificates and secrets'
      10. Click 'New client secret', name it 'Moodle' and save
      11. Copy the value of the secret to a text document for use in a moment
      12. Now, log in to your Moodle site as admin
      13. Go to Admin > Server > OAuth 2 services
      14. Click 'Create new Microsoft service'
      15. Enter the clientid and client secret you copied earlier and save.
      16. Now, go to admin > plugins > repositories > manage repositories
      17. Enable 'Microsoft OneDrive' repository
      18. Click 'settings' for the OneDrive repository
      19. Name it 'OneDrive repo', set 'OAuth 2 service' to 'Microsoft' and save.
      20. Now, go to private files, click the 'Add...' button and you should see 'OneDrive repo' listed on the left side of the file picker.
        If not, please check the above steps again.

      Nextcloud setup

      1. With docker-ce installed locally, run the nextcloud container:
        (source: https://hub.docker.com/_/nextcloud)

        docker run -d -p 8080:80 nextcloud
        

      2. Run ngrok for port 8080

        ngrok http --region=au 8080
        

        (set region as appropriate for you, provided you have an ngrok account)

      3. Go to the https ngrok URL, i.e. https://NGROK-URL, and you should see the Nextcloud login screen
      4. Untick the 'install apps' box - this just adds time to the install which we don't need.
      5. Sign in using admin:test (creating the account during the process)
        Note: If you're blocked by Firefox, you might need to ignore the warning and proceed anyway, repeating the process.
      6. Now, from the top right menu, go to 'settings'
      7. Now, in the admin section (bottom left), click 'security'
      8. Under 'password policy' change min length to 4 and deselect the 'forbid common passwords' checkbox (it auto saves on change)
      9. Scroll down to 'OAuth 2.0 Clients' and under 'add client' enter:
        Name: Moodle
        Redirection URI: http://LOCALHOST-MOODLE/admin/oauth2callback.php, replacing LOCALHOST-MOODLE with localhost/master or whatever you use.
      10. Click 'add'
      11. Copy the clientid and secret to a text doc for use in a moment
      12. Now, via the top right menu, click 'Users'
      13. Create the following users:
        username:password:email
        s1:test:s1@test.com
        s2:test:s2@test.com
      14. Log out of Nextcloud
      15. Log in to your Moodle site and go to Site admin > Server > OAuth 2 Services
      16. Click 'add a new nextcloud service'
      17. Enter the client id and secret you copied from Nextcloud earlier
      18. In 'Service base URL', enter your https ngrok URL
      19. Save changes
      20. Now, go to admin > plugins > repositories > manage repositories
      21. Enable Nextcloud repository
      22. Click 'settings' for the Nextcloud repository
      23. Click 'Create a new repository instance'
      24. Name it 'Nextcloud repo', set issuer to 'Nextcloud' and save.
      25. Now, go to private files, click the 'Add...' button and you should see 'Nextcloud repo' listed on the left side of the file picker.
        If not, please check the above steps again.

      Testing persistent access to the three repositories

      1. Make sure you're logged out of your locally running Nextcloud (login and then logout if you're not sure)
      2. In Moodle, first make sure you have two test users s1 and s2
      3. Log in to Moodle as s1
      4. Open private files
      5. Click 'Add...' button
      6. In the file picker window, click 'Nextcloud repo'
      7. Click 'Log in to your account' and continue through the Nextcloud log in process using the s1:test credentials you created earlier.
      8. Confirm log in is successful and you can see some Nextcloud files listed in the Moodle repository
      9. In the file picker window, click 'Google Drive repo'
      10. Click 'Log in to your account' and continue through the Google log in process using your Google account (If you see a warning about an unverified app, just expand the 'advanced' link and select 'Go to Moodle')
      11. Confirm log in is successful and you can see some Google Drive files listed in the Moodle repository
      12. In the file picker window, click 'Onedrive repo'
      13. Click 'Log in to your account' and continue through the OneDrive log in process using your Microsoft account
      14. Confirm log in is successful and you can see some OneDrive files/folders listed in the Moodle repository
      15. Log out of Moodle.
      16. Log out of the locally running Nextcloud.
      17. Repeat the repository log in process for all three repositories using user s2 (for Nextcloud, make sure you're logged out from your local Nextcloud site first, otherwise it'll try to link to whatever account is logged in already).
      18. Log out of Moodle.
      19. Log in to Moodle as s1
      20. Go to private files
      21. Click the 'Add...' button
      22. Click 'Nextcloud repo'
      23. Confirm the repository automatically logs in and displays files without any prompts
      24. Click 'Google Drive repo'
      25. Confirm the repository automatically logs in and displays files without any prompts
      26. Click 'OneDrive repo'
      27. Confirm the repository automatically logs in and displays files without any prompts
      28. Now, for each of the repositories we just inspected, select it and click the 'Logout' icon.
      29. For each, confirm you now see the 'Log in to your account' button shown.
      30. Click back and forth between the three repositories and confirm you still see the 'Log in to your account' button as you select each one.
      31. Log out of Moodle.
      32. Log out of the locally running Nextcloud
      33. Log in to Moodle as user s2.
      34. Go to private files
      35. Click the 'Add...' button
      36. Click 'Nextcloud repo'
      37. Confirm the repository automatically logs in and displays files without any prompts
      38. Click 'Google Drive repo'
      39. Confirm the repository automatically logs in and displays files without any prompts
      40. Click 'OneDrive repo'
      41. Confirm the repository automatically logs in and displays files without any prompts
      42. Log out of Moodle.
      43. Log in to Moodle as s1
      44. Go to private files
      45. Click the 'Add...' button
      46. Click 'Nextcloud repo'
      47. Confirm you see the 'Log in to your account' button
      48. Click 'Google Drive repo'
      49. Confirm you see the 'Log in to your account' button
      50. Click 'OneDrive repo'
      51. Confirm you see the 'Log in to your account' button
      52. Now, for each of the three repositories, log in again and confirm you can see the files listed.
      53. Log out of Moodle.

      Revoking app access and refresh tokens

      1. Sign in to Nextcloud as user s1
      2. In the top right, from the user menu, select 'settings'
      3. In the left pane, click 'Security'
      4. Under 'Devices and sessions' open the menu for Moodle (...) and click 'Revoke'
      5. Now, log in to Moodle as user s1
      6. Go to private files
      7. Click the 'Add...' button
      8. Click the 'Nextcloud repo' if not already selected
      9. Confirm you see the 'Log in to your account' button
      10. Log in to the Nextcloud repo again and confirm you can see the Nextcloud files listed.
      11. Log out of Moodle
      12. Now, go to your Microsoft account settings (https://account.microsoft.com)
      13. Click 'Privacy' from the header navigation
      14. Scroll down to the bottom in 'Other privacy settings' and click the 'Apps and services that can access your data' link
      15. Select 'Moodle' and click 'Remove these permissions'
      16. Now, log in to Moodle as user s1
      17. Go to private files
      18. Click the 'Add...' button
      19. Click the 'OneDrive repo' if not already selected
      20. Confirm you see the 'Log in to your account' button
      21. Log in to the OneDrive repo again and confirm you can see the OneDrive files listed.
      22. Log out of Moodle
      23. Now, go to your Google account (https://myaccount.google.com)
      24. In the left menu, select 'Security'
      25. Now, under 'Third party apps with account access', click 'Manage third party access'
      26. Click 'Moodle'
      27. Click 'Remove access' and confirm
      28. Now, log in to Moodle as user s1
      29. Go to private files
      30. Click the 'Add...' button
      31. Click the 'Google Drive repo' if not already selected
      32. Confirm you see the 'Log in to your account' button
      33. Log in to the Google Drive repo again and confirm you can see the Google Drive files listed.
      34. Log out of Moodle

      Upgrade test

      1. Install a new Moodle site running the latest weekly code. You'll need to check out these commit hashes for each respective branch, then run the installation.
        • Create the instances

          mdk create -t -v master -n imaster
          mdk create -t -v 310 -n i310
          

        • Checkout the weekly commit:
          master:

          git checkout e049d30613
          

          310:

          git checkout 8b026809c
          

        • Run through the installation for both sites
      2. Now, check out the integration changes
        master:

        git checkout master
        

        310:

        git checkout MOODLE_310_STABLE
        

      3. Run the upgrade for both sites and verify there are no problems during upgrade.
      4. Now, for each site, run through the Google OAuth 2.0 setup as above and verify you are able to sign in to the repository
      5. Log out and log back in
      6. Go to the repository and open Google Drive repository again
      7. Verify you can see your files listed without being asked to sign in.
    • Affected Branches:
      MOODLE_33_STABLE, MOODLE_38_STABLE
    • Fixed Branches:
      MOODLE_310_STABLE
    • Pull from Repository:
    • Pull 3.10 Branch:
      MDL-59510-310
    • Pull Master Branch:
      MDL-59510-master
    • Story Points:
      5
    • Sprint:
      4.0 holding pattern 6

      Description

      Access tokens can be very short-lived: https://tools.ietf.org/html/rfc6749#section-4.2.2 exemplarily specifies a lifetime of one hour, which is implemented accordingly in ownCloud and Nextcloud.

      This results in situations in which users have to re-authorise Moodle after one hour has elapsed. I assume that this will be very annoying.

      However, ownCloud authorisations transmit a refresh token that is used to obtain a new access token without manual interaction. The refresh token mechanism is already supported for (and used by) connected system accounts, and should be extended to connected user accounts accordingly.

      Alternative solution: Increase the expiry period of access tokens in affected services, i.e. try to convince own- / Nextcloud to change this. However, this does not solve the general case. Also I think that short-lived access tokens are sensible, e.g. to prevent replay attacks.
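      The description above explains the mechanism the fix relies on (a short-lived access token that the client renews with a refresh token, without user interaction), and the testing instructions check three consequences of storing that refresh token per user: access survives a new Moodle session, the 'Logout' icon forgets only the current user's connection, and revoking the app at the provider brings the 'Log in to your account' button back. The following Python is an added example written for this page, not code from Moodle or from this issue; it models both sides of the exchange offline. AuthServer is a constructed stand-in for Nextcloud, Google or Microsoft (not any provider's real API), RepoClient plays the role of the repository plugin, the Clock lets the example jump past the one-hour lifetime, and the s1/s2 accounts and token formats are made up for the scenario.

```python
import secrets


class Clock:
    """Fake clock so the example can jump past the access-token lifetime."""
    def __init__(self):
        self.t = 1_600_000_000.0
    def now(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds


class AuthServer:
    """Constructed stand-in for Nextcloud/Google/Microsoft: one-hour access
    tokens plus a refresh token, and a per-account 'remove app access' switch."""
    ACCESS_LIFETIME = 3600  # seconds, the one-hour example lifetime from RFC 6749

    def __init__(self):
        self.grants = {}      # refresh_token -> account that granted it
        self.revoked = set()  # accounts that withdrew the app's access

    def _token_response(self, refresh_token):
        # Token endpoint success body (RFC 6749 section 5.1)
        return {"access_token": "at-" + secrets.token_hex(8), "token_type": "Bearer",
                "expires_in": self.ACCESS_LIFETIME, "refresh_token": refresh_token}

    def authorize(self, account):
        """Interactive login completed for `account`: mint a new grant."""
        refresh_token = "rt-" + secrets.token_urlsafe(12)
        self.grants[refresh_token] = account
        return self._token_response(refresh_token)

    def refresh(self, refresh_token):
        """Refresh-token grant (RFC 6749 section 6). Returns (ok, body)."""
        account = self.grants.get(refresh_token)
        if account is None or account in self.revoked:
            return False, {"error": "invalid_grant"}
        return True, self._token_response(refresh_token)

    def revoke_app_access(self, account):
        """The user removes 'Moodle' on the provider's connected-apps page."""
        self.revoked.add(account)


class RepoClient:
    """Client side: one stored token per (Moodle user, issuer), refreshed silently
    near expiry; a rejected refresh drops the token so the login button returns."""
    LEEWAY = 60  # refresh a minute early rather than race the expiry

    def __init__(self, server, clock):
        self.server, self.clock, self.tokens = server, clock, {}

    def _store(self, user, issuer, body):
        self.tokens[(user, issuer)] = {"access": body["access_token"],
                                       "refresh": body["refresh_token"],
                                       "expires_at": self.clock.now() + body["expires_in"]}
        return body["access_token"]

    def login(self, user, issuer, account):
        """'Log in to your account' in the file picker (the interactive step)."""
        return self._store(user, issuer, self.server.authorize(account))

    def logout(self, user, issuer):
        """The 'Logout' icon: forget this user's token for this issuer only."""
        self.tokens.pop((user, issuer), None)

    def access_token(self, user, issuer):
        """Return a usable access token, or None meaning 'show the login button'."""
        tok = self.tokens.get((user, issuer))
        if tok is None:
            return None
        if tok["expires_at"] - self.LEEWAY > self.clock.now():
            return tok["access"]
        ok, body = self.server.refresh(tok["refresh"])
        if not ok:  # revoked or unknown grant: discard and require re-authorisation
            del self.tokens[(user, issuer)]
            return None
        return self._store(user, issuer, body)


def run_scenario():
    """Replay the persistence, per-user logout and revocation checks from the test plan."""
    clock, server = Clock(), AuthServer()
    client = RepoClient(server, clock)
    first_s1 = client.login("s1", "Nextcloud", "s1@test.com")
    client.login("s2", "Nextcloud", "s2@test.com")
    clock.advance(2 * 3600)  # both access tokens have now expired
    refreshed_s1 = client.access_token("s1", "Nextcloud")  # renewed, no prompt
    client.logout("s1", "Nextcloud")
    s1_after_logout = client.access_token("s1", "Nextcloud")
    s2_unaffected = client.access_token("s2", "Nextcloud")
    server.revoke_app_access("s2@test.com")
    clock.advance(2 * 3600)  # s2's next use must go through the refresh path
    s2_after_revoke = client.access_token("s2", "Nextcloud")
    return {"silent_refresh": refreshed_s1 is not None and refreshed_s1 != first_s1,
            "logout_isolated": s1_after_logout is None and s2_unaffected is not None,
            "revoked_needs_login": s2_after_revoke is None and ("s2", "Nextcloud") not in client.tokens}
```

Calling run_scenario() returns all three flags as True. The point worth carrying into a real implementation is the failure branch in access_token: a provider that has revoked the grant answers the refresh request with invalid_grant, and the client must treat that as "connection gone" (delete the stored token, show the login button) rather than retrying, which is exactly what the 'Revoking app access and refresh tokens' steps verify.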

        Attachments

        1. google.png
          613 kB
          Bas Brands
        2. microsoft.png
          570 kB
          Bas Brands
        3. nextcloud.png
          665 kB
          Bas Brands
        4. upgrade 310.png
          909 kB
          Bas Brands
        5. upgrade master.png
          670 kB
          Bas Brands


              People

              Assignee:
              jaked Jake Dallimore
              Reporter:
              jan.dagefoerde Jan Dageförde
              Peer reviewer:
              Mathew May Mathew May
              Integrator:
              Adrian Greeve Adrian Greeve
              Tester:
              Bas Brands Bas Brands
              Participants:
              Component watchers:
              Andrew Lyons, Dongsheng Cai, Huong Nguyen, Jun Pataleta, Michael Hawkins, Shamim Rezaie, Simey Lameze, Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski, Peter Dias, Sujith Haridasan
              Votes:
              10
              Watchers:
              13

                Dates

                Created:
                Updated:
                Resolved:
                Fix Release Date:
                9/Nov/20

                  Time Tracking

                  Estimated:
                  Original Estimate - 0 minutes
                  0m
                  Remaining:
                  Remaining Estimate - 0 minutes
                  0m
                  Logged:
                  Time Spent - 1 week, 2 days, 2 hours, 20 minutes
                  1w 2d 2h 20m