MDL-59511: Can't connect a system account to OAuth 2 services that do not provide email in userinfo

    • MOODLE_33_STABLE, MOODLE_34_STABLE
    • MOODLE_33_STABLE
    • MDL-59511-master-oauthsysmail

      To obtain a userinfo "endpoint" that does not provide an email address, you can use fake_userinfo.json.

      Existing site

      1. Perform an upgrade.
      2. Confirm that the email field of the table {prefix}oauth2_system_account does not have a NOT NULL restriction.
      3. Add an issuer whose userinfo endpoint will not provide an email address (e.g. with a fake userinfo endpoint, see above).
      4. Verify that you can connect a system account and that its username is shown in the issuers table.
      5. Add an issuer that does provide an email address in userinfo.
      6. Verify that you can connect a system account to that issuer and that both username and email address show up in the issuers table.

      Fresh site

      1. Install a new Moodle.
      2. Make sure the email field in {prefix}oauth2_system_account does not have a NOT NULL restriction.

      Currently, both fields "username" and "email" are marked NOT NULL in lib/db/install.xml (https://github.com/moodle/moodle/blob/350700bf8b509f5269b0fefd34fec0d3d5393c99/lib/db/install.xml#L3519). However, there are OAuth 2 providers that do not require an email address for their user accounts, which therefore cannot provide a reliable value in the corresponding field of a userinfo_endpoint. Both ownCloud and Nextcloud allow users to provide an email address, but this is not enforced, e.g. when accounts are created manually by an admin (Try for yourself: Instant trial on https://demo.nextcloud.com/#short-term; log in as admin//admin, click the Settings cog > Users and add a new user).

      (Partly related: Both services do not (yet) provide a userinfo endpoint, so I currently have to mock it – but as soon as they do, the email might not always be part of it.)

      I suggest that the email field be made NULL-able. I don't know of any services that do not provide a username, so that one can remain NOT NULL imo.
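      The constraint failure this report describes, as an added example that is not Moodle's own code: a minimal SQLite stand-in for {prefix}oauth2_system_account (only the columns relevant here are modelled, and the userinfo key name `username` is an assumption) with the email column NOT NULL beside the nullable variant, fed a userinfo response that omits email.

```python
import sqlite3
from typing import Optional

# Constructed, simplified stand-in for {prefix}oauth2_system_account
# (assumption: only the columns relevant to this issue are modelled).
SCHEMA_NOT_NULL = """
CREATE TABLE oauth2_system_account (
    id       INTEGER PRIMARY KEY,
    issuerid INTEGER NOT NULL,
    username TEXT    NOT NULL,
    email    TEXT    NOT NULL
)"""
# Proposed fix from the report: keep username NOT NULL, allow NULL email.
SCHEMA_NULLABLE = SCHEMA_NOT_NULL.replace("email    TEXT    NOT NULL", "email    TEXT")


def system_account_from_userinfo(issuerid: int, userinfo: dict) -> dict:
    """Map a userinfo response to a system-account row.

    username is required (the report keeps it NOT NULL); email is optional
    because some providers never return one. Key name 'username' is assumed."""
    username = userinfo.get("username")
    if not username:
        raise ValueError("userinfo endpoint did not provide a username")
    return {"issuerid": issuerid, "username": username, "email": userinfo.get("email")}


def try_connect(schema: str, issuerid: int, userinfo: dict) -> Optional[str]:
    """Store the account row under the given schema.

    Returns None on success, or the database constraint error message."""
    conn = sqlite3.connect(":memory:")
    try:
        conn.execute(schema)
        conn.execute(
            "INSERT INTO oauth2_system_account (issuerid, username, email) "
            "VALUES (:issuerid, :username, :email)",
            system_account_from_userinfo(issuerid, userinfo),
        )
        return None
    except sqlite3.IntegrityError as exc:
        return str(exc)
    finally:
        conn.close()


# Constructed sample userinfo responses (a fake endpoint, as in the test steps).
USERINFO_NO_EMAIL = {"username": "nextcloud-system"}
USERINFO_WITH_EMAIL = {"username": "system", "email": "system@example.invalid"}

if __name__ == "__main__":
    print("NOT NULL schema, no email: ", try_connect(SCHEMA_NOT_NULL, 1, USERINFO_NO_EMAIL))
    print("nullable schema, no email: ", try_connect(SCHEMA_NULLABLE, 1, USERINFO_NO_EMAIL))
```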

            Jan Dageförde, Simey Lameze, David Monllaó, Jake Dallimore
            Votes: 8
            Watchers: 13