Type: Bug
Resolution: Fixed
Priority: Minor
Affects Version/s: 3.3.1, 3.4
Affected Branches: MOODLE_33_STABLE, MOODLE_34_STABLE
Fixed Branches: MOODLE_33_STABLE, MOODLE_34_STABLE
Pull Master Branch: MDL-59512-master

Currently, when a refresh token is upgraded to an access token, client ID and client secret are transmitted via the request payload: https://github.com/moodle/moodle/blob/350700bf8b509f5269b0fefd34fec0d3d5393c99/lib/classes/oauth2/client.php#L180. However, this is discouraged by the OAuth 2 standard (in context):
    Including the client credentials in the request-body using the two parameters is NOT RECOMMENDED and SHOULD be limited to clients unable to directly utilize the HTTP Basic authentication scheme (or other password-based HTTP authentication schemes).
Therefore, transmitting the client ID and secret via Basic Auth (instead of the payload) should be supported, at least as a per-service choice. I would even suggest fully moving to the Basic Auth mechanism, because

    The authorization server MUST support the HTTP Basic authentication scheme for authenticating clients that were issued a client password.
... however, I don't know how well Google and Microsoft adhere to the specs – this should be investigated first.
Either way: ownCloud currently only supports authentication via the Basic method; authentication via the payload fails as unauthorised.
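The two client-authentication encodings contrasted above, as an added illustration that is not Moodle's client.php code and not ownCloud's server code: the client side builds the refresh-token request either with the credentials in the form body or in an HTTP Basic header (form-encoding the ID and secret before base64, as RFC 6749 section 2.3.1 requires), and a toy token-endpoint check shows how a server that only honours the Basic method rejects the body variant. The endpoint URL, client ID, client secret and refresh token are constructed sample values; the behaviour of Google's and Microsoft's endpoints is not modelled.

```python
import base64
import hmac
from urllib.parse import parse_qs, quote, unquote, urlencode

# Constructed sample endpoint; not a real service.
TOKEN_URL = "https://issuer.example.test/oauth2/token"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Build the Authorization header for RFC 6749 section 2.3.1.

    Each value is application/x-www-form-urlencoded before joining with ':',
    so secrets containing ':' '/' '+' or '%' survive the round trip.
    """
    creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(creds.encode("ascii")).decode("ascii")


def refresh_request(refresh_token: str, client_id: str, client_secret: str,
                    use_basic: bool = True):
    """Return (headers, body) for a refresh_token grant against TOKEN_URL.

    use_basic=True  -> credentials in the Authorization header (recommended)
    use_basic=False -> credentials as client_id/client_secret body params
    """
    params = {"grant_type": "refresh_token", "refresh_token": refresh_token}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if use_basic:
        headers["Authorization"] = basic_auth_header(client_id, client_secret)
    else:
        params["client_id"] = client_id
        params["client_secret"] = client_secret
    return headers, urlencode(params)


def parse_client_credentials(headers: dict, body: str):
    """Server side: extract (method, client_id, client_secret) from a request.

    Raises ValueError when no credentials are present or when the client
    used both methods at once, which RFC 6749 section 2.3 forbids.
    """
    auth = headers.get("Authorization", "")
    form = parse_qs(body, keep_blank_values=True)
    body_creds = "client_id" in form and "client_secret" in form
    if auth.startswith("Basic "):
        if body_creds:
            raise ValueError("more than one client authentication method used")
        raw = base64.b64decode(auth[len("Basic "):]).decode("ascii")
        cid, _, secret = raw.partition(":")
        return "basic", unquote(cid), unquote(secret)
    if body_creds:
        return "body", form["client_id"][0], form["client_secret"][0]
    raise ValueError("no client credentials in request")


def server_accepts(headers: dict, body: str, registered: dict,
                   require_basic: bool) -> bool:
    """Emulate a token endpoint's client authentication step.

    registered maps client_id -> client_secret. require_basic=True mimics a
    server (like the ownCloud behaviour described in the issue) that treats
    body-parameter credentials as unauthorised.
    """
    try:
        method, cid, secret = parse_client_credentials(headers, body)
    except ValueError:
        return False
    if require_basic and method != "basic":
        return False
    expected = registered.get(cid)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), secret.encode())


if __name__ == "__main__":
    # Constructed sample registration; the secret deliberately has awkward characters.
    registered = {"moodle-site": "s3cr/et+x%:y"}
    for use_basic in (True, False):
        h, b = refresh_request("rt-123", "moodle-site", "s3cr/et+x%:y", use_basic)
        print("basic" if use_basic else "body",
              "strict server:", server_accepts(h, b, registered, True),
              "lenient server:", server_accepts(h, b, registered, False))
```

Note that the client side only decides where the credentials travel; whether a given provider honours the header is exactly the open question the report raises, so a per-service switch keeps both paths available.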