Moodle / MDL-59869

If authorisation for an OAuth 2 system account expires, notifications are not sent

    Details

    • Testing Instructions:
      1. Go to the "OAuth 2 services" admin page.
      2. Add an issuer.
      3. Connect a system account.
      4. For the issuer, change the "token_endpoint" URL to something very meaningless or, better, unreachable.
      5. Go to the "Scheduled tasks" admin page.
      6. Schedule the task \core\oauth2\refresh_system_tokens_task for immediate execution.
      7. Verify that no exceptions are thrown, and that you receive a notification email. (Except, of course, the only exception is that your email address is invalid; then that is fine, too. It would work if the email were right!)
    • Affected Branches:
      MOODLE_33_STABLE, MOODLE_34_STABLE
    • Fixed Branches:
      MOODLE_33_STABLE
    • Pull Master Branch:
      MDL-59869-master

      Description

      The OAuth 2 API provides a scheduled task that regularly uses the refresh token to get a current access token. As a side effect, it intends to notify administrators if that wasn't possible.

      Causes for that (that I could think of):
      1. The refresh token has expired or was revoked in the remote system.
      2. Client ID / Secret in the remote system were revoked or changed.
      3. The remote system is unreachable/gone.
      4. Someone changed the endpoint URL for the issuer (causing 2 or 3 effectively).

      See https://github.com/moodle/moodle/blob/27466d7548de99cbb050027acc3e809ce49ad2e9/lib/classes/oauth2/refresh_system_tokens_task.php#L87: Only in case 1 can we be certain that the notification function will be called. In the other cases, exceptions may bubble up from within get_system_oauth_client, causing notify_admins() to be skipped. Consequently, renewal has failed but administrators are not informed.

      Also, notify_admins needs fixing (https://github.com/moodle/moodle/blob/27466d7548de99cbb050027acc3e809ce49ad2e9/lib/classes/oauth2/refresh_system_tokens_task.php#L52): it uses $CFG without declaring it, and core\user should be \core_user.

      I am preparing a patch.
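
The failure mode described above, as an added example that is neither Moodle's code nor the patch for this issue: a self-contained PHP sketch in which an exception from the client lookup silently skips the administrator notification, next to a guarded loop that reports every failure. All function names, issuer names and messages are hypothetical stand-ins.

```php
<?php
// Added illustration, not Moodle code: every name here is a hypothetical stand-in.

// Stand-in for the client lookup: returns false when the refresh token is
// rejected (cause 1), throws when the token endpoint is unreachable (cause 3).
function get_client_stub(array $issuer) {
    if ($issuer['endpoint'] === 'unreachable') {
        throw new RuntimeException('could not reach token endpoint');
    }
    return $issuer['refresh_ok'] ? new stdClass() : false;
}

// Pattern from the report: an exception skips the notification for this
// issuer and also aborts the loop for every issuer after it.
function refresh_unguarded(array $issuers, callable $notify): void {
    foreach ($issuers as $issuer) {
        if (!get_client_stub($issuer)) {
            $notify($issuer['name'], 'refresh token rejected');
        }
    }
}

// Guarded variant: each failure mode ends in a notification, and one broken
// issuer does not prevent the remaining issuers from being processed.
function refresh_guarded(array $issuers, callable $notify): void {
    foreach ($issuers as $issuer) {
        try {
            if (!get_client_stub($issuer)) {
                $notify($issuer['name'], 'refresh token rejected');
            }
        } catch (Throwable $e) {
            $notify($issuer['name'], 'exception: ' . $e->getMessage());
        }
    }
}

// Constructed sample data: one unreachable, one revoked, one healthy issuer.
$issuers = [
    ['name' => 'issuer-a', 'endpoint' => 'unreachable', 'refresh_ok' => true],
    ['name' => 'issuer-b', 'endpoint' => 'ok', 'refresh_ok' => false],
    ['name' => 'issuer-c', 'endpoint' => 'ok', 'refresh_ok' => true],
];
$sent = [];
$notify = function (string $n, string $why) use (&$sent): void { $sent[] = "$n: $why"; };

try {
    refresh_unguarded($issuers, $notify);
} catch (Throwable $e) {
    echo "unguarded run aborted, notifications sent: " . count($sent) . "\n";
}
$sent = [];
refresh_guarded($issuers, $notify);
echo "guarded run notifications:\n  " . implode("\n  ", $sent) . "\n";
```

In the unguarded run the revoked issuer-b is never reported, because the exception raised for issuer-a ends the loop before issuer-b is reached.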

              People

              • Assignee:
                jan.dagefoerde Jan Dageförde
                Reporter:
                jan.dagefoerde Jan Dageförde
                Peer reviewer:
                Damyon Wiese
                Integrator:
                Jun Pataleta
                Tester:
                Marina Glancy
                Participants:
                Component watchers:
                Jake Dallimore, Jun Pataleta, Ryan Wyllie, Amaia Anabitarte, Carlos Escobedo, Sara Arjona (@sarjona), Víctor Déniz Falcón
              • Votes:
                2
                Watchers:
                8

                Dates

                • Created:
                  Updated:
                  Resolved:
                  Fix Release Date:
                  11/Sep/17