  1. Moodle
  2. MDL-59869

If authorisation for an OAuth 2 system account expires, notifications are not sent


    • MOODLE_33_STABLE, MOODLE_34_STABLE
    • MOODLE_33_STABLE
    • MDL-59869-master
      1. Go to the "OAuth 2 services" admin page.
      2. Add an issuer.
      3. Connect a system account.
      4. For the issuer, change the "token_endpoint" URL to something very meaningless or, better, unreachable.
      5. Go to the "Scheduled tasks" admin page.
      6. Schedule the task \core\oauth2\refresh_system_tokens_task for immediate execution.
      7. Verify that no exceptions are thrown, and that you receive a notification email. (Except, of course, the only exception is that your email address is invalid; then that is fine, too. It would work if the email were right!)

      The OAuth 2 API provides a scheduled task that regularly uses the refresh token to get a current access token. As a side effect, it intends to notify administrators if that wasn't possible.

      Causes for that (that I could think of):
      1. The refresh token has expired or was revoked in the remote system.
      2. Client ID / Secret in the remote system were revoked or changed.
      3. The remote system is unreachable/gone.
      4. Someone changed the endpoint URL for the issuer (causing 2 or 3 effectively).

      See https://github.com/moodle/moodle/blob/27466d7548de99cbb050027acc3e809ce49ad2e9/lib/classes/oauth2/refresh_system_tokens_task.php#L87: Only in case 1 can we be certain that the notification function will be called. In the other cases, exceptions may bubble up from within get_system_oauth_client, causing notify_admins() to be skipped. Consequently, renewal has failed but administrators are not informed.

      Also, notify_admins needs fixing: https://github.com/moodle/moodle/blob/27466d7548de99cbb050027acc3e809ce49ad2e9/lib/classes/oauth2/refresh_system_tokens_task.php#L52. It uses $CFG without declaring it, and core\user should be \core_user.

      I am preparing a patch.

            jan.dagefoerde Jan Dageförde
            Damyon Wiese
            Jun Pataleta
            Marina Glancy
            Votes: 2
            Watchers: 8
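
Added example, not Moodle's code and not the reporter's patch: a self-contained PHP illustration of the failure mode described in the issue, where an exception raised while obtaining the client skips the notification, next to a guarded loop that treats the exception as a failed renewal. The names get_client_stub, refresh_unguarded, refresh_guarded and run_task, and the issuer states, are assumptions made for this example.

```php
<?php
// Hypothetical stand-in for get_system_oauth_client() (not Moodle code): returns
// false when the refresh token is rejected (cause 1), throws for causes 2 to 4.
function get_client_stub(array $issuer) {
    if (!in_array($issuer['state'], ['ok', 'refresh_token_revoked'], true)) {
        throw new RuntimeException("{$issuer['name']}: {$issuer['state']}");
    }
    return $issuer['state'] === 'ok' ? new stdClass() : false;
}

// Pattern described in the issue: only a false return leads to a notification.
function refresh_unguarded(array $issuers, callable $notify): void {
    foreach ($issuers as $issuer) {
        if (get_client_stub($issuer) === false) {
            $notify($issuer);
        }
    }
}

// Guarded form: an exception is logged and counted as a failed renewal.
function refresh_guarded(array $issuers, callable $notify): void {
    foreach ($issuers as $issuer) {
        try {
            $success = get_client_stub($issuer);
        } catch (Exception $e) {
            error_log($e->getMessage());
            $success = false;
        }
        if ($success === false) {
            $notify($issuer);
        }
    }
}

// Runs one variant and returns the names of the issuers that were reported.
function run_task(callable $task, array $issuers): string {
    $notified = [];
    try {
        $task($issuers, function (array $i) use (&$notified) { $notified[] = $i['name']; });
    } catch (Exception $e) {
        // Stands in for the scheduled task run aborting on the uncaught exception.
    }
    return implode(',', $notified) ?: '(none)';
}
// Constructed sample issuers: unreachable endpoint, revoked refresh token, healthy.
$issuers = [['name' => 'A', 'state' => 'endpoint_unreachable'],
    ['name' => 'B', 'state' => 'refresh_token_revoked'], ['name' => 'C', 'state' => 'ok']];
echo 'unguarded: ', run_task('refresh_unguarded', $issuers), PHP_EOL;
echo 'guarded:   ', run_task('refresh_guarded', $issuers), PHP_EOL;
```

With the constructed issuers, the unguarded loop stops at issuer A's exception, so neither A nor the revoked-token issuer B after it is reported; the guarded loop reports both.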
