Details
- Type: Bug
- Status: Closed
- Priority: Major
- Resolution: Fixed
- Affects Version/s: 3.3.1, 3.4
- Fix Version/s: 3.3.3
- Component/s: Administration, Libraries, Repositories
- Affected Branches: MOODLE_33_STABLE, MOODLE_34_STABLE
- Fixed Branches: MOODLE_33_STABLE
- Pull Master Branch: MDL-59889-master
Description
Not really a regression of MDL-59511, but I discovered something that just couldn't happen before:
When authorisation of a system account is renewed by means of a refresh token, it compares the former external user's email address to that of the "new" (i.e. re-authenticated) external user, cf. https://github.com/moodle/moodle/blob/27466d7548de99cbb050027acc3e809ce49ad2e9/lib/classes/oauth2/client.php#L220.
Some services do not provide an email address, such as ownCloud and Nextcloud. If that happens, a Notice: Undefined index: email is raised.
Existing pre-defined services all provide an email, so this won't happen to them. Therefore it is not an actual regression. This just concerns third-party plugins using other services, such as ownCloud/Nextcloud integrations, as such services may not provide an email address.
Steps to reproduce
- Add an OAuth issuer who does not (reliably) provide email addresses for users, e.g. Nextcloud (provision a test instance from https://demo.nextcloud.com) based on step 1 at https://github.com/learnweb/moodle-repository_owncloud/tree/e4b1e4dcd050331b2bf109223f72a0940071d676#installation and the endpoints/field mappings from https://github.com/nextcloud/server/issues/5694#issuecomment-314790014.
- If you used Nextcloud/ownCloud in Step 1, please apply the (preliminary) patch from MDL-59512 [^0001-bad-patch-use-basic-auth-together-with-payload-based.patch] as those need basic auth.
- Connect a system account for the new service. Make sure that the remote account does not provide an email address (this is the default in ownCloud/Nextcloud).
- Refresh the access token for that service by running the \core\oauth2\refresh_system_tokens_task from $wwwroot/admin/tool/task/scheduledtasks.php.
Step 4 fails with the moodle_exception "Attempt to store refresh token for non-system user.".
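Added example, not part of the original report and not Moodle's code or the fix that was committed: a stand-alone sketch of an identity check on token refresh that tolerates issuers which return no email, yet still rejects a refresh when the remote account cannot be confirmed. The function names, the plain-array inputs and the `username` fallback field are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (PHP 7.1+), not Moodle code: trims a mapped userinfo
// value and treats missing, non-string or empty values as "not provided".
function normalise_field(string $field, $value): ?string {
    if (!is_string($value) || trim($value) === '') {
        return null;
    }
    // Compare email addresses case-insensitively; other identifiers verbatim.
    return $field === 'email' ? strtolower(trim($value)) : trim($value);
}

// Decides whether the userinfo fetched after a refresh still describes the
// account that was connected as the system account. $stored and $fresh are
// plain arrays of mapped fields (assumed keys: 'email', 'username').
function same_external_account(array $stored, array $fresh, array $fields = ['email', 'username']): bool {
    $compared = 0;
    foreach ($fields as $field) {
        // "??" avoids the "Undefined index: email" notice for issuers that omit the field.
        $old = normalise_field($field, $stored[$field] ?? null);
        $new = normalise_field($field, $fresh[$field] ?? null);
        if ($old === null && $new === null) {
            continue; // Never provided by this issuer: nothing to compare.
        }
        if ($old === null || $new === null || !hash_equals($old, $new)) {
            return false; // Changed, appeared or vanished: treat as another account.
        }
        $compared++;
    }
    // Fail closed: with no identifier in common, identity cannot be confirmed.
    return $compared > 0;
}

// Constructed sample data, modelled on an issuer that returns no email.
$stored = ['username' => 'moodle-system'];
$cases = [
    'same account, no email on either side' => ['username' => 'moodle-system'],
    'different remote user'                 => ['username' => 'alice', 'email' => 'alice@example.com'],
    'userinfo without any identifier'       => [],
];
foreach ($cases as $label => $fresh) {
    printf("%-40s %s\n", $label, same_external_account($stored, $fresh) ? 'accept' : 'reject');
}
```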
Issue Links
- has a non-specific relationship to MDL-59511 Can't connect a system account to OAuth 2 services that do not provide email in userinfo (Closed)