MDL-59889

Can't refresh authorisations of OAuth 2 system accounts at services that do not provide email in userinfo


    Details

    • Testing Instructions:

      (Anti-)Regression test

      1. Add a Google OAuth issuer
      2. Connect a system account for the new service.
      3. Refresh the access token for that service by running the \core\oauth2\refresh_system_tokens_task from $wwwroot/admin/tool/task/scheduledtasks.php. This should still succeed.

       

    • Affected Branches:
      MOODLE_33_STABLE, MOODLE_34_STABLE
    • Fixed Branches:
      MOODLE_33_STABLE
    • Pull Master Branch:
      MDL-59889-master

      Description

      Not really a regression of MDL-59511, but I discovered something that just couldn't happen before:

      When authorisation of a system account is renewed by means of a refresh token, it compares the former external user's email address to that of the "new" (i.e. re-authenticated) external user, cf. https://github.com/moodle/moodle/blob/27466d7548de99cbb050027acc3e809ce49ad2e9/lib/classes/oauth2/client.php#L220.

      Some services do not provide an email address, such as ownCloud and Nextcloud. If that happens, a PHP notice ("Undefined index: email") is raised.

      Existing pre-defined services all provide an email, so this won't happen to them. Therefore it is not an actual regression. This just concerns third-party plugins using other services, such as ownCloud/Nextcloud integrations, as such services may not provide an email address.

       

      Steps to reproduce

      1. Add an OAuth issuer who does not (reliably) provide email addresses for users, e.g. Nextcloud (provision a test instance from https://demo.nextcloud.com) based on step 1 at https://github.com/learnweb/moodle-repository_owncloud/tree/e4b1e4dcd050331b2bf109223f72a0940071d676#installation and the endpoints/field mappings from https://github.com/nextcloud/server/issues/5694#issuecomment-314790014.
      2. If you used Nextcloud/ownCloud in Step 1, please apply the (preliminary) patch from MDL-59512 (attachment: 0001-bad-patch-use-basic-auth-together-with-payload-based.patch), as those need basic auth.
      3. Connect a system account for the new service. Make sure that the remote account does not provide an email address (this is the default in ownCloud/Nextcloud).
      4. Refresh the access token for that service by running the \core\oauth2\refresh_system_tokens_task from $wwwroot/admin/tool/task/scheduledtasks.php.

      Step 4 fails with the moodle_exception "Attempt to store refresh token for non-system user.".
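The following is an added illustration, not Moodle's own code and not the fix for this issue. It shows the kind of naive `$userinfo['email']` comparison the description points at, why it misbehaves when the provider returns no email, and a fail-closed alternative that compares on whichever identifier both records actually carry. The function names, the field preference list (`email`, `username`, `idnumber`) and the sample records are assumptions constructed for this example; Moodle's real field mapping may differ.

```php
<?php
// Added illustration, not Moodle's own code. Shows why comparing
// $userinfo['email'] breaks when the provider returns no email, and one
// fail-closed way to compare identities instead.
declare(strict_types=1);

/**
 * Naive check, modelled on the behaviour the report describes: it assumes
 * 'email' is always present. If the provider omitted it, PHP raises
 * "Undefined index: email" (PHP 7) / "Undefined array key" (PHP 8), the
 * comparison is made against null, and the refresh is rejected.
 */
function same_user_naive(array $stored, array $userinfo): bool
{
    return $stored['email'] === $userinfo['email'];
}

/**
 * Hardened check: walk a fixed preference list of identifiers (assumed field
 * names) and decide on the first one that BOTH records carry. If no shared
 * identifier exists, refuse the match: a refresh token must never be bound to
 * the system account on the strength of "nothing disagreed".
 */
function same_user_hardened(array $stored, array $userinfo): bool
{
    foreach (['email', 'username', 'idnumber'] as $field) {
        $old = trim((string) ($stored[$field] ?? ''));
        $new = trim((string) ($userinfo[$field] ?? ''));
        if ($old !== '' && $new !== '') {
            return $old === $new;   // decide on the first identifier present on both sides
        }
    }
    return false;                   // nothing comparable: fail closed
}

// Constructed sample data: a Nextcloud-style userinfo record with no email,
// and a stored system account whose email field is empty too.
$stored    = ['username' => 'moodle-system', 'email' => ''];
$refreshed = ['username' => 'moodle-system'];

// Surface the notice the report mentions instead of letting it scroll by.
set_error_handler(function (int $errno, string $errstr): bool {
    echo "naive check raised: $errstr\n";
    return true;
});
$naive = same_user_naive($stored, $refreshed);
restore_error_handler();
echo 'naive result: ', var_export($naive, true), "\n";

echo 'hardened, same user:      ', var_export(same_user_hardened($stored, $refreshed), true), "\n";
echo 'hardened, different user: ', var_export(same_user_hardened($stored, ['username' => 'intruder']), true), "\n";
echo 'hardened, no identifiers: ', var_export(same_user_hardened(['username' => 'x'], []), true), "\n";
```

Run with `php example.php`. The point of the hardened variant is that an absent email is neither a match nor a crash: with email empty on both sides (the ownCloud/Nextcloud default) it falls through to `username`, and with no identifier in common it returns false. Treating "no email to compare" as a successful match would be worse than the current failure, since the email check is exactly what stops a refresh token belonging to some other remote user from being stored under the system account, which is the condition the "Attempt to store refresh token for non-system user." exception in Step 4 guards against.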


                Dates

                • Fix Release Date: 13/Nov/17