Details
-
Improvement
-
Resolution: Unresolved
-
Minor
-
None
-
3.5
-
MOODLE_35_STABLE
Description
Overview
Project size: medium
Audience: all
Target users: all
Moodle incompletely incorportates OAuth2 Standards. For example, it does not allow for more than one key. Then, keys are not stored in an correctly encrypted way.
In that way, as of today it is not possible to develop or integrate apps which use actual standards being able to connect to Moodle. Only "Moodle Mobile" and "Moodle Desktop" apps can connect. This is a lack of functionality and standard compliance.
Another example, which isn't the topic of this issue, is QTI standards, xAPI could do better, too.
Goals
To enable third applications to use OAuth2 authentication standards and thus allow things like single sign-on from an app to another.
User Stories
As a student, I should be able to open an flash card app on my phone. This app then authenticates with my associated Moodle and fetches the cards my teachers prepared for me.
Tracker issues
https://tracker.moodle.org/browse/MDL-59419 Have Moodle support OAuth2 Key Encryption standards
Requirements
Implement and comply to those OAuth2 standards:
- RFC-2617: The Basic HTTP Authorization Scheme
- RFC-6749: The OAuth 2.0 Authorization Framework
- RFC-7009: OAuth2 Token Revocation
- RFC-7516: JSON Web Encryption (JWE)
- RFC-7517: JSON Web Key (JWK)
- RFC-7518: JSON Web Algorithms (JWA)
- RFC-7519: JSON Web Tokens (JWT)
- RFC-7521: Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants
- RFC-7523: JSON Web-Tokens (JWT) for OAuth 2.0 Client Authentication and Authorization Grants
- RFC-7797: JSON Web Signature
- RFC-7800: Proof-of-Possession Key for JWT