  1. Moodle
  2. MDL-61383

Comply to standards to allow interoperability, e.g. for Apps


    Details

    • Type: Improvement
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 3.5
    • Fix Version/s: None
    • Component/s: Authentication
    • Affected Branches:
      MOODLE_35_STABLE

      Description

      Overview
       
          Project size: medium
          Audience: all
          Target users: all
       
      Moodle incompletely incorporates OAuth2 Standards. For example, it does not allow for more than one key. Then, keys are not stored in a correctly encrypted way.
      In that way, as of today it is not possible to develop or integrate apps which use actual standards being able to connect to Moodle. Only "Moodle Mobile" and "Moodle Desktop" apps can connect. This is a lack of functionality and standard compliance.
      Another example, which isn't the topic of this issue, is QTI standards, xAPI could do better, too.
       
      Goals
       
      To enable third applications to use OAuth2 authentication standards and thus allow things like single sign-on from an app to another.
       
      User Stories 
       
      As a student, I should be able to open a flash card app on my phone. This app then authenticates with my associated Moodle and fetches the cards my teachers prepared for me.
       
      Tracker issues
      https://tracker.moodle.org/browse/MDL-59419 Have Moodle support OAuth2 Key Encryption standards
       
      Requirements
       
      Implement and comply with those OAuth2 standards:
       

      • RFC-2617: The Basic HTTP Authorization Scheme
      • RFC-6749: The OAuth 2.0 Authorization Framework
      • RFC-7009: OAuth2 Token Revocation
      • RFC-7516: JSON Web Encryption (JWE)
      • RFC-7517: JSON Web Key (JWK)
      • RFC-7518: JSON Web Algorithms (JWA)
      • RFC-7519: JSON Web Tokens (JWT)
      • RFC-7521: Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants
      • RFC-7523: JSON Web-Tokens (JWT) for OAuth 2.0 Client Authentication and Authorization Grants
      • RFC-7797: JSON Web Signature
      • RFC-7800: Proof-of-Possession Key for JWT


            People

            • Assignee:
              Unassigned
              Reporter:
              lucaboesch Luca Bösch
              Participants:
              Component watchers:
              Jake Dallimore, Jun Pataleta, Ryan Wyllie
            • Votes:
              1
              Watchers:
              7
