Some user field mappings ignored when creating a new user via OAuth 2

My case

I have OAuth 2 custom service set up with the following user field mappings:

Creation of Moodle account on authentication via OAuth 2 is allowed.

The problem is that idnumber and institution fields are not filled for new users, but userinfo endpoint responds with correct values for these fields.

The bug

I've looked through Moodle code and found out that only few fields of those we can map are saved.

Let's start from \auth_oauth2\auth::complete_login function. It's called after the user is redirected to oauth2callback.php and authorization code is upgraded to access token.

First, it calls $client->get_userinfo which returns an array (key = internal field name, value = field value from userinfo endpoint response). Mapping is done correctly there. In my case I see idnumber and institution keys with expected values.

Later, depending on 'Require e-mail confirmation' option, one of two functions called:

• \auth_oauth2\api::create_new_confirmed_account;
• \auth_oauth2\api::send_confirm_account_email.

Both has the same code which creates the user.

$user = new stdClass();

$user->username = $userinfo['username'];

$user->email = $userinfo['email'];

$user->auth = 'oauth2';

$user->mnethostid = $CFG->mnet_localhost_id;

$user->lastname = isset($userinfo['lastname']) ? $userinfo['lastname'] : '';

$user->firstname = isset($userinfo['firstname']) ? $userinfo['firstname'] : '';

$user->url = isset($userinfo['url']) ? $userinfo['url'] : '';

$user->alternatename = isset($userinfo['alternatename']) ? $userinfo['alternatename'] : '';

$user->secret = random_string(15);

$user->password = '';

// This user is not confirmed.

$user->confirmed = 0;

$user->id = user_create_user($user, false, true);

After that linked account record is created and only user picture could be updated later.

This explains why some fields are not saved after OAuth login.