  1. Moodle
  2. MDL-64555

Some user field mappings ignored when creating a new user via OAuth 2


    • Bug
    • Resolution: Duplicate
    • Minor
    • None
    • 3.6.1
    • Authentication

      My case

      I have OAuth 2 custom service set up with the following user field mappings:


      External field name    Internal field name
      given_name             firstname
      middle_name            middlename
      family_name            lastname
      email                  email
      userid                 idnumber
      schoolname             institution



      Creation of a Moodle account on authentication via OAuth 2 is allowed.

      The problem is that the idnumber and institution fields are not filled for new users, but the userinfo endpoint responds with correct values for these fields.


      The bug

      I've looked through the Moodle code and found out that only a few of the fields we can map are saved.


      Let's start from the \auth_oauth2\auth::complete_login function. It's called after the user is redirected to oauth2callback.php and the authorization code is upgraded to an access token.

      First, it calls $client->get_userinfo which returns an array (key = internal field name, value = field value from userinfo endpoint response). Mapping is done correctly there. In my case I see idnumber and institution keys with expected values.


      Later, depending on the 'Require e-mail confirmation' option, one of two functions is called:

      • \auth_oauth2\api::create_new_confirmed_account;
      • \auth_oauth2\api::send_confirm_account_email.


      Both have the same code, which creates the user.

      $user = new stdClass();
      $user->username = $userinfo['username'];
      $user->email = $userinfo['email'];
      $user->auth = 'oauth2';
      $user->mnethostid = $CFG->mnet_localhost_id;
      $user->lastname = isset($userinfo['lastname']) ? $userinfo['lastname'] : '';
      $user->firstname = isset($userinfo['firstname']) ? $userinfo['firstname'] : '';
      $user->url = isset($userinfo['url']) ? $userinfo['url'] : '';
      $user->alternatename = isset($userinfo['alternatename']) ? $userinfo['alternatename'] : '';
      $user->secret = random_string(15);
      $user->password = '';
      // This user is not confirmed.
      $user->confirmed = 0;
      $user->id = user_create_user($user, false, true);

      After that, a linked account record is created, and only the user picture could be updated later.


      This explains why some fields are not saved after OAuth login.

            Unassigned Unassigned
            nixo Nikita Kalinin
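
The behaviour described in the report, as an added stand-alone example (not Moodle code and not the project's fix): `build_user_fixed` mirrors the fixed field list quoted above, and `build_user_mapped` copies every mapped field from an allowlist so that identity-provider claims cannot reach account-state columns. The function names, the `MAPPABLE_FIELDS` list and the sample values are assumptions made for this illustration.

```php
<?php
// Added illustration; it does not call any Moodle API.

// Hypothetical allowlist of profile fields an identity provider may populate.
// Account-state columns (auth, confirmed, password, ...) are deliberately absent.
const MAPPABLE_FIELDS = ['firstname', 'middlename', 'lastname', 'url',
    'alternatename', 'idnumber', 'institution'];

// Mirrors the fixed field list from the snippet quoted in the report.
function build_user_fixed(array $userinfo): stdClass {
    $user = new stdClass();
    $user->username = $userinfo['username'];
    $user->email = $userinfo['email'];
    $user->auth = 'oauth2';
    foreach (['lastname', 'firstname', 'url', 'alternatename'] as $field) {
        $user->$field = isset($userinfo[$field]) ? $userinfo[$field] : '';
    }
    $user->confirmed = 0;
    return $user;
}

// Copies every allowlisted mapped field; any other key from the IdP is ignored.
function build_user_mapped(array $userinfo): stdClass {
    $user = build_user_fixed($userinfo);
    foreach (MAPPABLE_FIELDS as $field) {
        if (isset($userinfo[$field]) && is_scalar($userinfo[$field])) {
            $user->$field = trim((string) $userinfo[$field]);
        }
    }
    return $user;
}

// Constructed sample: a mapped array of the shape the report describes for
// get_userinfo, plus a 'confirmed' key that a bad mapping could introduce.
$userinfo = [
    'username' => 'jdoe', 'email' => 'jdoe@example.test',
    'firstname' => 'Jane', 'middlename' => 'Q', 'lastname' => 'Doe',
    'idnumber' => 'S-1001', 'institution' => 'Example School',
    'confirmed' => 1,
];

// Compare which properties each builder kept.
foreach (['fixed' => build_user_fixed($userinfo),
          'mapped' => build_user_mapped($userinfo)] as $label => $user) {
    echo $label, ': ', json_encode(get_object_vars($user)), PHP_EOL;
}
```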