  1. Moodle
  2. MDL-65547

Enable logging into the mobile app via QR code in the web user profile


    • MOODLE_36_STABLE
    • MOODLE_39_STABLE
    • MDL-65547-master
      Prerequisite
      1. Moodle site configured to use https (e.g. using ngrok with $CFG->sslproxy set to true)
      2. Mobile device with a QR code reader app
      Automatic login via QR code as admin
      1. As an admin, enable "Mobile services": Site administration ► Mobile app ► Mobile settings
      2. Enable "QR code for automatic login" in the QR code access setting via Site admin > Mobile app -> Mobile authentication
      3. Go to your user profile via the top-right menu
      4. Check that in the Mobile app section you see a message indicating that "For security reasons login via QR code is not allowed to site administrators of if you are logged in as another user."
      5. Confirm that there is no button to view the QR code for automatic login.
      Automatic login via QR code as admin logging as another user
      1. Continuing as admin from the previous section, open the profile page of another user.
      2. Under "Administration", click "Log in as"
      3. Open the user menu and go to the user's profile.
      4. Confirm that you see the message "For security reasons login via QR code is not allowed to site administrators of if you are logged in as another user."
      5. Confirm that there is no button to view the QR code for automatic login.
      Automatic login via QR code as a non-admin user
      1. Now log in to the Moodle site with a non-admin user account.
      2. Go to the user profile page.
      3. Confirm that you can see the "View QR code" button in the "Mobile app" section of your profile page.
      4. Click the "View QR code" button and scan the QR code with a phone
      5. Copy the scanned text result somewhere on your computer.
      6. Open the console and execute this new curl request (let's call this "tool_mobile_get_tokens_for_qr_login"), replacing SITE_URL with your site URL, YOUR_QR_LOGIN_KEY with the value of the qrlogin parameter from the scanned text, and USERID with the id of the user the code was generated for.

        curl 'SITE_URL/lib/ajax/service.php' -A "MoodleMobile" --data-binary '[{"index":0,"methodname":"tool_mobile_get_tokens_for_qr_login","args":{"qrloginkey": "YOUR_QR_LOGIN_KEY", "userid": "USERID"}}]' | python -m "json.tool"
        

      7. Confirm that:
        • In the response for the curl request you see three fields: token, privatetoken and warnings
        • warnings is empty
        • token and privatetoken are not empty
      8. Open the console and execute this new curl request (let's call this "core_webservice_get_site_info"), replacing SITE_URL with your site URL and TOKEN with the value of the token field from the previous curl request.

        curl 'SITE_URL/webservice/rest/server.php?moodlewsrestformat=json' --data 'wsfunction=core_webservice_get_site_info&wstoken=TOKEN' | python -m "json.tool"
        

      9. Confirm that you see information about the site (site name, version) among other fields in the response.
      Test time limit
      1. Wait 11 minutes
      2. Execute the "tool_mobile_get_tokens_for_qr_login" CURL request
      3. Confirm that you see an expired token error
      Test with Automatic QR code login set, but site is in HTTP.
      1. With "QR code access" still set to "QR code with automatic login".
      2. Set your site to run on HTTP instead of HTTPS.
      3. Log in as a non-admin user and go to your profile page.
      4. Confirm that you don't see the "View QR code" button.
      Test QR codes with just the URL
      1. Log in as an admin and enable "QR code with the site address" in the QR code access setting via Site admin > Mobile app -> Mobile authentication.
      2. Now go to your user profile and check that you see the QR code without having to click on a "View QR code" button.
      3. Scan the QR code.
      4. Check that the text scanned is: "moodlemobile://YOUR_SITE_URL"

      It would be cool to simplify the way users can log in to a Moodle site via the app, using a similar approach to what WhatsApp does with WhatsApp Web.

      Overall idea would be:

      • If mobile services are enabled and this feature is not disabled (we'll add an option), in the user profile we generate a QR code for a URL that will auto-login the user in the app (the URL will have the user token)
      • Using the Moodle App (or a standard QR reader if the app is installed) the user will be able to scan the QR code to log-in

      Security questions:

      • Should the QR code be valid only for a certain time? (maybe the user left his session open in a shared computer)
      • Should we encode (encryption is not possible) the token/private token that will be part of the URL used to generate the QR code?
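
A minimal model of the key-exchange approach that the test plan above exercises, added here as an illustration and not taken from Moodle's code: the QR code carries a short-lived key rather than the token itself, and the key is exchanged for tokens only for the matching user, and is never issued over plain HTTP, to administrators or in "log in as" sessions. The class and method names and the 600-second lifetime are assumptions (the page only says the key has expired after 11 minutes).

```python
import hmac
import secrets
import time

QR_KEY_TTL = 600  # seconds; assumed from the "wait 11 minutes" expiry test


class QRLoginError(Exception):
    """Raised when a QR login key cannot be issued or redeemed."""


class QRLoginKeys:
    """Illustrative in-memory store of short-lived QR login keys."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._keys = {}  # userid -> (key, expiry timestamp)

    def issue(self, userid, *, is_admin, logged_in_as, https):
        # Mirror the refusals the test plan checks for on the profile page.
        if not https:
            raise QRLoginError("site must use HTTPS")
        if is_admin or logged_in_as:
            raise QRLoginError("not allowed for admins or 'log in as' sessions")
        key = secrets.token_urlsafe(32)
        self._keys[userid] = (key, self._clock() + QR_KEY_TTL)
        return key

    def redeem(self, userid, presented_key):
        stored = self._keys.get(userid)
        if stored is None:
            raise QRLoginError("invalid key")
        key, expires = stored
        # Constant-time comparison so timing does not leak how much matched.
        if not hmac.compare_digest(key.encode(), presented_key.encode()):
            raise QRLoginError("invalid key")
        if self._clock() > expires:
            del self._keys[userid]
            raise QRLoginError("expired key")
        # Random stand-ins for the web service token and private token.
        return {"token": secrets.token_hex(16),
                "privatetoken": secrets.token_hex(32),
                "warnings": []}
```

Because the key in the QR code is only a reference, a photographed or leaked code stops being useful once the lifetime passes, which is the property the "Test time limit" scenario checks.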

            jleyva Juan Leyva
            jleyva Juan Leyva
            Pau Ferrer Pau Ferrer
            Jun Pataleta Jun Pataleta
            Anna Carissa Sadia Anna Carissa Sadia