Moodle / MDL-70430

OAuth2 system account's refresh token does not get updated due to a typo

    Details

    • Testing Instructions:

      Note

      The fix is so obvious that I don't actually think it is worth testing. In case you insist, here it goes.

      Testing requirements

      • Moodle site running on HTTPS
      • Account at some of the supported OAuth2 providers (Google, Facebook, Microsoft)
      • Direct SQL database access and ability to run queries there

      Steps to reproduce and/or test the fix

      1. Log in as admin
      2. Go to Site administration > Server > OAuth 2 services
      3. Create a new OAuth2 service of your choice (e.g. Google) using the documented instructions
      4. Connect a system (service) account.
      5. Check and note the value of the refreshtoken field in the oauth2_system_account table
      6. Delete the access token from the oauth2_access_token table
      7. Execute the scheduled task core\oauth2\refresh_system_tokens_task
      8. TEST - Check the value of the refreshtoken field in the oauth2_system_account table and make sure it has been updated
    • Affected Branches:
      MOODLE_310_STABLE, MOODLE_311_STABLE, MOODLE_400_STABLE
    • Fixed Branches:
      MOODLE_310_STABLE
    • Pull from Repository:
    • Pull 3.10 Branch:
      MDL-70430-310-oauth2refreshtoken
    • Pull 3.11 Branch:
      MDL-70430-311-oauth2refreshtoken
    • Pull Master Branch:
      MDL-70430-master-oauth2refreshtoken

      Description

      When a system account is successfully connected via core\oauth2\api::connect_system_account(), it receives a refresh token that is stored in the oauth2_system_account table.

      This refresh token is supposed to be used to get a fresh access token. The OAuth2 client is supposed to POST to the token endpoint and provide the stored value of the refresh token. As a response, it receives a new access token and a new refresh token. The client is expected to store this new refresh token and use it next time to get a new access token.

      While working on MDLSITE-6037 I discovered that this exchange mechanism does not work in Moodle 3.10. That issue is about integrating Xero.com with Moodle. Xero uses common short-lived access tokens that expire after 30 minutes, and long-lived refresh tokens that expire after 60 days or once they are used, whichever comes first.

      But I started to get "Could not upgrade oauth token" due to an "invalid grant" response from Xero, and the system account stopped working unless it was re-authorised manually by the user via the common OAuth2 authorisation flow.

      It took me a while to debug this and the reason is actually simple. There is a typo in the code - a missing underscore.

      The method client::exchange_refresh_token() returns an array with both tokens - access_token and refresh_token.

      But the caller client::upgrade_refresh_token() then checked if there is refreshtoken returned, not refresh_token. As a result, the new refresh token is never updated.
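
The failure mode described above, as an added example that is not Moodle's code or part of the original report: a constructed provider that rotates single-use refresh tokens, and a hypothetical client that looks for the new token under a configurable response key. With the misspelled key the first refresh succeeds, the rotated token is silently discarded, and every later refresh is rejected with `invalid_grant`. The class, function and token names are assumptions made for illustration.

```php
<?php
// Constructed stand-in for a provider that rotates refresh tokens (single use).
class rotating_provider {
    private string $valid = 'rt-0';
    private int $issued = 0;

    public function token_endpoint(string $refreshtoken): array {
        if (!hash_equals($this->valid, $refreshtoken)) {
            return ['error' => 'invalid_grant'];
        }
        $this->issued++;
        $this->valid = "rt-{$this->issued}"; // The presented token is now spent.
        return [
            'access_token' => "at-{$this->issued}",
            'refresh_token' => $this->valid,
        ];
    }
}

// Hypothetical client step; $key is the response key it reads the new token from.
function upgrade(rotating_provider $idp, array &$account, string $key): bool {
    $response = $idp->token_endpoint($account['refreshtoken']);
    if (isset($response['error'])) {
        return false; // Only a manual re-authorisation can recover from here.
    }
    // isset() on a missing key is simply false: no notice, no exception.
    if (isset($response[$key])) {
        $account['refreshtoken'] = $response[$key]; // Persist the rotated token.
    }
    return true;
}

// Run several consecutive refresh cycles against a fresh provider.
function run_cycles(string $key, int $cycles): array {
    $idp = new rotating_provider();
    $account = ['refreshtoken' => 'rt-0']; // Stored when the account was connected.
    $results = [];
    for ($i = 0; $i < $cycles; $i++) {
        $results[] = upgrade($idp, $account, $key);
    }
    return $results;
}

echo json_encode(run_cycles('refreshtoken', 3)), PHP_EOL;  // misspelled key, as in the report
echo json_encode(run_cycles('refresh_token', 3)), PHP_EOL; // key the token endpoint actually returns
```

Because the first cycle still succeeds, a single refresh is not enough to catch this class of bug; a regression test needs at least two consecutive refreshes against a provider that invalidates used refresh tokens.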

              People

              Assignee:
              David Mudrák (@mudrd8mz)
              Reporter:
              David Mudrák (@mudrd8mz)
              Peer reviewer:
              Jake Dallimore
              Integrator:
              Eloy Lafuente (stronk7)
              Tester:
              Eloy Lafuente (stronk7)
              Participants:
              Component watchers:
              Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski, Peter Dias, Sujith Haridasan, Amaia Anabitarte, Carlos Escobedo, Ferran Recio, Ilya Tregubov, Sara Arjona (@sarjona)
              Votes:
              0
              Watchers:
              3

                Dates

                Created:
                Updated:
                Resolved:
                Fix Release Date:
                18/Jan/21

                  Time Tracking

                  Estimated:
                  Not Specified
                  Remaining:
                  0m
                  Logged:
                  5h 50m