Moodle / MDL-70430

OAuth2 system account's refresh token does not get updated due to a typo


    • MOODLE_310_STABLE, MOODLE_311_STABLE, MOODLE_400_STABLE
    • MOODLE_310_STABLE
    • MDL-70430-master-oauth2refreshtoken

      Note

      The fix is so obvious that I don't actually think it is worth testing. In case you insist, here it goes.

      Testing requirements

      • Moodle site running on HTTPS
      • Account at some of the supported OAuth2 providers (Google, Facebook, Microsoft)
      • Direct SQL database access and ability to run queries there

      Steps to reproduce and/or test the fix

      1. Log in as admin
      2. Go to > Site administration > Server > OAuth 2 services
      3. Create a new OAuth2 service of your choice (e.g. Google) using the documented instructions
      4. Connect a system (service) account.
      5. Check and note the value of the refreshtoken field in the oauth2_system_account
      6. Delete the access token from the oauth2_access_token table
      7. Execute the scheduled task core\oauth2\refresh_system_tokens_task
      8. TEST - Check the value of the refreshtoken field in the oauth2_system_account and make sure it has been updated

      When a system account is successfully connected via core\oauth2\api::connect_system_account(), it receives a refresh token that is stored in the oauth2_system_account table.

      This refresh token is supposed to be used to get a fresh access token. The OAuth2 client is supposed to POST to the token endpoint and provide the stored value of the refresh token. As a response, it receives a new access token and a new refresh token. The client is expected to store this new refresh token and use it next time to get a new access token.

      While working on MDLSITE-6037 I discovered that this exchange mechanism does not work in Moodle 3.10. That issue is about integrating Xero.com with Moodle. Xero uses common short-lived access tokens that expire after 30 minutes, and long-lived refresh tokens that expire after 60 days or once they are used, whichever comes first.

      But I started to get "Could not upgrade oauth token" due to an "invalid grant" response from Xero, and the system account stopped working unless it was re-authorised manually by the user via the common OAuth2 authorisation flow.

      It took me a while to debug this and the reason is actually simple. There is a typo in the code: a missing underscore.

      The method client::exchange_refresh_token() returns an array with both tokens - access_token and refresh_token.

      But the caller client::upgrade_refresh_token() then checked if there is refreshtoken returned, not refresh_token. As a result, the new refresh token is never updated.
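The failure mode described above, as an added example (PHP 8, not Moodle's own code): a constructed provider with single-use refresh tokens and a stand-in for the system account whose upgrade step checks either the mistyped key `refreshtoken` or the correct `refresh_token`. The class names `RotatingProvider` and `SystemAccount` and all token values are hypothetical.

```php
<?php
// Constructed model, not Moodle code: a provider that rotates refresh tokens
// and a client whose storage step checks a configurable response key.

/** Provider with single-use refresh tokens (the behaviour the issue describes for Xero). */
final class RotatingProvider {
    private string $valid = 'rt-0';
    private int $n = 0;

    /** Token endpoint for grant_type=refresh_token. */
    public function token(string $refreshtoken): array {
        if (!hash_equals($this->valid, $refreshtoken)) {
            return ['error' => 'invalid_grant'];   // spent or unknown token
        }
        $this->n++;
        $this->valid = 'rt-' . $this->n;           // the old token is now dead
        return ['access_token' => 'at-' . $this->n, 'refresh_token' => $this->valid];
    }
}

/** Stand-in for the oauth2_system_account row and the upgrade step. */
final class SystemAccount {
    public string $refreshtoken = 'rt-0';          // value stored at connect time

    public function __construct(private RotatingProvider $idp, private string $key) {}

    /** Returns the new access token, or null when the provider rejects the grant. */
    public function upgrade(): ?string {
        $r = $this->idp->token($this->refreshtoken);
        if (isset($r['error'])) {
            return null;
        }
        if (isset($r[$this->key])) {               // the typo lived in this key name
            $this->refreshtoken = $r[$this->key];  // persist the rotated token
        }
        return $r['access_token'];
    }
}

// Run two consecutive upgrades with the mistyped key, then with the fixed key.
foreach (['refreshtoken' => 'typo', 'refresh_token' => 'fixed'] as $key => $label) {
    $acct = new SystemAccount(new RotatingProvider(), $key);
    $first = $acct->upgrade();
    $second = $acct->upgrade();
    printf("%-5s first=%s second=%s stored=%s\n",
        $label, $first, $second ?? 'invalid_grant', $acct->refreshtoken);
}
```

With the mistyped key the first upgrade succeeds and hides the defect; only the second one fails, because the stored token was already spent.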

            David Mudrák (@mudrd8mz)
            Jake Dallimore
            Eloy Lafuente (stronk7)