Bug
Resolution: Fixed
Major
3.10, 3.11, 4.0
MOODLE_310_STABLE, MOODLE_311_STABLE, MOODLE_400_STABLE
MOODLE_310_STABLE
MDL-70430-master-oauth2refreshtoken
When a system account is successfully connected via core\oauth2\api::connect_system_account(), it receives a refresh token that is stored in the oauth2_system_account table.
This refresh token is supposed to be used to get a fresh access token. The OAuth2 client is supposed to POST to the token endpoint and provide the stored value of the refresh token. As a response, it receives a new access token and a new refresh token. The client is expected to store this new refresh token and use it next time to get a new access token.
While working on MDLSITE-6037 I discovered that this exchange mechanism does not work in Moodle 3.10. That issue is about integrating Xero.com with Moodle. Xero uses common short-lived access tokens that expire after 30 minutes, and long-lived refresh tokens that expire after 60 days or once they are used, whichever comes first.
But I started to get "Could not upgrade oauth token" due to an "invalid grant" response from Xero, and the system account stopped working unless it was re-authorised manually by the user via the common OAuth2 authorisation flow.
It took me a while to debug this and the reason is actually simple. There is a typo in the code - a missing underscore.
The method client::exchange_refresh_token() returns an array with both tokens - access_token and refresh_token.
But the caller client::upgrade_refresh_token() then checked if there is refreshtoken returned, not refresh_token. As a result, the new refresh token is never updated.
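
The failure mode described above, reproduced as an added, self-contained PHP 8 simulation (not Moodle's code and not part of the original report). The class names, token values and the rotating endpoint are constructed for illustration; only the two array keys come from the report.

```php
<?php
// Added illustration: all names below are hypothetical, not Moodle's classes.

// Constructed token endpoint that rotates refresh tokens: each one is single-use.
class RotatingTokenEndpoint {
    private string $valid = 'rt-0';
    private int $n = 0;

    public function refresh(string $refreshtoken): array {
        if (!hash_equals($this->valid, $refreshtoken)) {
            return ['error' => 'invalid_grant'];
        }
        $this->n++;
        $this->valid = "rt-{$this->n}";   // The previous refresh token is now dead.
        return ['access_token' => "at-{$this->n}", 'refresh_token' => $this->valid];
    }
}

// Stand-in for the stored system account; $key is the array key the caller checks.
class SystemAccount {
    public string $stored = 'rt-0';

    public function __construct(private RotatingTokenEndpoint $endpoint, private string $key) {}

    public function upgrade(): string {
        $response = $this->endpoint->refresh($this->stored);
        if (isset($response['error'])) {
            return 'failed: ' . $response['error'];
        }
        // With the wrong key this branch is silently skipped and the old token is kept.
        if (!empty($response[$this->key])) {
            $this->stored = $response[$this->key];
        }
        return 'ok: ' . $response['access_token'];
    }
}

// Run three consecutive refreshes with the mistyped key, then with the correct one.
foreach (['refreshtoken' => 'typo', 'refresh_token' => 'fixed'] as $key => $label) {
    $account = new SystemAccount(new RotatingTokenEndpoint(), $key);
    $results = [$account->upgrade(), $account->upgrade(), $account->upgrade()];
    printf("%-5s %s | stored=%s\n", $label, implode(', ', $results), $account->stored);
}
```

The first refresh succeeds in both runs, so the fault only surfaces at the second exchange, once the provider has already invalidated the token that is still stored.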
- blocks: MDLSITE-6037 Xero integration library has been deprecated (Resolved)
- has been marked as being related by: MDL-70282 Improve OAuth 2 exception information (Closed)
- is a regression caused by: MDL-59510 Keep OAuth 2 connections alive across users' sessions (Closed)