Moodle / MDL-71612

OAuth 2 "Login only" feature broke persistent sessions for certain repositories


    • Bug
    • Resolution: Fixed
    • Major
    • 3.11
    • 3.11
    • Authentication
    • MOODLE_311_STABLE
    • MOODLE_311_STABLE
    • MDL-71612-master

      Verify persistent sessions

      1. Set up Google as a new OAuth2 service, with "This service will be used" set to "Internal Services Only".
      2. Verify you see the following 4 form fields:
        • "Scopes included in a login request."
        • "Scopes included in a login request for offline access."
        • "Additional parameters included in a login request."
        • "Additional parameters included in a login request for offline access."
      3. Set up Google Drive repo - linking to the service you just created.
      4. Go to private files, and log into the Google Drive repo
      5. Log out of Moodle
      6. Log back in to Moodle
      7. Go to private files > Google Drive Repo
      8. Verify you are signed in to Google Drive repo automatically and that you can view your files.

      Verify form hideIfs

      1. Go back to the admin > OAuth 2 page
      2. Click to configure a new Google service.
      3. Set "This service will be used" to "Login page only"
      4. Verify you see two extra form fields displayed
      5. Set "This service will be used" to "Login page and internal services"
      6. Verify the two extra form fields are still displayed

      This is a regression caused by MDL-71017, which peterdias just discovered while working on a Dropbox service (API update). Good pickup, Pete!

      Basically, after 71017 landed, we now have a select menu and can pick the "usage" type for the service. Selecting "Internal services only" removes form elements from the service configuration form. Removal of the "Additional parameters included in a login request for offline access" field from the form is not ideal, since this contains params needed to request refresh tokens to facilitate persistent sessions in various repositories (Nextcloud, Google to name a few). Why this was removed, I don't know.

      We need to be able to set these params (or in the case of Google, allow the defaults to be used and saved) for services marked "Internal services only", so that refresh tokens can be requested and returned when users log in to their repository instances (Google Drive for example). Then, the refresh tokens can be subsequently exchanged for new access tokens allowing seamless access across Moodle sessions (until revoked by the user). This worked fine in 3.10.

      To replicate:

      1. Set up Google as a new OAuth2 client, with "This service will be used" set to "Internal Services Only".
      2. Set up Google Drive repo - linking to the service you just created.
      3. Go to private files, and log into the Google Drive repo
      4. Log out of Moodle
      5. Log back in to Moodle
      6. Go to private files > Google Drive Repo
        Actual: Notice you need to log in again
        Expected: You are logged in automatically

      Marking as must fix
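The mechanism behind this report, as an added example that is not Moodle's code: it builds the repository login request from a service's offline-access fields and shows that an empty "additional parameters for offline access" value means no refresh token is requested, so nothing can be exchanged in a later session. The dictionary keys (`offline_params`, `offline_scopes`), the sample services and the callback URL are assumptions made for illustration; `access_type=offline` and `prompt=consent` are Google's documented authorization parameters.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit

# Google's documented authorization endpoint.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"

def build_login_url(service, redirect_uri, state):
    """Authorization request for a repository login (offline-access variant)."""
    query = {
        "response_type": "code",
        "client_id": service["client_id"],
        "redirect_uri": redirect_uri,
        "state": state,
        "scope": service["offline_scopes"],
    }
    # The "additional parameters ... for offline access" value is a query
    # string; an empty value adds nothing to the request.
    query.update(parse_qsl(service.get("offline_params") or ""))
    return AUTH_ENDPOINT + "?" + urlencode(query)

def requests_refresh_token(login_url):
    """Google issues a refresh token only when access_type=offline is sent."""
    sent = dict(parse_qsl(urlsplit(login_url).query))
    return sent.get("access_type") == "offline"

def refresh_grant(service, refresh_token):
    """RFC 6749 section 6 body: trade a stored refresh token for a new access token."""
    if not refresh_token:
        raise ValueError("no refresh token stored: user must log in to the repository again")
    return {
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": service["client_id"],
        "client_secret": service["client_secret"],
    }

# Constructed sample configurations with placeholder credentials.
BASE = {"client_id": "example-client-id", "client_secret": "example-secret",
        "offline_scopes": "openid profile email"}
REGRESSED = dict(BASE, offline_params="")  # field absent from the form, nothing saved
FIXED = dict(BASE, offline_params="access_type=offline&prompt=consent")

if __name__ == "__main__":
    for name, svc in (("regressed", REGRESSED), ("fixed", FIXED)):
        url = build_login_url(svc, "https://moodle.example/callback", "s1")
        print(name, "requests refresh token:", requests_refresh_token(url))
```
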

            jaked Jake Dallimore
            Peter Dias
            Jun Pataleta
            Ilya Tregubov