  1. Moodle
  2. MDL-71612

OAuth 2 "Login only" feature broke persistent sessions for certain repositories

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • 3.11
    • 3.11
    • Authentication
    • MOODLE_311_STABLE
    • MOODLE_311_STABLE
    • MDL-71612-311
    • MDL-71612-master

      Verify persistent sessions

      1. Set up Google as a new OAuth2 service, with "This service will be used" set to "Internal Services Only".
      2. Verify you see the following 4 form fields:
        • "Scopes included in a login request."
        • "Scopes included in a login request for offline access."
        • "Additional parameters included in a login request."
        • "Additional parameters included in a login request for offline access."
      3. Set up Google Drive repo - linking to the service you just created.
      4. Go to private files, and log into the Google Drive repo
      5. Log out of Moodle
      6. Log back in to Moodle
      7. Go to private files > Google Drive Repo
      8. Verify you are signed in to Google Drive repo automatically and that you can view your files.

      Verify form hideIfs

      1. Go back to the admin > OAuth 2 page
      2. Click to configure a new Google service.
      3. Set "This service will be used" to "Login page only"
      4. Verify you see two extra form fields displayed
      5. Set "This service will be used" to "Login page and internal services"
      6. Verify the two extra form fields are still displayed

    Description

      This is a regression caused by MDL-71017, which peterdias just discovered while working on a dropbox service (API update). Good pickup, Pete!

      Basically, after 71017 landed, we now have a select menu and can pick the "usage" type for the service. Selecting "Internal services only" removes form elements from the service configuration form. Removal of the "Additional parameters included in a login request for offline access" field from the form is not ideal, since this contains params needed to request refresh tokens to facilitate persistent sessions in various repositories (Nextcloud, Google to name a few). Why this was removed, I don't know.

      We need to be able to set these params (or in the case of Google, allow the defaults to be used and saved) for services marked "Internal services only", so that refresh tokens can be requested and returned when users log in to their repository instances (Google Drive for example). Then, the refresh tokens can be subsequently exchanged for new access tokens, allowing seamless access across Moodle sessions (until revoked by the user). This worked fine in 3.10.

      To replicate:

      1. Set up Google as a new OAuth2 client, with "This service will be used" set to "Internal Services Only".
      2. Set up Google Drive repo - linking to the service you just created.
      3. Go to private files, and log into the Google Drive repo
      4. Log out of Moodle
      5. Log back in to Moodle
      6. Go to private files > Google Drive Repo
        Actual: Notice you need to log in again
        Expected: You are logged in automatically

      Marking as must fix
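
The refresh-token dependency described in this report, as an added example that is not Moodle's code and not part of the original ticket: it builds the offline authorization request from an issuer record and flags internal-service issuers whose saved configuration can never yield a refresh token. The issuer key names, the `usage` values, the redirect URI and the simulated provider are assumptions; the offline values are Google's documented `access_type=offline` and `prompt=consent` parameters.

```python
from urllib.parse import parse_qs, parse_qsl, urlencode, urlsplit

# Constructed issuer records. Key names are assumptions mirroring the four
# form fields named in the ticket; nothing here is read from a real site.
GOOD = {
    "name": "google-3.10", "usage": "internal_only",
    "authorize_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
    "clientid": "constructed-client-id",
    "loginscopes": "openid profile email",
    "loginscopesoffline": "openid profile email",
    "loginparams": "",
    "loginparamsoffline": "access_type=offline&prompt=consent",
}
# Same service saved through a form that dropped the offline-parameters field.
REGRESSED = dict(GOOD, name="google-regressed", loginparamsoffline="")


def build_auth_url(issuer, offline):
    """Authorization request; a repository login uses offline=True."""
    suffix = "offline" if offline else ""
    params = {
        "client_id": issuer["clientid"],
        "response_type": "code",
        "redirect_uri": "https://moodle.example/callback",  # constructed
        "scope": issuer["loginscopes" + suffix],
    }
    params.update(parse_qsl(issuer["loginparams" + suffix]))
    return issuer["authorize_endpoint"] + "?" + urlencode(params)


def simulated_token_response(auth_url):
    """Stand-in for the provider: a refresh token is issued only on request."""
    query = parse_qs(urlsplit(auth_url).query)
    response = {"access_token": "constructed-access", "expires_in": 3600}
    if query.get("access_type") == ["offline"]:
        response["refresh_token"] = "constructed-refresh"
    return response


def issuers_without_refresh(issuers):
    """Names of internal-service issuers whose repository logins cannot persist."""
    return [
        i["name"] for i in issuers
        if i["usage"] != "login_only"
        and "refresh_token" not in simulated_token_response(build_auth_url(i, True))
    ]


if __name__ == "__main__":
    print(issuers_without_refresh([GOOD, REGRESSED]))
```
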

            People

              jaked Jake Dallimore
              jaked Jake Dallimore
              Peter Dias Peter Dias
              Jun Pataleta Jun Pataleta
              Ilya Tregubov Ilya Tregubov
              Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski, Sujith Haridasan

              Dates

                Created:
                Updated:
                Resolved:
                17/May/21

                Time Tracking

                  Estimated: Not Specified
                  Remaining: 0m
                  Logged: 2h 5m