
Allow providing a tenant for Microsoft/Azure OAuth login


Details

    • Type: Improvement
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 3.11.4
    • Fix Version/s: None
    • Component/s: Authentication
    • Labels: None
    • Affected Branches: MOODLE_311_STABLE

    Description

      Hey,

      we use our Microsoft/Azure OAuth login with Moodle at our university and the first login page at https://login.microsoftonline.com/ shows the generic Microsoft logo instead of our university logo. This is not ideal, since this lowers the barrier against phishing attacks on our staff (and students).

      So I had a look into the code and found that the endpoint URLs for the OAuth endpoints are hardcoded within core\oauth2\service\microsoft::create_endpoints and core\oauth2\api::create_endpoints_for_microsoft. To support the Azure tenant, the https://login.microsoftonline.com/common prefix of the authorization_endpoint and the token_endpoint must be changed to a URL with the tenant ID from Azure instead of the common tenant keyword: https://login.microsoftonline.com/TENANT_ID.

      So to solve that, the config for OAuth issuers had to be extended to allow the endpoint base URL to be overridden by configuration. There is an issuer base URL config already, but that doesn't affect the endpoints used for the OAuth login flow (quite irritating btw.). I'm not within the Moodle code at all, but the solution seems to be very simple, as the core\oauth2\service\microsoft::create_endpoints and core\oauth2\api::create_endpoints_for_microsoft methods already have access to the issuer object, so all that would be needed is a new config option for the issuer object and an implementation to use that or fall back to the default "common" endpoint URLs. Maybe the existing "issuer base url" setting could be used for that purpose like it is implemented for NextCloud?

      What do you think? Would that be possible? Would such an improvement be welcome? I could provide a PR for that, but at first, I have to read and understand your rules for that.
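The endpoint construction the description proposes, as an added stand-alone example that is not Moodle's code and not part of the issue: the tenant value comes from a hypothetical issuer setting, the `common` keyword is used when it is empty, and the value is validated before it becomes part of the login URL.

```php
<?php
// Added example (not Moodle's code): build the Microsoft OAuth 2.0 endpoints
// for an Azure tenant, falling back to the "common" endpoints when no tenant
// is configured. The tenant setting itself is hypothetical; the path suffixes
// are Microsoft's v2.0 authorize/token endpoints.

declare(strict_types=1);

const MS_LOGIN_BASE = 'https://login.microsoftonline.com';

/**
 * Validate a tenant identifier. Azure AD accepts a tenant GUID or a verified
 * domain name (e.g. contoso.onmicrosoft.com). Anything else is rejected so a
 * misconfigured value cannot turn into an unexpected URL path.
 */
function validate_tenant(?string $tenant): string {
    $tenant = trim((string) $tenant);
    if ($tenant === '') {
        return 'common'; // today's hardcoded behaviour
    }
    $guid = '/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i';
    $domain = '/^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$/i';
    if (preg_match($guid, $tenant) || preg_match($domain, $tenant)) {
        return $tenant;
    }
    throw new InvalidArgumentException('Invalid Azure tenant identifier');
}

/**
 * Return the endpoint map for the issuer, keyed like Moodle's endpoint records.
 * Only the authorization and token endpoints carry the tenant prefix.
 */
function microsoft_endpoints(?string $tenant): array {
    $base = MS_LOGIN_BASE . '/' . rawurlencode(validate_tenant($tenant));
    return [
        'authorization_endpoint' => $base . '/oauth2/v2.0/authorize',
        'token_endpoint'         => $base . '/oauth2/v2.0/token',
        'userinfo_endpoint'      => 'https://graph.microsoft.com/v1.0/me',
    ];
}

// Usage: the first call mirrors the current "common" endpoints, the second the
// tenant-specific ones that present the organisation's branded sign-in page.
print_r(microsoft_endpoints(null));
print_r(microsoft_endpoints('00000000-0000-0000-0000-000000000000')); // constructed placeholder GUID
```

Note that pinning the tenant also changes who can sign in through this issuer: only accounts that exist in that tenant (members or invited guests) are accepted, which is normally what a single-organisation deployment wants.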

      People

        Assignee: Unassigned
        Reporter: Gregor Meyer
        Component watchers: Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski
        Votes: 0
        Watchers: 1