MDL-75039

OAuth2 allow claims to be retrieved from id_token


Details

    • Type: Improvement
    • Status: Waiting for peer review
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 3.11.7, 4.0.1
    • Fix Version/s: None
    • Component/s: Authentication
    • Affected Branches: MOODLE_311_STABLE, MOODLE_400_STABLE
    • Pull branch: feature/claims-from-idtoken
    Testing Instructions

      1. Configure an OAuth provider using the procedure here: https://docs.moodle.org/400/en/OAuth_2_services. For these tests, I'm using Keycloak.
      2. Under Site Administration/Server/OAuth2 services, click on "Configure user field mapping" on the service line.
      3. Add a new field mapping that maps the external field "iss" to the internal field "description".
      4. Save.
      5. Open another browser / an in-private session of your browser.
      6. Log in with the OAuth service that you just edited.
      7. In the admin browser, under Site Administration/Users/Browse list of users/<the user that you logged in with>/Edit profile, confirm that the description is set to the issuer's URL. The "iss" claim isn't exposed by the userinfo endpoint, so this means that the claim is correctly retrieved from the id token.
      8. Under Site Administration/Server/OAuth2 services, click on "configure endpoint" for the OAuth service.
      9. Delete the userinfo_endpoint and confirm.
      10. In the OAuth services page, the "Login" check should still be green.
      11. In the user web browser, log out and log in with a new user that has never logged in before.
      12. Confirm that the user is properly logged in.

    Description

      Currently, Moodle only allows claims to be retrieved from the userinfo endpoint. Sometimes, some implementations expose user info directly in the id_token and not in the userinfo endpoint, like Active Directory Federation Services (which only exposes the user id through it and calls itself compliant with the spec).

      ADFS however sets everything that is needed in the id_token.

      I suggest that claims from the id_token and the userinfo endpoint should be merged before user info is extracted.
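      The merge this issue proposes, written out as an added example (this is not Moodle's code and is not part of the issue): the id_token is verified (JWS signature with a pinned algorithm, iss, aud, exp, nonce) before any claim is read from it; the userinfo response is then merged on top, applying the OpenID Connect Core 5.3.2 rule that a userinfo response whose sub differs from the id_token's sub must not be used; and when no userinfo endpoint is configured (the second scenario in the testing instructions) the id_token claims are used alone. The HS256 shared secret, issuer URL, client id, nonce and sample claims are constructed for this example. Providers such as Keycloak and ADFS normally sign id_tokens with RS256 using keys published through their JWKS endpoint, so a production verifier would fetch and use those keys instead of a shared secret; the remaining checks are the same.

```python
"""Merge OIDC claims from a verified id_token with the userinfo response.
Added illustration, not Moodle code. Constructed assumptions: the id_token is
HS256-signed with the client secret (real providers usually use RS256 + JWKS),
and issuer, client id and nonce come from the client's own configuration."""
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample configuration (hypothetical values, not a real provider).
SECRET = b"client-secret-for-constructed-sample"
ISSUER = "https://idp.example.test/realms/moodle"
CLIENT_ID = "moodle"
NONCE = "n-0S6_WzA2Mj"
NOW = 1_700_000_000  # fixed "current time" so the example is deterministic


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def verify_id_token(token: str, secret: bytes, issuer: str, client_id: str,
                    nonce: str, now: int) -> dict:
    """Return the id_token claims only after the signature and the core OIDC
    checks (iss, aud, exp, nonce, sub present) pass; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token must not choose it (rejects alg=none and
    # algorithm-confusion attempts).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this client")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch (possible replay)")
    if not claims.get("sub"):
        raise ValueError("missing sub")
    return claims


def merge_claims(id_token_claims: dict, userinfo: Optional[dict]) -> dict:
    """Combine both sources so field mapping can see every claim.
    No userinfo (endpoint removed) -> id_token claims alone.
    OIDC Core 5.3.2: a userinfo response whose sub differs from the id_token's
    sub must not be used. For keys in both, userinfo wins (it may be fresher);
    sub itself always stays the id_token's value because it was checked equal."""
    merged = dict(id_token_claims)
    if userinfo is None:
        return merged
    if userinfo.get("sub") != id_token_claims["sub"]:
        raise ValueError("userinfo sub does not match id_token sub; discarding userinfo")
    merged.update(userinfo)
    return merged


def make_sample_id_token(secret: bytes, payload: dict) -> str:
    """Build a constructed HS256 id_token for the example (provider side)."""
    header_b64 = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload_b64 = _b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{_b64url_encode(sig)}"


def demo(with_userinfo: bool) -> dict:
    """Run the login flow for one constructed user, with or without a userinfo
    endpoint, and return the merged claims the field mapping would receive."""
    token = make_sample_id_token(SECRET, {
        "iss": ISSUER, "aud": CLIENT_ID, "exp": NOW + 300, "iat": NOW,
        "nonce": NONCE, "sub": "a1b2c3", "email": "alice@example.test",
        "given_name": "Alice", "family_name": "Liddell"})
    claims = verify_id_token(token, SECRET, ISSUER, CLIENT_ID, NONCE, NOW)
    # Constructed userinfo response: note it carries no "iss" claim.
    userinfo = ({"sub": "a1b2c3", "email": "alice@example.test",
                 "preferred_username": "alice"} if with_userinfo else None)
    return merge_claims(claims, userinfo)
```

      In the merged result the "iss" claim is present whether or not userinfo was fetched, which is what step 7 of the testing instructions relies on: mapping "iss" to a profile field proves the value came from the id_token, since the userinfo endpoint does not return it. The order of operations matters: the id_token must be fully verified before its claims are merged, because once merged nothing downstream can tell which source a value came from.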

          People

            Assignee: Unassigned
            Reporter: jeremyVignelles
            Participants: Jake Dallimore, Mathew May, Mihail Geshoski
