Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-77382

OAuth 2: broken error handling when denying access to scopes during authorization code flow

    XMLWordPrintable

Details

    • MOODLE_400_STABLE, MOODLE_401_STABLE
    • MOODLE_400_STABLE, MOODLE_401_STABLE
    • MDL-77382-400
    • MDL-77382-401
    • MDL-77382-master
    • Hide
      1. Perform the testing instructions in MDL-71254
      2. Try to sign in with the microsoft sso again, this time selecting 'Yes' when prompted
      3. Verify that you're signed in to the Moodle instance
      4. Set up a Google OAuth 2 issuer +  Google repository (see https://docs.moodle.org/401/en/Google_Drive_repository)
      5. Go to private files and click to add a new file
      6. Select the Google repository
      7. Click "Log in to your account" (you'll get a popup window)
      8. When/if prompted, pick the relevant google account
      9. When prompted to approve scopes, click "Cancel" instead of "Approve"
      10. Verify:
        • The popup closes
        • You can still see "Log in to your account" button in the main window
        • There are no javascript console errors in the main window (check with dev tools)
      Show
      Perform the testing instructions in MDL-71254 Try to sign in with the microsoft sso again, this time selecting 'Yes' when prompted Verify that you're signed in to the Moodle instance Set up a Google OAuth 2 issuer +  Google repository (see https://docs.moodle.org/401/en/Google_Drive_repository ) Go to private files and click to add a new file Select the Google repository Click "Log in to your account" (you'll get a popup window) When/if prompted, pick the relevant google account When prompted to approve scopes, click "Cancel" instead of "Approve" Verify: The popup closes You can still see "Log in to your account" button in the main window There are no javascript console errors in the main window (check with dev tools)
    • 1
    • Team Alpha - Sprint 2 I1-2023

    Description

      Problem

      This is easiest to see via a quick replication:

      1. Set up a Google OAuth 2 issuer
      2. Set up the Googledocs repository, setting the google issuer you created in step 1.
      3. Go to private files and click to add a new file
      4. Select the Google repository
      5. Click "Log in to your account" (you'll get a popup window)
      6. When/if prompted, pick the relevant google account
      7. When prompted to approve scopes, click "Cancel" instead of "Approve"
        Expected: The popup closes and you're shown {}something{} meaningful
        Actual: The popup remains open, and redirect you to login, with the message "You're already signed in as user x..." etc.
        E.g.

      This is awfully clumsy.

      This seems to be directly related to MDL-71254 (certainly that issue didn't consider the 'internal services' use case at all), but has perhaps been a problem ever since the inception of the google/microsoft, etc. sso. In any case, it's a problem on admin/oauth2callback.php.

      Solution

      What should happen? Errors, like the error that's passed back when you deny an auth request, should be sent back to the calling code (in this case repository) when the user is an authenticated user. It's up to the calling code to handle that (and close popups, cleanup, etc). When we're not logged in, we can then safely redirect to the login page as we do now.

      Attachments

        Issue Links

          has a non-specific relationship to

          Epic - Created by Jira Software - do not edit or delete. Issue type for a big user story that needs to be broken down. MDL-75207 Moodle LMS / MoodleNet integration project - Phase 1

          • Minor - Minor loss of function where workaround is possible
          • Closed

          Improvement - An enhancement to an existing Moodle feature. MDL-71254 OAuth2: Display login errors on the login page

          • Major - Major loss of function, incorrect output
          • Closed
          is a regression caused by

          Improvement - An enhancement to an existing Moodle feature. MDL-58090 OAuth 2 authentication upgrades for Moodle.

          • Minor - Minor loss of function where workaround is possible
          • Closed

          Activity

            People

              jaked Jake Dallimore
              jaked Jake Dallimore
              Meirza Meirza
              Huong Nguyen Huong Nguyen
              Ron Carl Alfon Yu Ron Carl Alfon Yu
              David Woloszyn, Huong Nguyen, Jake Dallimore, Meirza, Michael Hawkins, Raquel Ortega, Safat Shahin, Stevani Andolo
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:
                24/Apr/23

                Time Tracking

                  Estimated:
                  Original Estimate - 0 minutes
                  0m
                  Remaining:
                  Remaining Estimate - 0 minutes
                  0m
                  Logged:
                  Time Spent - 1 day, 2 hours, 36 minutes
                  1d 2h 36m