[MDL-77382] OAuth 2: broken error handling when denying access to scopes during authorization code flow


    • MOODLE_400_STABLE, MOODLE_401_STABLE
    • MDL-77382-401
    • MDL-77382-master
      Testing instructions

      1. Perform the testing instructions in MDL-71254
      2. Try to sign in with the Microsoft SSO again, this time selecting 'Yes' when prompted
      3. Verify that you're signed in to the Moodle instance
      4. Set up a Google OAuth 2 issuer + Google repository (see https://docs.moodle.org/401/en/Google_Drive_repository)
      5. Go to private files and click to add a new file
      6. Select the Google repository
      7. Click "Log in to your account" (you'll get a popup window)
      8. When/if prompted, pick the relevant Google account
      9. When prompted to approve scopes, click "Cancel" instead of "Approve"
      10. Verify:
        • The popup closes
        • You can still see the "Log in to your account" button in the main window
        • There are no JavaScript console errors in the main window (check with dev tools)
    • Team Alpha - Sprint 2 I1-2023

      Problem

      This is easiest to see via a quick replication:

      1. Set up a Google OAuth 2 issuer
      2. Set up the Googledocs repository, setting the Google issuer you created in step 1.
      3. Go to private files and click to add a new file
      4. Select the Google repository
      5. Click "Log in to your account" (you'll get a popup window)
      6. When/if prompted, pick the relevant Google account
      7. When prompted to approve scopes, click "Cancel" instead of "Approve"
        Expected: The popup closes and you're shown something meaningful
        Actual: The popup remains open and redirects you to the login page, with the message "You're already signed in as user x..." etc.

      This is awfully clumsy.

      This seems to be directly related to MDL-71254 (certainly that issue didn't consider the 'internal services' use case at all), but it has perhaps been a problem ever since the inception of the Google/Microsoft etc. SSO. In any case, it's a problem in admin/oauth2callback.php.

      Solution

      What should happen? Errors, like the error that's passed back when you deny an auth request, should be sent back to the calling code (in this case the repository) when the user is an authenticated user. It's up to the calling code to handle that (close popups, clean up, etc.). When we're not logged in, we can then safely redirect to the login page as we do now.
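      The decision described above, written out as an added example in plain PHP. It is not Moodle's admin/oauth2callback.php; the function name, the array-shaped return values and the login URL are assumptions, and the only external fact it relies on is that RFC 6749 reports a denied consent screen as error=access_denied with the echoed state.

```php
<?php
// Added example (not Moodle code). Models the behaviour MDL-77382 asks for:
// an OAuth 2 error arriving at the callback (e.g. the user clicked "Cancel"
// on the consent screen) is handed back to the calling code when a user is
// already logged in, and only becomes a login redirect when nobody is.
// $query is the parsed redirect URI query string; $loggedin is the session
// state the real callback would look up; $loginurl is an assumed login page.
function handle_oauth2_callback(array $query, bool $loggedin, string $loginurl): array {
    $error = $query['error'] ?? null;
    $code  = $query['code'] ?? null;
    $state = $query['state'] ?? '';

    if ($error === null && $code === null) {
        // Neither a code nor an error: not a valid authorization response,
        // so do not guess and do not redirect anywhere on the caller's behalf.
        return ['action' => 'invalid_response', 'state' => $state];
    }

    if ($error !== null) {
        // RFC 6749 s4.1.2.1: error (e.g. access_denied), optional description,
        // and the state the caller sent, so it can match the reply to its request.
        $payload = [
            'error'             => $error,
            'error_description' => $query['error_description'] ?? '',
            'state'             => $state,
        ];
        if ($loggedin) {
            // Authenticated user: the caller (here, the repository) owns the
            // popup and decides how to close it and clean up. Hand the error back.
            return ['action' => 'return_error_to_caller', 'payload' => $payload];
        }
        // Nobody logged in: the existing login redirect is still the right answer.
        return ['action' => 'redirect', 'url' => $loginurl, 'payload' => $payload];
    }

    if (!$loggedin) {
        return ['action' => 'redirect', 'url' => $loginurl, 'state' => $state];
    }
    // Happy path: continue the authorization code exchange for this user.
    return ['action' => 'exchange_code', 'code' => $code, 'state' => $state];
}

// Constructed sample: the user pressed "Cancel" on the Google consent screen.
$denied = ['error' => 'access_denied', 'state' => 'constructed-state-123'];
foreach ([true, false] as $loggedin) {
    $result = handle_oauth2_callback($denied, $loggedin, '/login/index.php');
    printf("logged in: %s -> %s\n", $loggedin ? 'yes' : 'no', $result['action']);
}
```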

      People: Jake Dallimore (jaked), Meirza, Huong Nguyen, Ron Carl Alfon Yu