Moodle MDL-77382

OAuth 2: broken error handling when denying access to scopes during authorization code flow


Details

    • MOODLE_400_STABLE, MOODLE_401_STABLE
    • MDL-77382-401
    • MDL-77382-master
    • Testing instructions
      1. Perform the testing instructions in MDL-71254
      2. Try to sign in with the microsoft sso again, this time selecting 'Yes' when prompted
      3. Verify that you're signed in to the Moodle instance
      4. Set up a Google OAuth 2 issuer +  Google repository (see https://docs.moodle.org/401/en/Google_Drive_repository)
      5. Go to private files and click to add a new file
      6. Select the Google repository
      7. Click "Log in to your account" (you'll get a popup window)
      8. When/if prompted, pick the relevant google account
      9. When prompted to approve scopes, click "Cancel" instead of "Approve"
      10. Verify:
        • The popup closes
        • You can still see "Log in to your account" button in the main window
        • There are no javascript console errors in the main window (check with dev tools)
    • Team Alpha - Sprint 2 I1-2023

    Description

      Problem

      This is easiest to see via a quick replication:

      1. Set up a Google OAuth 2 issuer
      2. Set up the Googledocs repository, setting the google issuer you created in step 1.
      3. Go to private files and click to add a new file
      4. Select the Google repository
      5. Click "Log in to your account" (you'll get a popup window)
      6. When/if prompted, pick the relevant google account
      7. When prompted to approve scopes, click "Cancel" instead of "Approve"
        Expected: The popup closes and you're shown something meaningful
        Actual: The popup remains open and redirects you to login, with the message "You're already signed in as user x..." etc.
        E.g. (see the attached screenshot auth_code_deny_problem.jpg)

      This is awfully clumsy.

      This seems to be directly related to MDL-71254 (certainly that issue didn't consider the 'internal services' use case at all), but has perhaps been a problem ever since the inception of the google/microsoft, etc. sso. In any case, it's a problem on admin/oauth2callback.php.

      Solution

      What should happen? Errors, like the error that's passed back when you deny an auth request, should be sent back to the calling code (in this case the repository) when the user is already authenticated. It's up to the calling code to handle that (close popups, clean up, etc.). When we're not logged in, we can safely redirect to the login page as we do now.
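The branching described above, as an added example written for this page rather than taken from Moodle's admin/oauth2callback.php: the callback checks the state parameter against a flow the browser actually started, hands a denial error back to the calling page when a user is already authenticated, redirects to login when nobody is, and otherwise proceeds to the code exchange. The function names, the session layout and all URLs below are assumptions made for the illustration.

```php
<?php
// Added example, not Moodle code: the branching that MDL-77382 asks for in an
// OAuth 2 authorization-code callback endpoint. The session layout, the helper
// names and all URLs below are assumptions made for this illustration.
declare(strict_types=1);

/**
 * Decide how the callback endpoint should respond to one incoming request.
 *
 * $query    parameters sent by the authorization server (RFC 6749 section 4.1.2):
 *           code + state on success, error [+ error_description] + state on denial.
 * $pending  flows this browser started, keyed by state: [state => ['returnurl' => ...]].
 *           The return URL is server-stored, so redirecting to it is not an open redirect.
 * $loggedin whether the browser already has an authenticated Moodle session.
 * $loginurl where unauthenticated users are sent.
 *
 * Returns ['action' => 'redirect'|'exchange_code'|'reject', ...].
 */
function oauth2_callback_decide(array $query, array $pending, bool $loggedin, string $loginurl): array {
    $state = (string)($query['state'] ?? '');
    // Only act on callbacks for a flow this browser actually started; a missing
    // or unknown state means a forged, replayed or stale callback.
    if ($state === '' || !isset($pending[$state])) {
        return ['action' => 'reject', 'reason' => 'unknown_state'];
    }
    $returnurl = $pending[$state]['returnurl'];

    if (!empty($query['error'])) {
        if (!$loggedin) {
            // Nobody to report the error to yet: behave as before and go to login.
            return ['action' => 'redirect', 'url' => $loginurl];
        }
        // Authenticated user: hand the error back to the calling code (here the
        // repository popup), which knows how to clean up and close itself.
        $params = ['error' => $query['error']];
        if (!empty($query['error_description'])) {
            $params['error_description'] = $query['error_description'];
        }
        return ['action' => 'redirect', 'url' => append_query($returnurl, $params)];
    }

    if (empty($query['code'])) {
        return ['action' => 'reject', 'reason' => 'missing_code'];
    }
    // Success: the caller exchanges the code for tokens, then continues to $returnurl.
    return ['action' => 'exchange_code', 'code' => $query['code'], 'returnurl' => $returnurl];
}

/** Append query parameters to a URL that may or may not already have a query string. */
function append_query(string $url, array $params): string {
    $sep = strpos($url, '?') === false ? '?' : '&';
    return $url . $sep . http_build_query($params);
}

/** Minimal self-check that does not depend on zend.assertions being enabled. */
function check(bool $ok, string $what): void {
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// Constructed sample inputs (a denial coming back from the authorization server).
$login = 'https://moodle.example/login/index.php';
$pending = ['s3cr3tstate' => ['returnurl' => 'https://moodle.example/repository/repository_callback.php?repo_id=7']];
$deny = ['state' => 's3cr3tstate', 'error' => 'access_denied', 'error_description' => 'User denied access'];

// 1. Logged-in user denies: the error goes back to the repository, not to login.
$r = oauth2_callback_decide($deny, $pending, true, $login);
check($r['action'] === 'redirect'
    && strpos($r['url'], 'repository_callback.php?repo_id=7&error=access_denied') !== false,
    'error returned to caller');

// 2. Not logged in: redirect to the login page as before.
$r = oauth2_callback_decide($deny, $pending, false, $login);
check($r['url'] === $login, 'anonymous user sent to login');

// 3. Unknown state: ignore the callback entirely, even if it carries a code.
$r = oauth2_callback_decide(['state' => 'bogus', 'code' => 'abc'], $pending, true, $login);
check($r['action'] === 'reject', 'unknown state rejected');

// 4. Normal success path.
$r = oauth2_callback_decide(['state' => 's3cr3tstate', 'code' => 'abc'], $pending, true, $login);
check($r['action'] === 'exchange_code' && $r['code'] === 'abc', 'code accepted');

echo "all checks passed\n";
```

Run it with `php example.php`; the checks at the bottom cover the four cases. Redirecting to the stored return URL is safe because it comes from the server-side session rather than from the callback's query string, and the state check is what stops a forged or replayed callback from driving those redirects.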

      Attachments

        1. auth_code_deny_problem.jpg (83 kB, Jake Dallimore)
        2. MDL-77382.png (495 kB, Ron Carl Alfon Yu)

      People

        Jake Dallimore (jaked), Meirza, Huong Nguyen, Ron Carl Alfon Yu

      Time spent: 1d 2h 36m