Type: Bug
Resolution: Fixed
Priority: Minor
Affects Version/s: 4.1.5, 4.2.2
Affected Branches: MOODLE_401_STABLE, MOODLE_402_STABLE
Fixed Branches: MOODLE_401_STABLE, MOODLE_402_STABLE
Pull Master Branch: MDL-79487-do-not-delete-refresh-token-master
Steps to reproduce:
- set up a Nextcloud repository with the needed OAuth 2 service
- log in to Moodle
- make sure the repository works
- wait until the Nextcloud access token expires; do NOT log out from Moodle (in my case the token expires after 60 min)
- try to access the repository again
- the user has to authenticate again to Nextcloud and receives a new access token and refresh token
Debugging:
When the access token is expired the code runs `log_out()`: https://github.com/individual-it/moodle/blob/91e6642f16492fd8a6443e1581e1b14592f74e44/lib/oauthlib.php#L464
This will not call `\oauth2_client::log_out` but `\core\oauth2\client::log_out`, which then deletes the refresh token from the database: https://github.com/individual-it/moodle/blob/91e6642f16492fd8a6443e1581e1b14592f74e44/lib/classes/oauth2/client.php#L457-L461
It works fine if the user logs out from Moodle before the code in https://github.com/individual-it/moodle/blob/91e6642f16492fd8a6443e1581e1b14592f74e44/lib/oauthlib.php#L464 is run again. The access token is only stored in the session, so if the session is deleted the code will not pass through `if (isset($this->accesstoken->token)) {` in https://github.com/individual-it/moodle/blob/91e6642f16492fd8a6443e1581e1b14592f74e44/lib/oauthlib.php#L470. That makes `\oauth2_client::is_logged_in` return `false`, and that in turn makes `\core\oauth2\client::is_logged_in` get a new access token using the refresh token.
So if the token time is relatively long and the session of the user short it does not make any difference, but I'm working on a repository for ownCloud Infinite Scale and I face a token time of 300 s, so the problem is much bigger.
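The following is an added model of the failure mode described above, written for this page; it is not Moodle's code and not the fix that landed on the branch named in the issue. It keeps the access token in a per-login session and the refresh token in a persistent store, and lets the expiry path either call the client's full `log_out()` (the behaviour the report describes, which discards the refresh token) or only drop the stale session copy and use the refresh token. The class names (`OAuth2Client`, `FakeTokenEndpoint`), the in-process token endpoint and its refresh-token rotation are assumptions made for the illustration; no real Nextcloud or ownCloud endpoint is contacted.

```python
"""Model of 'expired access token' vs. 'explicit logout' in an OAuth 2 client.

Added illustration for the report above; not Moodle code. Names and the
simulated token endpoint are hypothetical.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass
class AccessToken:
    token: str
    expires: float  # absolute time (seconds)


class FakeTokenEndpoint:
    """Stand-in for the provider's token endpoint (constructed for the example)."""

    def __init__(self, lifetime: float) -> None:
        self.lifetime = lifetime
        self.valid_refresh: Set[str] = set()  # refresh tokens the provider still honours

    def issue(self, now: float) -> Tuple[AccessToken, str]:
        refresh = secrets.token_hex(8)
        self.valid_refresh.add(refresh)
        return AccessToken(secrets.token_hex(8), now + self.lifetime), refresh

    def refresh(self, refresh_token: str, now: float) -> Optional[Tuple[AccessToken, str]]:
        if refresh_token not in self.valid_refresh:
            return None  # unknown or revoked: caller must re-authorise interactively
        self.valid_refresh.discard(refresh_token)  # assumed rotation: one use per refresh token
        return self.issue(now)


class OAuth2Client:
    """Session holds the access token; a persistent store holds the refresh token."""

    def __init__(self, endpoint: FakeTokenEndpoint, delete_refresh_on_expiry: bool) -> None:
        self.endpoint = endpoint
        self.delete_refresh_on_expiry = delete_refresh_on_expiry
        self.session: Dict[str, AccessToken] = {}  # lost when the user logs out of the app
        self.db_refresh: Optional[str] = None       # survives the session
        self.reauth_count = 0                        # interactive authorisations so far

    def authorise(self, now: float) -> None:
        """Interactive authorisation: the step the user should not be forced to repeat."""
        self.reauth_count += 1
        self.session["accesstoken"], self.db_refresh = self.endpoint.issue(now)

    def log_out(self) -> None:
        """Explicit logout from the provider: drop both tokens."""
        self.session.pop("accesstoken", None)
        self.db_refresh = None

    def is_logged_in(self, now: float) -> bool:
        access = self.session.get("accesstoken")
        if access is not None:
            if access.expires > now:
                return True
            if self.delete_refresh_on_expiry:
                self.log_out()  # reported behaviour: expiry handled as a full logout
            else:
                self.session.pop("accesstoken", None)  # only the session copy is stale
        if self.db_refresh is None:
            return False
        result = self.endpoint.refresh(self.db_refresh, now)
        if result is None:
            self.db_refresh = None
            return False
        self.session["accesstoken"], self.db_refresh = result
        return True

    def ensure_logged_in(self, now: float) -> None:
        if not self.is_logged_in(now):
            self.authorise(now)


def simulate(delete_refresh_on_expiry: bool, lifetime: float = 300.0, steps: int = 4) -> int:
    """Touch the repository once per expiry; return how often the user had to re-authorise."""
    client = OAuth2Client(FakeTokenEndpoint(lifetime), delete_refresh_on_expiry)
    now = 0.0
    client.ensure_logged_in(now)
    for _ in range(steps):
        now += lifetime + 1  # the access token has just expired, the session has not
        client.ensure_logged_in(now)
    return client.reauth_count


if __name__ == "__main__":
    print("re-auths with refresh token deleted on expiry:", simulate(True))
    print("re-auths with refresh token kept on expiry:  ", simulate(False))
```

With a 300 s lifetime and four accesses after the first, the variant that routes expiry through `log_out()` forces a fresh interactive authorisation on every access, while the variant that only clears the session copy renews silently from the persisted refresh token; an explicit `log_out()` still removes the refresh token in both variants.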