Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-79487

auth refresh token is deleted when it should be used to get a new access token

XMLWordPrintable

    • MOODLE_401_STABLE, MOODLE_402_STABLE
    • MOODLE_401_STABLE, MOODLE_402_STABLE
    • MDL-79487-do-not-delete-refresh-token
    • MDL-79487-do-not-delete-refresh-token-master
    • Hide

      This test requires a site with an OAuth 2 Google service and the Google Drive repository enabled. Google can be setup using localhost, so there's no need to make your site public.

      Testing the expiry case

      1. Login as admin
      2. Go to private files and click the Google drive repository (whatever you named it)
      3. Go through the authorization flow, and confirm you can see your files listed there once you're done.
      4. Now, drop the following file into the root of your Moodle directory:
        expiretoken.php
      5. Access that file via the web. E.g. YOURSITE/expiretoken.php. You should see a message "Success! OAuth 2 access token will now expire in 5 seconds."
      6. Wait 5 seconds
      7. Now, go back to private files and click the Google drive repository again
      8. Verify that you don't need to login again and can see your files (this means the refresh token was instead used)

      Regression test repository logout and user logout

      1. Continuing on from above, open the Google drive repository
      2. Click the "Logout" icon inside the repository view
      3. Verify you can't see your files and instead see "Log in to your account" button
      4. Close the modal and refresh the page
      5. Open the Google drive repository again
      6. Verify you can't see your files and instead see "Log in to your account" button
      7. Click the button and proceed through the authorization flow again
      8. When you can see your files again, log out of Moodle (not repository logout, the main Moodle logout via the user menu)
      9. Log back in to Moodle again
      10. Go to Private files and access the Google drive repository again
      11. Verify you can see your files listed and don't need to login
      Show
      This test requires a site with an OAuth 2 Google service  and the Google Drive repository  enabled. Google can be setup using localhost, so there's no need to make your site public. Testing the expiry case Login as admin Go to private files and click the Google drive repository (whatever you named it) Go through the authorization flow, and confirm you can see your files listed there once you're done. Now, drop the following file into the root of your Moodle directory: expiretoken.php Access that file via the web. E.g. YOURSITE/expiretoken.php. You should see a message " Success! OAuth 2 access token will now expire in 5 seconds. " Wait 5 seconds Now, go back to private files and click the Google drive repository again Verify that you don't need to login again and can see your files (this means the refresh token was instead used) Regression test repository logout and user logout Continuing on from above, open the Google drive repository Click the "Logout" icon inside the repository view Verify you can't see your files and instead see "Log in to your account" button Close the modal and refresh the page Open the Google drive repository again Verify you can't see your files and instead see "Log in to your account" button Click the button and proceed through the authorization flow again When you can see your files again, log out of Moodle (not repository logout, the main Moodle logout via the user menu) Log back in to Moodle again Go to Private files and access the Google drive repository again Verify you can see your files listed and don't need to login

      Steps to reproduce:

      1. setup a nextcloud repository with the needed oauth2 service
      2. login to moodle
      3. make sure the repository works
      4. wait till the nextcloud access token expires DO NOT LOGOUT from moodle (in my case the token expires after 60min)
      5. try to access the repository again
      6. the user has to authenticate again to nextcloud and to receive a new access and refresh token

       

      Debugging:
      When the access token is expired the code runs `log_out()` https://github.com/individual-it/moodle/blob/91e6642f16492fd8a6443e1581e1b14592f74e44/lib/oauthlib.php#L464
      this will not call `\oauth2_client::log_out`but `\core\oauth2\client::log_out` and that then deletes the refresh token from the database https://github.com/individual-it/moodle/blob/91e6642f16492fd8a6443e1581e1b14592f74e44/lib/classes/oauth2/client.php#L457-L461
       
      It works fine if the user logs out from moodle before the code in https://github.com/individual-it/moodle/blob/91e6642f16492fd8a6443e1581e1b14592f74e44/lib/oauthlib.php#L464 is run again. The access token is only stored in the session, so if the session is deleted the code will not pass through `if (isset($this->accesstoken->token)) {` in https://github.com/individual-it/moodle/blob/91e6642f16492fd8a6443e1581e1b14592f74e44/lib/oauthlib.php#L470 that makes `\oauth2_client::is_logged_in` return `false` and that again makes `\core\oauth2\client::is_logged_in` to get a new access token using the refresh token
       
      So if the token time is relatively long and the session of the user short it does not make any difference, but I'm working on a repository for owncloud infinite scale and I face a toke time of 300s, so the problem is much bigger.

            individual-it Artur Neumann
            individual-it Artur Neumann
            Jake Dallimore Jake Dallimore
            Jun Pataleta Jun Pataleta
            Kim Jared Lucas Kim Jared Lucas
            Votes:
            0 Vote for this issue
            Watchers:
            7 Start watching this issue

              Created:
              Updated:
              Resolved:

                Estimated:
                Original Estimate - 0 minutes
                0m
                Remaining:
                Remaining Estimate - 0 minutes
                0m
                Logged:
                Time Spent - 1 hour, 36 minutes
                1h 36m

                  Error rendering 'clockify-timesheets-time-tracking-reports:timer-sidebar'. Please contact your Jira administrators.