  1. Moodle
  2. MDL-80332

Add fallback for app launches using custom URL schemes when using auth plugins


Details

    • Bug
    • Resolution: Fixed
    • Major
    • 4.3
    • 4.3
    • Administration
    • MOODLE_403_STABLE
    • MOODLE_403_STABLE
    • MDL-80332-403
    • MDL-80332-master
    • Testing instructions
      Prerequisite
      1. mailhog or mailcatcher or similar solution to capture emails coming from your site to any user
      2. Moodle mobile app.
      3. Your Moodle mobile app should be able to connect to your Moodle website. You can either do the following:
        • Ensure that the phone with the mobile app and the web server are on the same network. Or
        • Expose the web server over the internet via ngrok.
      Configuration
      1. Install the attached auth plugin (externalauth) under the /auth/ directory
      2. Go to Site administration -> Notifications on your site to complete the installation
      3. Enable the plugin "AUTH EXTERNAL (DEBUG)" via Site administration -> Plugins -> Authentication -> Manage authentication (click on the "eye" so it is open)
      4. As an admin, enable "Web services for mobile devices" on Site administration -> Advanced features
      5. Go to "Site admin -> Mobile app -> Mobile authentication" and for the field "Type of login" select the option "Via an embedded browser" and remember to click "Save changes"
      Test
      1. Using the mobile app, connect to the site by entering its URL
      2. You will be asked to log in via a browser
      3. When the browser is presented, select the option "AUTH EXTERNAL (DEBUG)"
      4. You will see a new screen with two options: redirect to /my and redirect to $SESSION->wantsurl
      5. Select any user from the first (/my) and confirm that:
        • you are successfully logged in as that user and the mobile app user interface is re-launched
      6. Log out of the app, then open the default browser on your device and ensure you are not logged in there either
      7. Access the site again using the mobile app but this time using the option $SESSION->wantsurl and confirm that:
        • you are successfully logged in as that user and the mobile app user interface is re-launched
      8. Log out of the app, then open the default browser on your device and ensure you are not logged in there either
      9. Access with the mobile app again but this time when the browser is presented do not select the option "AUTH EXTERNAL (DEBUG)", instead, just type your username and password and click "Log in" and confirm that:
        • you are successfully logged in as that user and the mobile app user interface is re-launched
      Test with MFA
      1. Enable MFA via Site admin > Plugins > Manage multi-factor authentication
      2. Set MFA plugin enabled as Yes
      3. Enable the Email factor with a Weight of 100%
      4. Repeat the steps from the previous section. The difference is that after selecting a user to log in you will also be asked for MFA via email (a code will be sent to the user's email), and after entering the code you will be logged in on the app

    Description

      During the last year, we have received several reports about Moodle sites not properly launching the app via URL schemes. In some cases the app no longer launches at all, while in others it works randomly. We think this could also be related to changes in how secure cookies are treated by web browsers.

      In most cases this has happened when:

      • The Moodle site is using an auth plugin that is not part of Moodle core distribution
      • The Moodle site is using a combination of auth plugin + MFA
      • The Moodle site is using Google OAuth plus MFA
      • The Moodle site is under Cloudflare or similar solutions
      • The Moodle site is behind load balancers
      • Some recent Android versions block the redirect to the custom scheme when the app is using the inapp browser for completing the login process on the site

      We are trying to make our current support more solid to at least provide a fallback that could eventually work in some of those situations that are out of our control

      To know more about how the current login via custom URL schemes on the app works, please check: MDL-53777

      The proposed idea basically consists of setting a cookie indicating that a Mobile app launch is in process and, once the user is logged in, ensuring that $SESSION->wantsurl is properly set thanks to that cookie.
      The cookie has a limited lifespan (basically the login process) and is purely functional (for authentication), so users do not have to accept it in advance.
      We'll eventually require a backport of this.
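
A sketch of the fallback proposed in the description, added here as an example and not taken from the Moodle patch: the cookie name, launch path and parameter names are hypothetical. It goes one step beyond the description by validating the cookie contents, because a cookie is client-controlled input and must not become a redirect target.

```php
<?php
// Added sketch, not Moodle's code; cookie name, path and parameter rules are hypothetical.
const LAUNCH_COOKIE = 'example_app_launch';
const LAUNCH_PATH = '/example/launch.php';
const PARAM_RULES = [ // allow-list: one pattern per expected launch parameter
    'service' => '/^[a-z0-9_]{1,64}$/',
    'passport' => '/^[A-Za-z0-9.]{1,64}$/',
    'urlscheme' => '/^[a-z][a-z0-9+.-]{0,31}$/',
];

/** Return the launch parameters if all are present and well-formed, else null. */
function clean_launch_params(array $raw): ?array {
    $clean = [];
    foreach (PARAM_RULES as $name => $regex) {
        $value = $raw[$name] ?? null;
        if (!is_string($value) || !preg_match($regex, $value)) {
            return null;
        }
        $clean[$name] = $value;
    }
    return $clean;
}

/** Send the marker cookie; Lax lets it ride the top-level GET back from an external IdP. */
function send_launch_cookie(string $value, int $expires): bool {
    return setcookie(LAUNCH_COOKIE, $value, ['expires' => $expires, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
}

/** Launch page, before an anonymous user is sent to login: remember the request. */
function remember_launch(array $query): bool {
    $params = clean_launch_params($query);
    return $params !== null && send_launch_cookie(json_encode($params), time() + 600);
}

/** After login: the value to store in $SESSION->wantsurl. */
function wantsurl_after_login(string $wwwroot, ?string $wantsurl, array $cookies): ?string {
    $launch = $wwwroot . LAUNCH_PATH;
    if ($wantsurl !== null && strpos($wantsurl, $launch) === 0) {
        return $wantsurl; // the normal flow survived; nothing to repair
    }
    $raw = $cookies[LAUNCH_COOKIE] ?? '';
    $data = is_string($raw) ? json_decode($raw, true) : null;
    $params = is_array($data) ? clean_launch_params($data) : null;
    // The cookie is client-controlled: rebuild a local URL from validated values only.
    return $params === null ? $wantsurl : $launch . '?' . http_build_query($params);
}

/** Once the launch page has been served again, expire the marker. */
function forget_launch(): bool { return send_launch_cookie('', time() - 3600); }
```

A SameSite=Lax cookie is not sent on a cross-site POST, so an identity provider that returns the user with a form POST would not carry the marker on that request; it is only available again on the next same-site navigation.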

            People

              jleyva Juan Leyva
              jleyva Juan Leyva
              Rodrigo Mady Rodrigo Mady
              Andrew Lyons Andrew Lyons
              Kim Jared Lucas Kim Jared Lucas