GopalSharma / moodle-auth_azureb2c

The Azure AD B2C Connect plugin provides registering of a new user and single-sign-on functionality using configurable identity providers, scope and custom policies of Azure B2C.
GNU General Public License v3.0
2 stars 7 forks

sync existing moodle users on login #14

Open pugwashmsc opened 2 years ago

pugwashmsc commented 2 years ago

Moodle 3.11

Authentication plugin auth_azureb2c

SSO has been achieved.

A user creates their Azure B2C account. Moodle is configured to use Azure B2C sign on page via auth_azureb2c.

Existing moodle user creates B2C account using same email address as stored in moodle.

User logs into moodle through Azure B2C login page and is passed through (logged in) to moodle. However, this creates a second account for the user in moodle, so they cannot access their existing courses and data.

Should the auth_azureb2c sync accounts with existing user accounts?

If not, how can this be done?

emyb commented 2 years ago

Could something be done in the createtoken function similar to

https://github.com/GopalSharma/moodle-auth_azureb2c/blob/927b006d33b2c1b06812ff8ad762d66bb5f31ef7/classes/loginflow/base.php#L119-L123

https://github.com/GopalSharma/moodle-auth_azureb2c/blob/927b006d33b2c1b06812ff8ad762d66bb5f31ef7/classes/loginflow/base.php#L460-L464

        // Determine remote username. Prefer the first entry of the B2C 'emails' claim (an array),
        // then 'upn' if available (Azure-specific), and finally fall back to the standard 'sub'.
        $azureb2cusername = $idtoken->claim('emails');
        if (is_array($azureb2cusername) && !empty($azureb2cusername)) {
            // 'emails' is a list of addresses; take the first one ($azureb2cusername[0] also works
            // when the array is numerically indexed).
            $azureb2cusername = reset($azureb2cusername);
        }
        if (empty($azureb2cusername)) {
            $azureb2cusername = $idtoken->claim('upn');
        }
        if (empty($azureb2cusername)) {
            $azureb2cusername = $idtoken->claim('sub');
        }

There are a whole bunch of other places (if this is a sensible idea) that will need updating just from looking around where this is happening. Possibly some upgrade script too?

A setting may be sensible so that admins can control what is being used for the username. Something else to ensure that characters in an email address can be used for usernames also. Maybe the setting will mean that an upgrade script isn't required, so that users aren't forced to switch.

I am interested in seeing an addition like this for new instances rather than existing Moodle instances.
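The suggestion above only changes which claim becomes the Moodle username. To actually land a B2C login on a pre-existing account, the login flow also has to look the account up and refuse to link when the match is not safe. The following is an added example, not code from the auth_azureb2c plugin. It assumes the `$idtoken->claim()` accessor shown in the comment above, that the plugin's auth type is `azureb2c`, and two hypothetical plugin settings, `linkbyemail` (opt-in switch) and `linkableauths` (comma-separated auth methods that may be adopted). The important safeguards are that the match must be unique (several accounts can share an address when `allowaccountssameemail` is on) and that an e-mail match alone must never take over an account owned by a different identity system.

```php
<?php
// Added example (not the plugin's own code). Finds the single existing Moodle account that an
// Azure B2C id_token should be linked to, instead of creating a second account.
// Assumptions: $idtoken->claim($name) as used elsewhere on this page; plugin auth type
// 'azureb2c'; hypothetical plugin settings 'linkbyemail' and 'linkableauths'.
defined('MOODLE_INTERNAL') || die();

/**
 * Return the existing user to link to, or null when linking would be unsafe: linking disabled,
 * no usable e-mail in the token, zero or several candidate accounts, or a candidate whose auth
 * method the admin did not list as linkable.
 */
function auth_azureb2c_find_linkable_user($idtoken) {
    global $DB, $CFG;

    if (empty(get_config('auth_azureb2c', 'linkbyemail'))) {
        return null; // Admin has not opted in; keep the current create-new-user behaviour.
    }

    // B2C emits addresses in the 'emails' claim as an array; take the first entry.
    $emails = $idtoken->claim('emails');
    $email = is_array($emails) ? reset($emails) : $emails;
    if (empty($email) || !validate_email($email)) {
        return null;
    }
    $email = core_text::strtolower(trim($email));

    // Case-insensitive match, non-deleted accounts of this site only.
    $candidates = $DB->get_records_select('user',
        'LOWER(email) = :email AND deleted = 0 AND mnethostid = :mnethostid',
        ['email' => $email, 'mnethostid' => $CFG->mnet_localhost_id]);

    // With allowaccountssameemail enabled several accounts may share one address;
    // never guess which of them the login belongs to.
    if (count($candidates) !== 1) {
        return null;
    }
    $user = reset($candidates);

    // Only adopt accounts whose auth method is explicitly linkable (e.g. 'manual,email').
    // Adopting an 'ldap' or other SSO account on an e-mail match alone would let a B2C
    // signup impersonate an account controlled by a different identity provider.
    $linkable = array_filter(array_map('trim',
        explode(',', (string) get_config('auth_azureb2c', 'linkableauths'))));
    if ($user->auth !== 'azureb2c' && !in_array($user->auth, $linkable, true)) {
        return null;
    }
    return $user;
}

/**
 * Switch a matched account to the B2C auth method so later logins hit it directly.
 */
function auth_azureb2c_link_user(stdClass $user) {
    global $DB;
    if ($user->auth !== 'azureb2c') {
        $DB->set_field('user', 'auth', 'azureb2c', ['id' => $user->id]);
        $user->auth = 'azureb2c';
    }
    return $user;
}
```

Whether e-mail linking is acceptable at all depends on the B2C policy: it is only safe if every identity provider federated into the sign-up/sign-in policy proves ownership of the address it asserts. If a social provider can pass through an unverified address, an attacker who registers a B2C account with a victim's e-mail would be logged into the victim's Moodle account, which is why the example keeps the behaviour behind an opt-in setting.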

geoffreyvanwyk commented 1 year ago

@pugwashmsc it appears that your Moodle allows different accounts to have the same email address. To see if this is the case, go to Site Administration / Plugins / Authentication / Manage Authentication, then see whether the setting Allow accounts with same email (allowaccountssameemail) is enabled. By default it is disabled, which means somebody made the conscious decision to enable it, so it is probably best not to change that.

To get around this issue, without changing that setting, you could remove the new duplicate user, then change the Choose an Authentication Method field of the original user to Azure AD B2C Connect. When the user logs in via B2C again, they should be logged into their original account.
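The manual fix above (delete the duplicate, switch the original account's authentication method to Azure AD B2C Connect) can be scripted for sites where more than one user hit the problem. The script below is an added example and is not part of the plugin or of Moodle. It assumes the plugin auth type is `azureb2c`, that the file sits in `admin/cli/` so the relative `config.php` path resolves, and that it is run as the web server user. It refuses to act unless it finds exactly one original account and exactly one B2C duplicate for the address, and it will not delete a duplicate that has already collected course enrolments.

```php
<?php
// Added example (not the plugin's or Moodle's own code): relink one B2C login to the
// original Moodle account. Assumptions: plugin auth type 'azureb2c'; placed in admin/cli/.
define('CLI_SCRIPT', true);
require(__DIR__ . '/../../config.php');
require_once($CFG->libdir . '/clilib.php');

list($options, $unrecognized) = cli_get_params(
    ['email' => null, 'run' => false, 'help' => false],
    ['e' => 'email', 'h' => 'help']);

if ($options['help'] || empty($options['email'])) {
    cli_writeln('Usage: php relink_b2c_user.php --email=user@example.org [--run]');
    cli_writeln('Without --run the script only reports what it would do.');
    exit(0);
}

global $DB;
$email = core_text::strtolower(trim($options['email']));
$users = $DB->get_records_select('user', 'LOWER(email) = :email AND deleted = 0',
    ['email' => $email], 'id ASC');

// The duplicate is the account the plugin created; the original uses some other auth method.
$dupes = array_filter($users, function($u) { return $u->auth === 'azureb2c'; });
$originals = array_filter($users, function($u) { return $u->auth !== 'azureb2c'; });

// Refuse ambiguous situations rather than guess.
if (count($originals) !== 1 || count($dupes) !== 1) {
    cli_error(sprintf('Expected 1 original and 1 B2C duplicate for %s, found %d and %d',
        $email, count($originals), count($dupes)), 1);
}
$original = reset($originals);
$dupe = reset($dupes);

// If the duplicate has already been enrolled somewhere, deleting it would lose data.
if (!empty(enrol_get_all_users_courses($dupe->id))) {
    cli_error("Duplicate user {$dupe->id} already has course enrolments; merge manually.", 1);
}

cli_writeln("Original user {$original->id} ({$original->username}, auth={$original->auth})");
cli_writeln("Duplicate user {$dupe->id} ({$dupe->username}, auth={$dupe->auth})");
if (!$options['run']) {
    cli_writeln('Dry run only; re-run with --run to apply.');
    exit(0);
}

// delete_user() soft-deletes and renames the row, so the address is unique again afterwards.
delete_user($dupe);
$DB->set_field('user', 'auth', 'azureb2c', ['id' => $original->id]);
// Drop any live sessions so the user's next login goes through B2C onto the original account.
\core\session\manager::kill_user_sessions($original->id);
cli_writeln('Done. The next B2C login with this e-mail address will land on the original account.');
```

Run it once without `--run` to review which two accounts it selected, then with `--run` to apply. Matching on `user.auth` rather than on creation time is what keeps the script from confusing the two accounts when they share the same address.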