catalyst / moodle-auth_userkey

Log in to Moodle using a one-time, user-key-based login URL. Auth plugin for organising simple SSO (single sign-on) between Moodle and your external web application.
https://moodle.org/plugins/auth_userkey

Allow Users to login directly to moodle or with Auth #98

Open baffourt opened 10 months ago

baffourt commented 10 months ago

There is a need in my scenario to allow existing users to log in to Moodle either directly or through this plugin. I don't have a problem logging in with moodle_auth_userkey. The problem occurs when the existing user, after going through this login, in a future situation has to log in to Moodle directly without going through here. In that situation, Moodle complains about an invalid login and does not allow the user unless the user continues to go through with auth_userkey.

dmitriim commented 10 months ago

Hi @baffourt, I think it's by design, so you either let users log in externally or internally. Do you have any example of external auth methods that allow that?

baffourt commented 10 months ago

OK, unfortunately, I don't have any example of that. I just had a user requesting that just yesterday, when he used our internal app to log in through auth_userkey and then wanted to log in directly to Moodle later on, but his login credentials no longer worked.

dmitriim commented 10 months ago

Hmmm, I'm on the fence here. It sounds like a bug to me.

So it looks like we let users with other auth types log in using auth_userkey, but when we log them in we set their auth method to userkey, which prevents them from logging in using their original auth method.

It feels like we shouldn't let internal users log in using auth key, or should not update their auth method.

dmitriim commented 10 months ago

Seems like this is similar to https://github.com/catalyst/moodle-auth_userkey/issues/26 and we even had an attempt to add a new setting for that here: https://github.com/catalyst/moodle-auth_userkey/pull/25

dmitriim commented 10 months ago

So what we want here is:

PR is welcome!

baffourt commented 10 months ago

I don't think of this as a bug. I rather think users who had an original auth method different from auth_userkey should still be allowed to log in with auth_userkey, but then update the auth method on logout to the original auth method. If there's a way to monitor logout from Moodle, if the user does not log out and just closes the browser, then we maintain the auth_userkey method for him until he logs out.

And maintain users who don't originally have an auth method on auth_userkey.

Or let us not change the auth method at all for users with a different auth type, if we can still use auth_userkey to log in such a user without changing the auth type.

Does this make sense?

dmitriim commented 10 months ago

Well, it does and doesn't :) Moodle has always incorrectly conflated identity vs authentication. So I don't think we should manipulate auth methods unless we are actually creating a user.