microsoft / o365-moodle

Office 365 and Azure Active Directory plugins for Moodle
GNU General Public License v3.0

Unable to get a user token to access Moodle web services when using oidc auth code flow #1888

Open charlesmulder opened 3 years ago

charlesmulder commented 3 years ago

When using Moodle manual login I am able to get a Moodle web service token for a specific user.

MOODLE_USERNAME=
MOODLE_PASSWORD=
MOODLE_WEBSERVICE=moodle_mobile_app

curl "http://moodle.example.com/login/token.php?username=$MOODLE_USERNAME&password=$MOODLE_PASSWORD&service=$MOODLE_WEBSERVICE" | jq

We are using oidc auth code flow to allow for single signon, but also require fetching Moodle webservice tokens from Moodle.

My expectation was that I would be able to request a Moodle token by including an authorization header containing a bearer token from identity provider in token request. Something along the lines of

BEARER_TOKEN=
curl -H "Authorization: Bearer $BEARER_TOKEN" "http://moodle.example.com/login/token.php?username=$MOODLE_USERNAME&password=$MOODLE_PASSWORD&service=$MOODLE_WEBSERVICE"

Or possibly replace the Moodle token with my bearer token eg.

curl --data "wstoken=$BEARER_TOKEN&wsfunction=core_course_get_courses&moodlewsrestformat=json" "http://moodle.example.com/webservice/rest/server.php"

However, the only way to retrieve a token is by adding code as a query parameter containing the auth code.

AUTHCODE=
curl "http://moodle.example.com/login/token.php?username=$MOODLE_USERNAME&password=$MOODLE_PASSWORD&service=$MOODLE_WEBSERVICE&code=$AUTHCODE"

We are using Keycloak as our identity provider. The auth code is made up of 3 UUIDs joined by full stops. The 2nd segment is a session id and the 3rd segment is the client id. However, we haven't been able to figure out what the 1st segment is.

I would appreciate hearing your thoughts on the matter.

Thanks for reading. C
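As an added example (not code from the o365-moodle project or from anyone in this thread), here is the two-step flow from the post above written as a small Python client: obtain a web-service token from login/token.php, then call a function on webservice/rest/server.php with it. It assumes both Moodle endpoints accept POST form bodies (so the password and token are not carried in the URL query string, where they would be recorded in web-server and proxy access logs), and it checks for Moodle's JSON error shapes on both endpoints. The stub HTTP server, user, password and token values are constructed here so the script runs offline.

```python
import json
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


class MoodleWsError(Exception):
    """Raised when Moodle answers with an error body instead of a result."""


def _post_form(url, fields):
    # Credentials and tokens go in the POST body, not the query string.
    body = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.loads(resp.read().decode())


def get_moodle_token(base_url, username, password, service):
    """Step 1: exchange username/password for a web-service token."""
    data = _post_form(f"{base_url}/login/token.php",
                      {"username": username, "password": password, "service": service})
    if "token" not in data:  # token.php reports failures as {"error", "errorcode"}
        raise MoodleWsError(f"{data.get('errorcode')}: {data.get('error')}")
    return data["token"]


def call_ws(base_url, token, wsfunction, **params):
    """Step 2: call a web-service function with the token as wstoken."""
    fields = {"wstoken": token, "wsfunction": wsfunction, "moodlewsrestformat": "json"}
    fields.update(params)
    data = _post_form(f"{base_url}/webservice/rest/server.php", fields)
    if isinstance(data, dict) and "exception" in data:  # REST server error shape
        raise MoodleWsError(f"{data.get('errorcode')}: {data.get('message')}")
    return data


# Constructed values for the offline stub; not real credentials.
CONSTRUCTED_USER = "alice"
CONSTRUCTED_PASSWORD = "correct horse battery"
CONSTRUCTED_TOKEN = "0123456789abcdef0123456789abcdef"


class _StubMoodle(BaseHTTPRequestHandler):
    """Minimal stand-in for the two Moodle endpoints (constructed for this demo)."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        fields = dict(urllib.parse.parse_qsl(self.rfile.read(length).decode()))
        if self.path == "/login/token.php":
            creds = (fields.get("username"), fields.get("password"))
            if creds == (CONSTRUCTED_USER, CONSTRUCTED_PASSWORD):
                reply = {"token": CONSTRUCTED_TOKEN}
            else:
                reply = {"error": "Invalid login, please try again", "errorcode": "invalidlogin"}
        elif self.path == "/webservice/rest/server.php":
            if fields.get("wstoken") != CONSTRUCTED_TOKEN:
                reply = {"exception": "moodle_exception", "errorcode": "invalidtoken",
                         "message": "Invalid token - token not found"}
            else:
                reply = [{"id": 1, "shortname": "site"}]
        else:
            reply = {"error": "unknown path", "errorcode": "notfound"}
        out = json.dumps(reply).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(out)))
        self.end_headers()
        self.wfile.write(out)

    def log_message(self, *args):
        pass  # keep the demo output quiet


def run_demo():
    """Run the happy path and both failure modes against the local stub."""
    server = HTTPServer(("127.0.0.1", 0), _StubMoodle)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    result = {}
    try:
        result["token"] = get_moodle_token(base, CONSTRUCTED_USER, CONSTRUCTED_PASSWORD,
                                           "moodle_mobile_app")
        result["courses"] = call_ws(base, result["token"], "core_course_get_courses")
        try:
            get_moodle_token(base, CONSTRUCTED_USER, "wrong", "moodle_mobile_app")
        except MoodleWsError as e:
            result["bad_login"] = str(e)
        try:
            call_ws(base, "not-a-token", "core_course_get_courses")
        except MoodleWsError as e:
            result["bad_token"] = str(e)
    finally:
        server.shutdown()
        server.server_close()
    return result


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Running the file prints the token, the course list, and the two error strings. Against a real site the base URL must be https://; the plain http:// URLs in the post above would send the password and the long-lived token in clear text, whichever HTTP method carries them.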

weilai-irl commented 3 years ago

Hi @charlesmulder,

I understand the starting point of your question. I haven't tried to use auth_oidc along with the mobile app, but your point seems to be valid.

However, it looks like the changes required are in /login/token.php, which is out of the scope and control of the Microsoft plugins. Maybe try to raise it in the Moodle tracker? I suppose the problem you mentioned would apply to all authentication plugins that don't store passwords in the Moodle DB, so there's a chance that there are already similar questions in the Moodle tracker or forum. You may want to check that first.

Regards, Lai

charlesmulder commented 3 years ago

Dear @weilai-irl

Thank you for your response. I will do as you suggested and revert with relevant feedback.

C

charlesmulder commented 3 years ago

@weilai-irl I don't find any relevant issues on the Moodle tracker. I'll create a new one. Any suggestions or improvements to the clarity of the issue description are appreciated.

charlesmulder commented 3 years ago

Issue on Moodle tracker https://tracker.moodle.org/browse/MDL-73071

SouheirSiren commented 1 year ago

@charlesmulder did you find a solution for your problem? If yes, can you please share, because I'm trying to do the exact same thing right now but I can't figure it out.

charlesmulder commented 1 year ago

Hi @SouheirSiren

Don't recall resolving this issue. Think I settled for using Moodle tokens to query the Moodle API.