microsoft / o365-moodle

Office 365 and Azure Active Directory plugins for Moodle
GNU General Public License v3.0

M365 Integration - Error when attempting to provide "Admin consent" #1914

Open BloodBaz opened 2 years ago

BloodBaz commented 2 years ago

Hello,

We're in the process of setting up Microsoft 365 Integration and are following the steps outlined in this well-written documentation here: https://docs.moodle.org/311/en/Microsoft_365

We've gone through the process of creating the "Application" in Azure and used the PowerShell script to configure it and generate an AppID and Token.

We're now on Step 4.1 of Configure the Microsoft 365 support plugin, where we log into Azure with an Administrator account to approve new permissions. After logging in, the browser sits on the URL "https://login.microsoftonline.com/common/Consent/Set" for about 30 seconds and is then redirected back to Moodle "https://www2.derbylearn.net/auth/oidc/" with the following error in a pink box:

Error in OpenID Connect. Please check logs for more information. More information about this error [https://docs.moodle.org/311/en/error/auth_oidc/erroroidccall]

I've checked the php error log but there's no additional information there:

[03-Dec-2021 12:13:11 Europe/London] Default exception handler: Unknown state. Debug: 

Error code: errorauthunknownstate
* line 198 of \auth\oidc\classes\loginflow\authcode.php: moodle_exception thrown
* line 114 of \auth\oidc\classes\loginflow\authcode.php: call to auth_oidc\loginflow\authcode->handleauthresponse()
* line 165 of \auth\oidc\auth.php: call to auth_oidc\loginflow\authcode->handleredirect()
* line 29 of \auth\oidc\index.php: call to auth_plugin_oidc->handleredirect()
[03-Dec-2021 12:27:52 Europe/London] Default exception handler: Error in OpenID Connect. Please check logs for more information. Debug: 
Error code: erroroidccall
* line 47 of \auth\oidc\classes\utils.php: moodle_exception thrown
* line 282 of \auth\oidc\classes\oidcclient.php: call to auth_oidc\utils::process_json_response()
* line 213 of \auth\oidc\classes\loginflow\authcode.php: call to auth_oidc\oidcclient->tokenrequest()
* line 114 of \auth\oidc\classes\loginflow\authcode.php: call to auth_oidc\loginflow\authcode->handleauthresponse()
* line 165 of \auth\oidc\auth.php: call to auth_oidc\loginflow\authcode->handleredirect()
* line 29 of \auth\oidc\index.php: call to auth_plugin_oidc->handleredirect()

We're not sure how to proceed from this step as we're totally dependent on the instructions.

[Image 1] [Image 2]

Thanks,
Chris
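Added example, not part of the original thread or the plugin's code: a small Python parser for the PHP error log format quoted in the post above, reporting for each entry which step of the redirect handling threw. The sample is copied from that log with the outer frames trimmed, and the step labels in `failing_step` are this example's own wording, read off the method names in the stack frames.

```python
import re

# Two entries copied from the PHP error log quoted in the issue (outer frames trimmed).
SAMPLE_LOG = r"""[03-Dec-2021 12:13:11 Europe/London] Default exception handler: Unknown state. Debug: 

Error code: errorauthunknownstate
* line 198 of \auth\oidc\classes\loginflow\authcode.php: moodle_exception thrown
* line 114 of \auth\oidc\classes\loginflow\authcode.php: call to auth_oidc\loginflow\authcode->handleauthresponse()
[03-Dec-2021 12:27:52 Europe/London] Default exception handler: Error in OpenID Connect. Please check logs for more information. Debug: 
Error code: erroroidccall
* line 47 of \auth\oidc\classes\utils.php: moodle_exception thrown
* line 282 of \auth\oidc\classes\oidcclient.php: call to auth_oidc\utils::process_json_response()
* line 213 of \auth\oidc\classes\loginflow\authcode.php: call to auth_oidc\oidcclient->tokenrequest()
* line 114 of \auth\oidc\classes\loginflow\authcode.php: call to auth_oidc\loginflow\authcode->handleauthresponse()
"""

HEADER = re.compile(r"^\[(?P<ts>[^\]]+)\] Default exception handler: (?P<msg>.*?) Debug:")
CODE = re.compile(r"^Error code: (?P<code>\S+)")
FRAME = re.compile(r"^\* line (?P<line>\d+) of (?P<file>\S+): (?P<what>.+)$")

def parse_entries(text):
    """Split a Moodle PHP error log into one dict per exception entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if (m := HEADER.match(line)):
            entries.append({"ts": m["ts"], "msg": m["msg"], "code": None, "frames": []})
        elif entries and (m := CODE.match(line)):
            entries[-1]["code"] = m["code"]
        elif entries and (m := FRAME.match(line)):
            entries[-1]["frames"].append((m["file"], int(m["line"]), m["what"]))
    return entries

def failing_step(entry):
    """Name the step of the redirect handling that threw, from the frames alone."""
    calls = " ".join(what for _, _, what in entry["frames"])
    if "tokenrequest()" in calls:
        return "token request (process_json_response threw)"
    if "handleauthresponse()" in calls:
        return "auth response handling, before any token request"
    return "outside the auth code flow"

if __name__ == "__main__":
    for e in parse_entries(SAMPLE_LOG):
        print(e["ts"], e["code"], "->", failing_step(e))
```

Run over the quoted log, this separates the 12:13:11 entry, which was thrown inside `handleauthresponse()` with no token request in the trace, from the 12:27:52 entry, which was thrown while processing the response to `tokenrequest()`.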

weilai-irl commented 2 years ago

Hi @BloodBaz,

First of all, please clarify your Moodle version and the Microsoft plugins version (auth_oidc and local_o365 at least).

Regarding the particular error you got - could you confirm if the user who tries to provide admin consent can log in to the Moodle site using the OpenID Connect authentication type, please? Basic authentication integration should work as long as the Azure application ID and secret are set (assuming auth_oidc uses default configuration and is enabled, of course).

Normally the request to https://login.microsoftonline.com/common/Consent/Set should take less than 1 second and will have a response status 200. You can turn on the developer console in your browser and verify it in the network tab; ensure you have "Preserve log" or an equivalent option checked so that it doesn't get removed by subsequent requests. After the request to https://login.microsoftonline.com/common/Consent/Set ends, the user will be redirected to https://url.to.moodle/auth/oidc. At this time, if the user is already logged in, she will simply be redirected back to the local_o365 configuration page; in the unlikely event where the user isn't logged in (which I can't think of how this could happen), the user will be authenticated using the ID token, and then redirected. Your error seems to suggest that it's trying to authenticate the user, but the admin block in the screenshot suggests the user is logged in, which is strange.

Please try to provide admin consent again and see if you see the same behaviour.

Regards, Lai

EiffelD commented 11 months ago

Hi @BloodBaz,

Just checking if you managed to get this to work?