microsoft / o365-moodle

Office 365 and Azure Active Directory plugins for Moodle
GNU General Public License v3.0

auto-login feature #2156

Closed aspark21 closed 4 months ago

aspark21 commented 2 years ago

This was one of the really nice features we saw with going down the auth_saml2 route but have now committed to using auth_oidc. It would detect if the user was logged in with the IDP and if so then would redirect them & log them in without any interaction required (https://github.com/catalyst/moodle-auth_saml2/pull/426)

It importantly does not redirect all users all the time, just the ones that are logged in, which could make them be logged in to Moodle completely transparently.

We would be willing to support the implementation of this feature in whichever way (our devs, funding, etc).

weilai-irl commented 2 years ago

Hi @aspark21,

Thank you for reporting this. I'll discuss the feasibility of this work with my team and get back to you soon.

Regards, Lai

weilai-irl commented 2 years ago

Hi @aspark21,

I think I may need some clarification on the feature required, and if I understand it correctly, the auth_oidc plugin can already do it.

The main configuration relevant is Force redirect in auth_oidc (auth_oidc | forceredirect). If enabled, users trying to access the login page will skip the login index page and redirect to the OpenID Connect page. So if there is only one active user login in the browser session, the browser will try to log in as this user.

There is another remotely relevant setting Force users to log in in Administration => Security => Site security settings (forcelogin). If enabled, users will be required to login to see anything on the site. Effectively this will trigger a redirect to the login page.

So if I understand your requirement correctly, using the combination of the two settings (or even the first one alone) should achieve what you want.

Obviously, if there are multiple active user logins in the browser session, or if the login attempt using the active user failed (e.g. because the user is from a different tenant), users will still see the login page. This would be the expected result.

Please review the answer and let us know if this isn't what's required.

Regards, Lai

aspark21 commented 2 years ago

Hi Lai,

That's why I mentioned "It importantly does not redirect all users all the time, just the ones that are logged in, which could make them be logged in to Moodle completely transparently."

Our site allows Moodle Guest Login and also has manual accounts for testing purposes, so redirecting everyone to AAD authentication is not an option and forcing users to log in isn't either.

Thanks Alistair

weilai-irl commented 5 months ago

Hi @aspark21

This is indeed related to the latest PRs #2562, #2563 and #2564. We eventually found a way to implement this, using prompt=none for the prompt optional parameter in the authorization code request. See https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-auth-code-flow.

A new setting is to be added to the auth_oidc plugin configuration. See the provisional description of the setting for details.

[Screenshot 2024-05-28 at 17:16:38: provisional description of the new auth_oidc setting]

Regards, Lai
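The mechanism Lai describes above, as an added example that is not code from the o365-moodle project or from this thread: an authorization code request carrying prompt=none asks the identity provider to answer without showing any UI, so a user who already has an Entra session comes back with a code, while everyone else comes back with an error such as login_required that the site must treat as "not signed in" and fall through to its normal login page (which is what keeps guest and manual-account users unaffected). The tenant, client id and redirect URI are placeholders; the authorize endpoint path follows the Entra v2.0 documentation linked above, and the error codes are the standard OIDC/OAuth 2.0 ones for a failed non-interactive request.

```python
"""Silent OIDC sign-in probe with prompt=none: request construction and
callback classification. Added illustration, not the auth_oidc plugin's code.
"""
import secrets
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumptions (placeholders, not values from the thread):
TENANT = "contoso.example"                              # tenant id or verified domain
CLIENT_ID = "00000000-0000-0000-0000-000000000000"      # app registration id
REDIRECT_URI = "https://moodle.example/auth/oidc/"      # registered redirect URI

# Entra ID v2.0 authorize endpoint, per the auth-code-flow docs linked above.
AUTHORIZE = f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/authorize"

# With prompt=none the IdP may not show UI; if it would have to, it returns one
# of these errors. For an auto-login probe they are expected outcomes, not
# failures, and must not be surfaced to the user as a login error.
SILENT_AUTH_EXPECTED_ERRORS = {
    "login_required",
    "interaction_required",
    "consent_required",
    "account_selection_required",
}


def new_state() -> str:
    """Unguessable state value binding the callback to this request."""
    return secrets.token_urlsafe(32)


def build_silent_auth_request(state: str, nonce: str) -> str:
    """Authorization code request that must succeed or fail without interaction."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email",
        "response_mode": "query",
        "state": state,
        "nonce": nonce,
        "prompt": "none",           # the parameter the thread is about
    }
    return f"{AUTHORIZE}?{urlencode(params)}"


def classify_callback(callback_url: str, expected_state: str) -> Tuple[str, Optional[str]]:
    """Decide what the site should do with the IdP's redirect back to it.

    Returns (outcome, detail):
      ("code", <authorization code>)  exchange it at the token endpoint, log the user in
      ("no_session", <error code>)    user has no usable IdP session: show the normal
                                      Moodle login page (guest, manual, or OIDC button)
      ("error", <error code>)         a real failure: log it, then show the login page
      ("state_mismatch", None)        not a response to a request we issued: ignore it
    """
    q = parse_qs(urlsplit(callback_url).query)
    if q.get("state", [None])[0] != expected_state:
        return ("state_mismatch", None)
    if "code" in q:
        return ("code", q["code"][0])
    err = q.get("error", [None])[0]
    if err in SILENT_AUTH_EXPECTED_ERRORS:
        return ("no_session", err)
    return ("error", err)


if __name__ == "__main__":
    state = new_state()
    print(build_silent_auth_request(state, secrets.token_urlsafe(16)))
    # Constructed sample callbacks, as the browser would deliver them to REDIRECT_URI.
    for sample in (
        f"{REDIRECT_URI}?code=AUTHCODE&state={state}",
        f"{REDIRECT_URI}?error=login_required&error_description=AADSTS50058&state={state}",
        f"{REDIRECT_URI}?error=invalid_client&state={state}",
        f"{REDIRECT_URI}?code=AUTHCODE&state=not-ours",
    ):
        print(classify_callback(sample, state))
```

Two points worth keeping when wiring this into a site: the probe should be issued once per browser session and its "no_session" outcome remembered, otherwise every anonymous page view round-trips to the IdP; and the state check is what stops a crafted callback from being accepted as the result of a request the site never made.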

weilai-irl commented 4 months ago

Hi @aspark21

This feature has been included in releases 4.1.7, 4.2.6 and 4.3.4 on 2 July 2024. Please check out the latest version of the plugins to test and use this feature.

Regards, Lai