microsoft / o365-moodle

Office 365 and Azure Active Directory plugins for Moodle
GNU General Public License v3.0

Auth OIDC throws id_token in first login #2685

Open Doc94 opened 1 month ago

Doc94 commented 1 month ago

I just updated the OIDC plugin and installed the O365 plugin, but when I try to join using SSO with a new account I get this error. [image] Based on the code, the first time that line checks two vars to be non-empty, but in all cases the second can be empty; if by any chance I change that line to check only if the first and second var are empty, to bypass this error, then the error does not happen again. ref: https://github.com/microsoft/o365-moodle/blob/master/auth/oidc/classes/loginflow/base.php#L657

weilai-irl commented 1 month ago

Hi @Doc94

This is most likely caused by you not having set a binding username token claim in the auth_oidc plugin. Please do so at https://url.to.moodle/auth/oidc/binding_username_claim.php, and make sure you save changes on that page, even if you select the default "Choose automatically" option.

I'll make a change for the next release to set it to this value if nothing is configured.

FYI, it's unsafe to comment out that line. The token record stored would be incomplete.

Regards, Lai

Doc94 commented 1 month ago

Hi, I set that like this. [image]

But it still has the error. However, I noticed the note about which version of Microsoft is being used: email is for v2, and after the update I still have v1. I changed to upn to use email and it works again; later I can migrate to v2 to use email... Maybe the error could be more detailed to point out these things?

Many thanks.

weilai-irl commented 1 month ago

Hi @Doc94

Please read the instructions on the configuration page carefully and follow all the steps. This is an advanced feature and requires the site admin to fully understand what needs to be changed in Moodle, and what claims are available in your tokens. In most cases, this should be left at the default settings.

To be specific to the issue in your case, email is not a default claim in either the ID or access token in the OAuth 2.0 implementation on Entra ID. You'll need to add it as an optional claim for your configuration to work.

Regards, Lai
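To make the point above concrete, here is an added example (not code from the o365-moodle plugin) that decodes the payload of an ID token and reports whether the configured binding claim is actually present, which is the kind of detail an admin needs when the automatic choice or a hand-picked claim like `email` turns out to be absent from the token. It assumes a constructed, unsigned sample token whose payload resembles a v1.0 Entra ID token (carrying `upn` but no `email`); the `ver` claim value and the helper names are assumptions, and signature verification is deliberately left to the plugin.

```php
<?php
// Added example (not part of the o365-moodle plugin): inspect which claims an
// ID token carries so the binding username claim configured in auth_oidc can
// be checked against them before users hit a bare "missing value" error.
// Only the payload is decoded; signature verification remains the plugin's job.

function base64url_decode(string $data): ?string {
    // base64url uses '-' and '_' and drops padding; restore both before decoding.
    $padlen = (4 - strlen($data) % 4) % 4;
    $padded = str_pad(strtr($data, '-_', '+/'), strlen($data) + $padlen, '=');
    $decoded = base64_decode($padded, true);
    return $decoded === false ? null : $decoded;
}

function id_token_claims(string $idtoken): array {
    $parts = explode('.', $idtoken);
    if (count($parts) !== 3) {
        throw new InvalidArgumentException('Not a compact JWS: expected 3 dot-separated segments');
    }
    $json = base64url_decode($parts[1]);
    if ($json === null) {
        throw new InvalidArgumentException('Payload segment is not valid base64url');
    }
    $claims = json_decode($json, true);
    if (!is_array($claims)) {
        throw new InvalidArgumentException('Payload is not a JSON object');
    }
    return $claims;
}

/**
 * Report whether the configured binding claim is present and non-empty.
 * Returns a readable message naming the missing claim and listing the claims
 * that are present, instead of failing on an empty value deep in the login flow.
 */
function check_binding_claim(array $claims, string $bindingclaim): string {
    if (!empty($claims[$bindingclaim])) {
        return "OK: binding claim '$bindingclaim' = '{$claims[$bindingclaim]}'";
    }
    $present = implode(', ', array_keys($claims));
    return "Missing: claim '$bindingclaim' is absent or empty in the ID token. "
         . "Claims present: $present. For a v2.0 Entra ID token, 'email' must be "
         . "added as an optional claim; v1.0 tokens typically carry 'upn' instead.";
}

// Constructed sample (assumption): a v1.0-style payload with 'upn' but no 'email'.
// Header and signature segments are dummies; a real token would be signed.
$payload = ['ver' => '1.0', 'upn' => 'jane@example.com', 'sub' => 'abc123', 'aud' => 'client-id'];
$b64url = fn(string $s): string => rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
$sample = $b64url('{"alg":"none"}') . '.' . $b64url(json_encode($payload)) . '.sig';

$claims = id_token_claims($sample);
echo check_binding_claim($claims, 'upn'), PHP_EOL;
echo check_binding_claim($claims, 'email'), PHP_EOL;
```

Running this against a real token (for instance one captured in the plugin's own token record) shows at a glance whether `email` was ever issued, which separates a missing optional-claim configuration in Entra ID from a plugin-side problem.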

Doc94 commented 1 month ago

> Hi @Doc94
>
> Please read the instructions on the configuration page carefully and follow all the steps. This is an advanced feature and requires the site admin to fully understand what needs to be changed in Moodle, and what claims are available in your tokens. In most cases, this should be left at the default settings.
>
> To be specific to the issue in your case, email is not a default claim in either the ID or access token in the OAuth 2.0 implementation on Entra ID. You'll need to add it as an optional claim for your configuration to work.
>
> Regards, Lai

Oh... Okay. Many thanks for the information.

magdesm commented 1 week ago

Hello @Doc94 ,

We encountered the same problem with one of our Moodle sites (version 4.3.8). Everything worked perfectly until we updated the auth_oidc plugin to version 4.3.6. The new features with the binding claim were set to automatic. We also did some tests by choosing "UPN" and "samaccountname", but it did not work. We had the same error as in your capture.

A rollback to plugin version 4.3.4 did the trick. We uninstalled local_o365 and updated auth_oidc to the latest version. The problem is resolved. Users are now able to log in. We manage a couple of Moodle sites with OIDC authentication. We encountered this issue exclusively on this Moodle.

I hope this can help!