up2university / single-sign-on

Up2U federated authentication service

Cannot login to CERNBox via Moodle #36

Status: Closed (michzimny closed this issue 6 years ago)

michzimny commented 6 years ago

We cannot log in to CERNbox via Moodle. We receive the message "error/Could not decode JSON token response".

The problem has already been reported a few weeks ago; this issue is just for the record.

A more detailed description by @athird:

The error appears in Moodle, but it’s because Moodle is receiving an error from the SSO (when CERNbox attempts to redirect back to Moodle during the OAuth process).

To authorise CERNbox and Moodle to talk to each other:

  1. Moodle redirects to CERNbox to authenticate.
  2. CERNbox detects that the user is already logged in over SSO and prompts for authorisation to allow Moodle to access CERNbox.
  3. The user agrees, and CERNbox redirects back to Moodle.

What ought to happen:

  1. Moodle receives a JSON object from CERNbox containing the relevant tokens.

What actually happens:

  1. Moodle receives an HTML string generated by GWDG servers saying that the browser has cookies disabled.

Since the string received can’t be decoded to JSON, Moodle shows the error you see.

athird commented 6 years ago

I sent an email update about this, but just to add it here too. The issue is that there is another step between 3 and 4:

3.5 Moodle makes another call to a CERNbox endpoint (the token endpoint) to upgrade the CERNbox authorisation code to a token.

But the CERNbox token endpoint redirects to SSO (because all of this is happening server-side and there are no cookies for it to read to detect login status). Really, OAuth endpoints shouldn't be behind a sign-on redirection in general, so the correct solution is to disable the redirects for these URLs in particular.

@ebocchi, can you add the CERNbox endpoint URLs as exceptions in the SSO config there, so that there's no redirection?

ebocchi commented 6 years ago

Fixed and answered in the corresponding email thread.
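The failure mode described in this thread (a server-to-server token exchange that carries no browser cookies, hits an SSO gateway, and gets an HTML "cookies disabled" page instead of the JSON token response) and the fix (exempting the OAuth token endpoint from SSO redirection) can be reproduced end to end without a network. The following is an added illustration, not code from the Up2U project, CERNbox, Moodle or the GWDG SSO; the path `/oauth/token`, the cookie name `SSO_SESSION`, the authorisation code `code-abc123`, the HTML page text and the exemption mechanism are all constructed stand-ins for whatever the real deployment uses. It also adds the one thing Moodle's error message lacks: a classifier that tells a JSON decode failure caused by an SSO bounce page apart from a genuinely broken response.

```python
import json
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

# Hypothetical names: the issue does not give the real CERNbox/SSO URLs or cookie names.
TOKEN_PATH = "/oauth/token"
# Constructed sample: one authorisation code that CERNbox issued to Moodle in step 3.
# (A real token endpoint would also make the code single-use; omitted here for brevity.)
ISSUED_CODES: Dict[str, Dict[str, str]] = {"code-abc123": {"client_id": "moodle", "user": "alice"}}


@dataclass
class Request:
    method: str
    path: str
    form: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    content_type: str
    body: str


Handler = Callable[[Request], Response]


def token_endpoint(req: Request) -> Response:
    """Target of step 3.5: swaps an authorisation code for tokens and answers in JSON."""
    grant = ISSUED_CODES.get(req.form.get("code", ""))
    if req.method != "POST" or grant is None or grant["client_id"] != req.form.get("client_id"):
        return Response(400, "application/json", json.dumps({"error": "invalid_grant"}))
    tokens = {"access_token": "at-" + grant["user"], "token_type": "Bearer", "expires_in": 3600}
    return Response(200, "application/json", json.dumps(tokens))


# Constructed stand-in for the HTML page the SSO layer returns when it finds no session.
SSO_COOKIE_PAGE = "<html><body>Your browser has cookies disabled. Please enable cookies to log in.</body></html>"


def sso_front(req: Request, backend: Handler, exempt_paths: Tuple[str, ...] = ()) -> Response:
    """SSO wrapper in front of every path: without a session cookie the caller gets the
    HTML bounce page, unless the path is on the exemption list (the fix from the thread)."""
    if req.path in exempt_paths or "SSO_SESSION" in req.cookies:
        return backend(req)
    return Response(200, "text/html", SSO_COOKIE_PAGE)


def classify_token_response(resp: Response) -> str:
    """'json' if the body parses, 'sso_html' if it is an HTML login/cookie page, else 'unknown'."""
    try:
        json.loads(resp.body)
        return "json"
    except ValueError:
        pass
    lowered = resp.body.lower()
    if "text/html" in resp.content_type and ("cookie" in lowered or "log in" in lowered or "login" in lowered):
        return "sso_html"
    return "unknown"


class TokenResponseError(Exception):
    pass


def exchange_code(code: str, server: Handler) -> Dict[str, object]:
    """Moodle-side step 3.5: a server-to-server POST, so no browser cookies travel with it."""
    req = Request("POST", TOKEN_PATH,
                  form={"grant_type": "authorization_code", "code": code, "client_id": "moodle"})
    resp = server(req)
    kind = classify_token_response(resp)
    if kind == "json":
        tokens = json.loads(resp.body)
        if "error" in tokens:
            raise TokenResponseError("token endpoint returned %s" % tokens["error"])
        return tokens
    hint = ""
    if kind == "sso_html":
        hint = " (body is an SSO login/cookie page: is the token endpoint exempted from SSO redirection?)"
    raise TokenResponseError("Could not decode JSON token response" + hint)


def broken_server(req: Request) -> Response:
    """Deployment as reported: the token endpoint sits behind the SSO redirect."""
    return sso_front(req, token_endpoint)


def fixed_server(req: Request) -> Response:
    """Deployment after the fix: the token endpoint is exempted from SSO redirection."""
    return sso_front(req, token_endpoint, exempt_paths=(TOKEN_PATH,))


def demo() -> Dict[str, str]:
    """Runs the exchange against both deployments; returns the access token or the error text."""
    results: Dict[str, str] = {}
    for name, server in (("token endpoint behind SSO", broken_server),
                         ("token endpoint exempted", fixed_server)):
        try:
            results[name] = exchange_code("code-abc123", server)["access_token"]
        except TokenResponseError as exc:
            results[name] = "ERROR: " + str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Running it shows the two deployments side by side: the unfixed one reproduces Moodle's "Could not decode JSON token response", now with the hint that the body was an SSO page, and the exempted one returns the bearer token. The classifier is deliberately content-based rather than status-based because the SSO page in this thread came back as a 200 with an HTML body, which is exactly why a plain JSON decode was the first thing to fail.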