Interesting....

I would really like to see something that is as trivial as humanly possible to develop peers for. I've lost count of how many SSO solutions I have coded for Moodle but all were written from scratch because I never managed to get my head around MNet (or needed the levels of security when, inevitably, both systems were on the same subnet behind a Firewall). In reality, that would probably mean a configurable level(s) of security - or plugins even.

It would seem very sensible to use existing technologies (e.g. OAuth as you suggest) rather than reinventing the proverbial wheel if at all possible.

Yes, I think it makes sense to use more standard mechanisms like OAuth and OpenID, now that we have them.  It would make integrating with other web applications easier, and I think that OAuth and OpenID together can (with a little creativity) already do much of what MNet does.

I would think that the integration between 2 applications should be seperate from the authentication scheme they use.

So that the administrator can set up the applications with any SSO Method (Shibboleth/SAML, OAuth2.0, OpenId) and as long as the user is authenticated on both sides with for instance a similiar username(or other configurable attribute), files/ can be transfered for that user.

Not quite got my head round how moodle exports the actual files to mahara yet but would be interested to find out how this currently works(any links or info?) to further brainstorm on any good and standards based solutions.

Have been thinking that it might be a good idea to use Web services e.g. REST or SOAP to replace the networking functionality. This would allow for any developer to easily write 3party software that could take advantage of any functions that mahara uses currently.

I'll do some more digging to see if this can somehow be done by extending the current Web Services/External Services functionality.

I'm reading through the OAuth specs, and I'm wondering what we would gain from OAuth over a plain token-based web service that Moodle already has (i.e. the "One system controlling Moodle with a token" flow in the Web Services overview page), and whether OAuth really is suitable.

• OAuth seems to be designed to allow two systems that are maintained by separate entities to share data, whereas from what I have seen, MNet is mostly used in situations where both ends are administered by the same people, in which case, it's easy to set up a special user, exchange a token, etc.
• OAuth only gives you authenticated web services in one direction, whereas MNet is bidirectional.  I think that it is possible to hack the protocol to get both directions, but that would be non-standard.
• The direction that OAuth gives us is the opposite from what we generally want.  For example, in the Moodle/Mahara case, currently Moodle is the identity provider and Mahara is the service provider.  That would make Moodle the OAuth server, and Mahara the OAuth client, which means that Mahara could make requests from Moodle, but not the other way around (without the above-mentioned protocol hacking).  But the portfolio and repository APIs want to communicate the other way around -- with Moodle making function calls to Mahara.
• OAuth generates a token for each user, which seems a bit wasteful in this situation.  For trusted systems, it's simpler to just use a single token for each networked connection.

From what I can tell, OAuth isn't a good match for an MNet replacement.  Am I wrong in my assessment here?

At the time I wrote the parent post to this, 2.3 seemed a long way off!  Now it's nearly here, but a solution to replace Mnet has not been fully decided, let alone implemented.   As such, nothing will be removed or changed and small bugs will continue being fixed in Mnet support for a while yet.

However, Dan Poltawski, who joined Moodle HQ in Perth today (yay!!) does have this as one of his first tasks.  He'll be coming up with some suggestions for Oauth2 implementations for Moodle and new web services to allow great integrations with Mahara.   Then we'll be putting those to the Mahara community and hopefully working with them to come up with a good joint plan going forward so that Moodle and Mahara can work well together.

While in principle it is great to see Moodle moving forwards, in some areas the changes introduced have a far reaching effect on courses designed and developed with third party plug-ins and partnering software in mind. The removal of MNET support is a backward step when carried out without a replacement system already in place. I have Moodle working together with Mahara, and many assignments and projects in place. In order to keep pace, and maintain security I have to update my Moodle platform regularly, and I now find that with the step to 2.4+ that all my work has effectively gone out the window. I really hope that Moodle/Mahara are going to find a solution to this highly valuable compatability issue since I am sure it affects more people than just me.

Has the planning for this progressed any further since December? 

Thx,

    Nick