Get user token

Get user token

by Nico L. -
Number of replies: 10

Hi, I have done a web service to create users using the standard web service 'moodle_user_create_users', now I want to identify users who can access this web service requiring user name and password, if  I get a token then the user can create users using this web service.

I am using Moodle 2.2 and I have seen this help,

How to get a user token

Moodle 2.2

Your client can call the script located in /login/token.php with a simple HTTP request. We highly recommend to do it securely with HTTPS. The required parameters are:

  • username
  • password
  • service shortname - The service shortname is usually hardcoded in the pre-build service (db/service.php files). Moodle administrator will be able to edit shortnames for service created on the fly: MDL-29807. If you want to use the Mobile service, its shortname is moodle_mobile_app. Also useful to know, the database shortname field can be found in the table named external_services.

Call: https://www.yourmoodle.com/login/token.php?username=USERNAME&password=PASSWORD&service=SERVICESHORTNAME //Moodle mobile service shortname => moodle_mobile_app

Get in return: {token:4ed876sd87g6d8f7g89fsg6987dfh78d}

Difference between Moodle versions

  • Moodle 2.2 and later: the script can generate user tokens for any service shortname (of course users must be allowed on the service, see How to create and enable a web service).
  • Moodle 2.1: the script can only generate tokens for the official built-in mobile service. However the script can returns tokens for other services, they just need to have been previously generated.

About service shortname

At the moment a service can have a shortname if you:

  • create the service as a built-in service (in db/services.php files)
  • add the shortname manually in the DB. Note: we'll add the admin UI for shortname later (MDL-30229)


Then I have added the below code in the field  'db/services.php files',

'moodle_webservice_get_token' => array(
'classname' => 'core_webservice_external',
'methodname' => 'get_user_token',
'classpath' => '/login/token.php',
'description' => 'Return token',
'type' => 'read',
),

but I can't see in Moodle the new funtction, I think I have to do the last step, 'add the shortname manually in the DB', but I don't know how to do this.

Any help would be appreciated.

Best Regards.

 

Average of ratings: -
In reply to Nico L.

Re: Get user token

by Jocelyn Ireson-Paine -

Hi Nico. I don't know about shortnames, but I may know why you can't see your new function in Moodle. If you change db/services.php , or any other part of your plugin, then I think Moodle only notices the change if you also increment  $plugin->version  in version.php . I recently posted the details of how I implemented a simple Web-service function that doubles its argument, in http://moodle.org/mod/forum/discuss.php?d=193789#p844079 . In that posting, I explained how I needed to update version.php before Moodle would notice my changes to the plugin.

I don't know what Moodle does if you don't have a version.php . In my Web services, I copy the one from the example "Hello World" Web service (which I posted detailed instructions for at http://moodle.org/mod/forum/discuss.php?d=193772#p844036 ). And I increment each time I edit the plugin. I then go to  Site administration > Notifications, and Moodle always shows the new plugin and asks me to press the Upgrade button to reinstall it.

Jocelyn


Average of ratings: Useful (1)
In reply to Jocelyn Ireson-Paine

Re: Get user token

by Nico L. -

Thanks Jocelyn, now I know how to add a new function updating the file 'version.php', but I have seen is obligatory to fill a classname before update the DB. 

Moodle documentation says I must use script '/login/token.php', but this script does not include a class, perhaps I have to implement a new class an include code from script 'token.php'. I want to be sure before do it.

Can anyone help me?

Thanks in advance.

Best regards.

 


Average of ratings: -
In reply to Nico L.

Re: Get user token

by Jérôme Mouneyrac -

Hi Nico,

/login/token.php should be called by your client with a simple https request (or http if not secured, but really not recommended when username/password are in transit). 

The script has been designed for workflow like this:

1- an user uses your mobile/web app
2- the user enters his username/password into the app
3- the app calls the Moodle script sending the username/password (simple HTTP/HTTPS request - GET/POST/AJAX/curl/...)
4- Moodle sends back the token (JSON format)
5- the app stores the token
6- the app can now call Moodle web service as a user 

Average of ratings: Useful (1)
In reply to Jérôme Mouneyrac

Re: Get user token

by Trushal Shah -

Nice one, 

I have one question 


https://www.yourmoodle.com/login/token.php?username=USERNAME&password=PASSWORD&service=SERVICESHORTNAME //Moodle mobile service shortname => moodle_mobile_app

Get in return: {token:4ed876sd87g6d8f7g89fsg6987dfh78d}

here we can create external service from moodle , then how we can identify that this user have assign this service , because in above URL we need to fill parameter of service moodel_mobile_app


for example i create service for student with name Moodle_student 

and fort teacher Moodle_teacher , here how to set service name for teacher and student dynamically 


https://www.yourmoodle.com/login/token.php?username=USERNAME&password=PASSWORD&service=Moodle_student


https://www.yourmoodle.com/login/token.php?username=USERNAME&password=PASSWORD&service=Moodle_teacher


how to check run time ?


Thanks



Average of ratings: -
In reply to Jocelyn Ireson-Paine

Re: Get user token

by Jérôme Mouneyrac -

Ahah I love it smile I updated the doc metionning it: http://docs.moodle.org/dev/Web_services_API#services.php smile

Average of ratings: -
In reply to Jérôme Mouneyrac

Re: Get user token

by Nico L. -

Thanks Jerome, I got it, but one last question, now I am using a token to call my service to read the user token, but, I think is not a good idea to harcode the admin user and this token in the side cliente webservice. 

Is it possible to call a webservice without use a token?

Now I have done this,

var token = "fddca90ce29536c3e7359d5c065bcf90";

var domainName = "http://localhost";

var urlParameters = "username=" + usuario.value +"&password=" + password.value + "&serviceshortname=CreateUsers";

var functionName = "moodle_webservice_get_token";

var serverurl = domainName + "/webservice/rest/server.php" + "?wstoken=" + token + "&wsfunction=" + functionName;

 

Thanks in advance.

Average of ratings: -
In reply to Nico L.

Re: Get user token

by Jérôme Mouneyrac -

Hi Nico,

in most use cases, you should not have to hardcode a token, neither username/password. However you most likely want to store the token.

You can have a look to Juan's HTML5 app. The app retrieves a token from the username/password and then store it. Then the app calls all web service functions with this token. The javascript code to retrieve a token and make a first web service call is around there.

Cheers,
Jerome 

Average of ratings: -
In reply to Jérôme Mouneyrac

Re: Get user token

by Javeria Qamar -

Hello Jerome,
I'm trying to retrieve a token using my android app but unable to do it as it gives the following respose:
error: unsupported redirect detected, script execution terminated.
Please help..

Average of ratings: -
In reply to Nico L.

Re: Get user token

by Joseph Pham -

Hi Nico

Thanks for this clear instruction. My team got a weird problem when applying this.

We use this API to get user token, we pass in username and password. But regardless of what password we use (even the wrong ones), correct token for this user is still returned! Only when we don't pass in password then return message will say we have no permission to perform this action. That's definitely not right. Could there be some settings somewhere that we misconfigured? Otherwise our system is open for intruders who only need to know some usernames.

The Tool we use to test this is POSTER plugin for Firefox. Our test system runs on localhost.

Thanks for your help.

Joseph

Average of ratings: -
In reply to Joseph Pham

Re: Get user token

by Bart Van Leeuwen -

I also had the problem that I could not use token.php to get a user token.. It appeared to be that I had a password for the user containing non-alphanumerical characters. This caused a UTF-8 problem.

In the settings I changed the requirement that a password must contain 1 non-alphanumeric character, so I could give the webservice user a alphabetic password. token.php worked OKE after that.

Average of ratings: -