I have a scenario where the user is logging on and purchasing access to courses on another site (fortunately on the same host). So I'm fairly confident that the /auth/db plugin will allow me to synch the users.
I'm a little unsure of whether it's going to logon propely. The ecommerce db stores the userid, email, username as normal text, but only stores a hash of the password. Can auth be configured to handle that?
However, they would like to be automatically logged in to moodle once they click whatever link it is they click on the ecommerce portal that gets them in - so they never see a logon screen or an edit screen for their profiles, or anything - it's all external data. I presume this is all ok?
/login/token.php doesn't quite meet my needs. I was hoping that there would be a simple token logon system that:
- accepted two parameters via GET - the username (or other unique id like email), and a timestamp
- encrypted the data using a pre-shared key so that it looks like /login/token.php?token=[encrypted string]
- If the username exists, and the timestamp is with tolerance (e.g. 5 minutes) then assume that the link is safe, extract the username and /auth/db/ plugin should handle the auth.
- The user is automatically enrolled in every course. In the future we might break this up so they get enrolled into all courses in a category depending on some ecommerce db flag, but not right now.
Just to make things a little trickier, the client also mentioned (in passing) that they might like to offer a couple of public courses that you don't have to log on to use. So can the auth plugin mix and match with anonymous access?
The token system is something I've done before for other LMS's and it's generally easy on both ends. You hard code in a key, decide on some relatively safe encryption scheme like blowfish, and time-stamp the data. I haven't seen enough of the code of moodle yet to know if there's something like that in here already. Otherwise I'll have to add it - this sort of thing would be a "local" plugin, right?