I have an external site that wants to consume information (read) for use on that students portal page in the external app. the webservice uses a token/instance of a user to provide context to the service page as usual. the app will be on demand for the individual learner.
how can I inform the external service caller of the token for a given user? Neither the Moodle site nor the external portal have SSL at this time (and won't) so the /login/token.php method of just sending across the username and password in plain text is highly undesirable. I want a non ssl secure way of generating then getting that token.
also, I have a custom auth plugin which logs people in from the external site as a single sign on. how can I make it so that process generates a new student token for each user that is created as they sign on?
My current thinking is:
- i could set up a cron job that generated tokens for users that don't yet have one
- i *might* be able to recode my auth plugin so that if a user is created an event is raised, then in my local plugin where my webserivce resides, consume the event and trigger the creation of the token for that user / webservice method.
- I still have no way of communicating the tokenid of the user back to the external portal site securely.
If all else fails, I'm probably going to have to get the external site to call a page that generates / returns the token id (encrypted, of course) directly which can then be used in the webservice call. This seems like a horrible hack to me.