I'm currently developing a web application which I need to integrate as closely as possible with Moodle. Essentially, I need to be able to 'share' authentication between the two sites. I'm building a couple of plugins to this end, and I'm hoping that the whole package could be incorporated as official at some stage. I was hoping someone could advise me if the approach I'm taking is acceptable from a security point of view, or, if not, what could be done to meet security requirements.
These are the application requirements:
- Users' login credentials are stored only in the Moodle database (only Moodle users can access the application)
- Users can log in to the application via a link from Moodle (plugin) or using the application login page (which uses a Moodle Webservice to authenticate login details)
- If users log in to the application, they can use a link to go to Moodle without having to re-authenticate.
The final requirement looks like the trickiest from a security point of view.
To achieve this I'm building a custom plugin. The application generates a temporary token for the user and hashes the username, expiry date and a secret key for verification. When the user is redirected to the plugin index page, it verifies the request token, and if successful logs the user in to Moodle and redirects them to the home page.
The following precautions are being taken:
- The secret key must be at least 20 characters and is hashed using SHA256
- Each installation will have its own auto-generated (but editable) secret key
- The temporary token has an expiry time of 5 minutes and is regenerated on each page load
Is this type of authentication viable for an official plugin? As far as I can tell it doesn't create any real vulnerabilities; but am I missing anything important?
Any feedback would be hugely appreciated!
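
Added example, not the poster's code or any Moodle plugin's own: a Python sketch of the token scheme the post describes, showing both the issuing side (the application) and the verifying side (the plugin). It assumes HMAC-SHA256 in place of a plain hash of the concatenated fields and adds a single-use check that the post does not mention; the function names and the in-memory `used` set (a stand-in for a server-side store) are hypothetical.

```python
import base64
import hashlib
import hmac
import time

TOKEN_TTL = 300  # seconds; the 5-minute expiry from the post


def _b64(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _mac(secret, payload):
    # Keyed MAC over the exact bytes that travel in the token.
    return hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(secret, username, now=None):
    """Application side: build '<b64 username>.<expiry>.<mac>'."""
    now = time.time() if now is None else now
    # Base64 keeps a '.' inside the username from shifting field boundaries.
    payload = f"{_b64(username.encode())}.{int(now) + TOKEN_TTL}"
    return f"{payload}.{_mac(secret, payload)}"


def verify_token(secret, token, used, now=None):
    """Plugin side: return the username if the token is valid, else None."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    user_b64, expires_s, mac = parts
    expected = _mac(secret, f"{user_b64}.{expires_s}")
    # Check the MAC first, in constant time, before trusting any field.
    if not hmac.compare_digest(expected.encode(), mac.encode()):
        return None
    if int(expires_s) < now:      # expired
        return None
    if mac in used:               # already redeemed once: reject the replay
        return None
    used.add(mac)
    padded = user_b64 + "=" * (-len(user_b64) % 4)
    return base64.urlsafe_b64decode(padded).decode()


if __name__ == "__main__":
    secret = b"constructed-demo-secret-0123456789"  # constructed sample key
    spent = set()
    tok = issue_token(secret, "alice")
    print(verify_token(secret, tok, spent))  # first use succeeds
    print(verify_token(secret, tok, spent))  # second use is rejected
```

In a deployment the `used` set would be a shared store whose entries are dropped once the token's expiry has passed.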