SSO App - External Password Reset


by Aaron Leggett -

Hey Guys,

We are currently developing a mobile app that has Single Sign On (SSO) into a Moodle 2.6 instance.
When logging in, we require a 'Forgot your password' button that we had hoped would hook into Moodle and send the Moodle password reset email to the given email address.

We have hacked together a method of achieving this by sending a CURL request to the /login/forgot_password.php page and regex'd out the session key. Then with this we create a POST request to the same page with the given email and session key.

Does anyone know a better way of doing this? Is there a Moodle function we could tap into? Any input on security issues with doing this would also be greatly appreciated.


Thanks team!


Aaron

In reply to Aaron Leggett

Re: SSO App - External Password Reset

by Darko Miletić -

Your best bet for this would be to write a custom web service that enables you to do this. It should be implemented as a local plugin since there is no user interface required. For details on how to do that see:

http://docs.moodle.org/dev/Web_services_API

In reply to Darko Miletić

Re: SSO App - External Password Reset

by Aaron Leggett -

Hey Darko,
We have already made a WebServices plugin for some of our other functions, but this requires a user to be logged in with a token using /login/token.php

Do you know of a way to give anyone access to a web service without needing to authenticate through this token.php page? As obviously they will not be authenticated when clicking the 'Forgot Password' link.

Any help is greatly appreciated.

Aaron

In reply to Aaron Leggett

Re: SSO App - External Password Reset

by Darko Miletić -

Perhaps I misunderstood your request. Are you saying that you activate the forgot password functionality every time a user tries to log in?

In reply to Darko Miletić

Re: SSO App - External Password Reset

by Darko Miletić -

After reading the post a few more times, let me summarize what I think you are asking, and you can tell me if I got it right:

  • You have a mobile app that tries to implement SSO with Moodle.
  • You also have a "forgot pass" feature in that app that tries to hook into the Moodle forgot password feature.

Perhaps a web service is not such a great idea after all. You might create a custom page used to receive requests for resetting the password. The page should be accessible only through https, with all parameters passed in a POST request. You would pass the username and some specially crafted token that expires after, say, 60 sec and uses some hash/signing method involving a timestamp and whatever other data you see fit. For example, you can use an OAuth approach etc. that can be validated on the Moodle side. If the token is validated, then you reset the pwd for that user in code and send the email.

Average of ratings: Useful (1)
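
The short-lived signed token described in the answer above, sketched as an added example that is not part of the thread or of Moodle's code. It assumes HMAC-SHA256 over the username, a timestamp and a random nonce, with a secret shared between the app and the Moodle-side page; the function names and token layout are hypothetical.

```php
<?php
declare(strict_types=1);
// Added example: function names, token layout and the secret are assumptions,
// not Moodle APIs. The password reset itself is left to the Moodle-side page.
const RESET_TOKEN_TTL = 60; // seconds, the lifetime suggested in the post

// App side: token = urlencoded-username|unix-timestamp|nonce|HMAC-SHA256.
function make_reset_token(string $username, string $secret, ?int $now = null): string {
    $payload = implode('|', [rawurlencode($username), $now ?? time(), bin2hex(random_bytes(16))]);
    return $payload . '|' . hash_hmac('sha256', $payload, $secret);
}

// Server side: returns the username when the token is authentic, fresh and
// unused; null otherwise. $seen stands in for a persistent nonce store.
function verify_reset_token(string $token, string $secret, array &$seen, ?int $now = null): ?string {
    $parts = explode('|', $token);
    if (count($parts) !== 4) {
        return null;
    }
    [$user, $ts, $nonce, $mac] = $parts;
    // Check the signature first, in constant time, before trusting any field.
    if (!hash_equals(hash_hmac('sha256', "$user|$ts|$nonce", $secret), $mac)) {
        return null;
    }
    // A non-numeric timestamp is treated as invalid (negative age).
    $age = ctype_digit($ts) ? ($now ?? time()) - (int) $ts : -1;
    if ($age < 0 || $age > RESET_TOKEN_TTL) { // add a small skew allowance if device clocks drift
        return null;
    }
    if (isset($seen[$nonce])) {               // same token presented twice inside the window
        return null;
    }
    $seen[$nonce] = (int) $ts;
    return rawurldecode($user);
}

// Constructed demo values; fixed clock so the cases are repeatable.
$secret = 'constructed-demo-secret';
$seen = [];
$t0 = 1700000000;
$token = make_reset_token('alice', $secret, $t0);
$cases = [
    'fresh token'    => verify_reset_token($token, $secret, $seen, $t0 + 10),
    'replayed token' => verify_reset_token($token, $secret, $seen, $t0 + 20),
    'tampered user'  => verify_reset_token('mallory' . substr($token, 5), $secret, $seen, $t0 + 10),
    'expired token'  => verify_reset_token(make_reset_token('alice', $secret, $t0), $secret, $seen, $t0 + 61),
];
foreach ($cases as $label => $result) {
    printf("%-15s %s\n", $label, var_export($result, true));
}
```

A secret shipped inside a mobile app can be extracted from it, so the token limits tampering and replay rather than proving who the caller is. The receiving page should still rate-limit requests and respond the same way whether or not the username exists.
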
In reply to Darko Miletić

Re: SSO App - External Password Reset

by Aaron Leggett -

Thanks Darko,
Yes you are correct in your thinking.
We have created the Mobile App which, for all other requirements, contacts a Moodle webservices plugin. I was hoping to add the 'Send password reset' functionality to the app through this webservices plugin as you suggested, but it has not worked for me.

I will be developing a separate local plugin as suggested to allow for the resetting of passwords.

Thanks for your input with my issue,

Regards