Oauth2 and Google account integration


by Nicholas Roberts -
Number of replies: 14
I would appreciate any help with setting up Google authentication for my moodle installation.

Background:
* I have a school email (google account) domain hosted at Google (it's an account domain), i.e. all users are xxxx@cpem17.com.ar.
* I'm setting up moodle to work with students from this school (cpem17) and I would like for students to be able to login to my moodle using their current google (cpem17) account and password (and therefore avoid multiple users/passwords, etc which tend to confuse unnecessarily).
* I have moodle (3.3.4) set up in my domain:   roberts.com.ar/moodle  (installed in subfolder moodle, NOT the site root)
* I have an SSL certificate installed on: roberts.com.ar and www.roberts.com.ar

What I've done
* I set up the api on console.developers.google.com (I am also an admin for the cpem17 domain at google) and have my Client ID and Client Secret. Set up the credentials and added the APIs for Mail, Drive and Calendar (I only actually care about login as a minimum).
* I use the Moodle console (Site administration, Server, Oauth2 Services) and set up the Google service (Create Google Service). I've accepted all defaults (but put in the Client ID and Client Secret sans extra spaces at beginning or end). Haven't checked use HTTP. Ensured "Show Login on page" is checked. When saving I get: "error/Could not discover service endpoints: Failed to connect to accounts.google.com port 443: Connection refused". The first two ticks ("Configured" and "Allow Login" in green - the remaining two in red).
* I tried changing the "Service Base URL" to "https" as per other posts.
* I tried setting Moodle to HTTPS.

I CAN access the .well-known/openid-configuration at accounts.google.com from my computer (haven't tried from the server since I haven't set up SSL on it).

Can anyone enlighten me as to what I've done wrong or missed?

The objective is to have students signin/signup to the courses via their existing google(cpem17.com.ar) accounts and passwords. I don't really care if data is stored in Drive or not (though I'd like to have students being able to submit files from Drive).

EDIT:
**ADDITIONAL INFORMATION**
I've got google to verify the site (via TXT record AND the http file).



In reply to Nicholas Roberts

Re: Oauth2 and Google account integration

by Emma Richardson -

Do you have the system account connected?

Can you show a screenshot of your oauth page with sensitive info blacked out?

In reply to Emma Richardson

Re: Oauth2 and Google account integration

by Nicholas Roberts -

Detail of Google Setup

And:

Summary (and error)


In reply to Nicholas Roberts

Re: Oauth2 and Google account integration

by Ken Task -

In the client ID *and* secrets boxes where you paste those from Google, make sure there is NO blank space in front of the client ID / secret and NO space at the end.

The spaces will not display in the box ... the only way one could tell is to notice a sliver between the left box border and the first displayable character in the box.

'spirit of sharing', Ken

In reply to Ken Task

Re: Oauth2 and Google account integration

by Nicholas Roberts -

Actually I copied both from Google to my Notepad++ and removed the spaces before copying/pasting into Moodle.

In reply to Nicholas Roberts

Re: Oauth2 and Google account integration

by Emma Richardson -

Pretty sure you need to connect a system account...

Could your firewall be blocking this?

In reply to Emma Richardson

Re: Oauth2 and Google account integration

by Nicholas Roberts -

I cannot connect a system account.

I tried though... After the confirmation popup I get a directory listing for


/moodle/admin/tool/oauth2


I didn't pursue this yet since I assumed (hopefully correctly) that I had to solve the Discovery error first. Also the tooltip says "They are not required for login functionality only" which is what I am trying to solve first. I guess I'll cross that bridge further on :)


In reply to Nicholas Roberts

Re: Oauth2 and Google account integration

by Nicholas Roberts -

Anyone have an idiot proof step-by-step for this? (the idiot being me :) )

In reply to Nicholas Roberts

Re: Oauth2 and Google account integration

by Ken Task -

One 'idiot' (me) to another ... Google changes things ... understatement.

Did you ever see a screen that was a permissions kinda thing?

Afraid some tinkering required.   This error kinda strange ...

Failed to connect to accounts.google.com port 443: Connection refused

What do you have in Oauth2 config for Google Service base URL?

In a Moodle 3.4.x using Google (working), that URL is:
http://accounts.google.com/

Yep ... that's http:// NOT https://

from the server, if you have command line, try this:

curl -I http://accounts.google.com/

That will report an error ... kinda ... 302 Moved Temporarily
with https://accounts.google.com/ManageAccount

and then:

curl -I https://accounts.google.com/ManageAccount

In your browser:

https://accounts.google.com/ManageAccount

IF using Firefox, if you are already logged onto Google,
that will go to a control/protect, and secure screen.

Make sure you are NOT logged onto Google and that URL
might send you to:
https://accounts.google.com/ServiceLogin/signinchooser .... blah, blah.

Beat on it ... and it might give in! ;)   That ought to bring someone 'smarter' than us two 'idiots' into the conversation! :)

'spirit of sharing', Ken
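
Added example, not part of any post in this thread: the server-side check suggested above, pointed at the discovery URL named in the first post and with curl's exit code translated into a likely cause (exit code 7 is the one that carries the "Failed to connect ... Connection refused" text). The function names and the file name `check_discovery.sh` are made up for this sketch.

```shell
#!/bin/sh
# Added example: run this ON the Moodle server, not on a desktop browser.
DISCOVERY_URL="https://accounts.google.com/.well-known/openid-configuration"

# Map a curl exit code to the most likely cause of a failed discovery.
classify_curl_exit() {
    case "$1" in
        0)     echo "ok" ;;
        5|6)   echo "dns: the server cannot resolve the host (or proxy) name" ;;
        7)     echo "refused: outbound TCP to port 443 is refused or blocked" ;;
        28)    echo "timeout: packets are dropped, usually an egress firewall" ;;
        35)    echo "tls: handshake failed, check the server's TLS library" ;;
        60|77) echo "ca: certificate chain not trusted, check the CA bundle" ;;
        *)     echo "other: curl exit code $1, see EXIT CODES in man curl" ;;
    esac
}

# Succeed if the discovery document on stdin names the endpoints a login needs.
has_login_endpoints() {
    doc=$(cat)
    for key in authorization_endpoint token_endpoint userinfo_endpoint; do
        printf '%s' "$doc" | grep -q "\"$key\"" || return 1
    done
}

# Fetch the document the way a server-side client would and report a verdict.
check_discovery() {
    rc=0
    body=$(curl --silent --show-error --max-time 15 "$DISCOVERY_URL") || rc=$?
    if [ "$rc" -ne 0 ]; then
        classify_curl_exit "$rc"
        return 1
    fi
    if printf '%s' "$body" | has_login_endpoints; then
        echo "ok: discovery document fetched and complete"
    else
        echo "incomplete: reply lacks OAuth endpoints (captive portal or proxy page?)"
        return 1
    fi
}

# Only touch the network when asked to: sh check_discovery.sh --run
if [ "${1:-}" = "--run" ]; then
    check_discovery
fi
```

A "refused" or "timeout" verdict here while the same URL opens in a desktop browser points at the hosting side (outbound port 443 closed), not at the Client ID, the secret or the Moodle settings.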


In reply to Ken Task

Re: Oauth2 and Google account integration

by Nicholas Roberts -

Ken,

Just set up SSH and tried what you suggested...:
* the first curl goes the 302 way
* The second actually produces more garbage but also produces a 302 response

* The FF (not logged in - made sure beforehand) sends me to the "Choose account" screen.


Not at all surprised Google moves the goalposts :(

Any suggestions to move on from this point?


BTW: Moodle 3.3.4 (at the moment) -> still trying to find a pain-free way to update to 3.4.x....

In reply to Nicholas Roberts

Re: Oauth2 and Google account integration

by Nicholas Roberts -

**BUMP**

In reply to Nicholas Roberts

Re: Oauth2 and Google account integration

by Ken Task -

Weekend ... the only excuse I could give those with expert knowledge of oauth2 and Google. :\

So you are kinda stuck with me, I guess.

Reference for your version: https://docs.moodle.org/33/en/OAuth_2_Google_service

I seem to recall upon initial connection with a service account a permissions screen.

Later, others were saying there needed to be entry in Google's Consent screen for the Moodle server - I can recall going back to credentials setup and setting up an OAuth Consent screen/info.

In the above link one might need to follow it like they were steps.

No one can really volunteer to look at your stuff cause it would mean you sharing credentials, etc.. :\

Although, if you PM me the URL to your site and set me up as admin .... I can look at Moodle but not link.

As far as the other quickie question ... 'pain free upgrade' ... if Linux, hands down git. Though at first it isn't and from time to time - rarely ... issues with compatible plugins ... which need be checked before pulling the trigger on updating/upgrading core via git.

https://docs.moodle.org/33/en/Git_for_Administrators

In your case, you'd have to 'side load' the git acquired code etc.   Maybe that should be another posting so that one can focus on specific issues and not multi-task. ;)

'spirit of sharing', Ken



In reply to Nicholas Roberts

Re: Oauth2 and Google account integration

by Ken Task -

Went back and re-read everything ...

Suggest that google wants everyone to use https ... period.

The moodle is running under http:// not https://  initial install I imagine.

www.yourdomain is the same box as the URL you shared for the moodle?

If I go to the URL you've shared for Moodle I get a raw directory listing ... where I see the .html file you used for Google confirmation of domain + a moodle directory.   If I click the moodle folder I get an https:// flip and a notice that the cert isn't valid.  Have to make an exception in FF to see login screen.

Cert info for the Moodle subdir shows Atractsoft for _.com.ar as the verifier.

What if ... you changed the URL to the Moodle as www._yourdomain/moodle/

It flips to roberts.com.ar

https://www.roberts.com.ar/

begets a forbidden error - 404

So it's configuration of Apache ... virtual host?

If you can get Moodle to run under the cert for www. then think your Google issues will be reduced.

'spirit of sharing', Ken (the weekend help)

In reply to Ken Task

Re: Oauth2 and Google account integration

by Ken Task -

Since you've already shared urls/hosting urls.

roberts.com.ar.        3600    IN    A    185.176.40.146

www.roberts.com.ar.    3600    IN    A    185.176.40.147

different IPs so can't use the www cert for the server where the moodle resides as www was probably a host cert and not a global domain cert.

However, one could check into using 'letsencrypt' for the Moodle box.

https://letsencrypt.org/

'spirit of sharing', Ken


In reply to Ken Task

Re: Oauth2 and Google account integration

by Nicholas Roberts -

This throws an interesting spanner in the works. I'll check with my hoster.

Very useful bit of info. Thanks.