Is this a native app for Android?


by Albert Ramsbottom -

I assume it is, but cannot test this

We use OpenID Connect as an auth method, so when we open the app and enter the site URL, it connects and then forwards to 

https://login.microsoftonline.com/common/oauth2/authorize

We can then log in using our Office 365 credentials, but after that it forwards us to our redirect URI: https://ourmoodle.ac.uk/auth/oidc/ which logs us in to our Moodle website, and in effect misses the app altogether.

Anyone know what we can do so the app will work?

Cheers



In reply to Albert Ramsbottom

Re: Is this a native app for Android?

by Albert Ramsbottom -

Another thing is we have

"It seems that the HTTPS certificate is self-signed or not trusted. The mobile app will only work with trusted sites."

on the mobile settings page, when we know this is not true and our cert passes all checks


Cheers

In reply to Albert Ramsbottom

Re: Is this a native app for Android?

by Ken Task -

https://docs.moodle.org/35/en/Moodle_app_FAQ#I_can.27t_get_the_app_to_work._What_can_I_do.3F

SSL Checkers ... look for protocols.
Sites should not allow nor use SSL vr1 nor vr2, or vr3 now ... but TLS 1.2 ... not 1.0.   TLS 1.3 is soon to be 'blessed'.
There is also the issue of ciphers.

'spirit of sharing', Ken



In reply to Ken Task

Re: Is this a native app for Android?

by Albert Ramsbottom -

Thanks Ken

I have had a look at this and it is related to the SSL message, but I am not sure that it is related to the app forwarding to Office 365 SSO and then not forwarding back using OpenID Connect?

Should we be using OpenID Connect? or should it be OAuth 2?

And in the docs

"Custom auth plugins may be failing in the last step, not redirecting back to local/mobile, this will happen only if the plugin does not support correctly the $SESSION->wantsurl."


Cheers



In reply to Albert Ramsbottom

Re: Is this a native app for Android?

by Albert Ramsbottom -

TLS 1.3     No
TLS 1.2     Yes
TLS 1.1     Yes
TLS 1.0     Yes
SSL 3     No
SSL 2

In reply to Albert Ramsbottom

Re: Is this a native app for Android?

by Ken Task -

There should be an ssl.conf somewhere ... it's commented ... might want to read study.   Had similar issue when hosting on a server using a global certificate as opposed to a certificate generated for the specific host.

#   SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect.  Disable SSLv2 access by default:
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

# Disabled weak RSA ciphers
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!RSA:!aNULL:!MD5:!DSS
SSLHonorCipherOrder On

sslabs now does check of both IPv6 and IPv4 - on a server that gets an A+
and configured by someone who works at a cyber defense company.

First section has, at the bottom, 'Trusted' status and then list

Protocols
TLS 1.3     No
TLS 1.2     Yes
TLS 1.1     No
TLS 1.0     No
SSL 3     No
SSL 2     No
For TLS 1.3 tests, we only support RFC 8446.

There is also a section on simulated handshakes ... Android is included.

'spirit of sharing', Ken
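
Added example (not part of the thread and not Moodle or Apache project code): a small Python check that evaluates `SSLProtocol` directives like the one quoted above and reports which legacy protocols remain enabled, which is the difference between the two scan results in this thread. The sample config is constructed, and the expansion of `all` is an assumption, since the real expansion depends on the Apache and OpenSSL build.

```python
import re

# Assumption: what "all" expands to. The real expansion depends on the Apache
# and OpenSSL build; this superset is used so nothing legacy is missed.
ALL = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
KNOWN = set(ALL) | {"SSLv2"}
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample config (not anyone's real file from the thread).
SAMPLE_CONF = """\
# SSLProtocol all -SSLv2        (commented out, must be ignored)
<VirtualHost *:443>
    SSLProtocol all -SSLv2 -SSLv3
</VirtualHost>
<VirtualHost *:8443>
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
</VirtualHost>
"""

def effective_protocols(args):
    """Apply SSLProtocol tokens left to right and return the enabled set."""
    enabled = set()
    for tok in args.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        canon = next((k for k in KNOWN | {"all"} if k.lower() == name.lower()), None)
        if canon is None:
            raise ValueError(f"unknown protocol token: {tok!r}")
        group = set(ALL) if canon == "all" else {canon}
        if sign == "-":
            enabled -= group
        elif sign == "+":
            enabled |= group
        else:                      # a bare token replaces what was set so far
            enabled = set(group)
    return enabled

def audit(conf_text):
    """Return (line_no, enabled, legacy_still_enabled) per active directive."""
    findings = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        m = re.match(r"\s*SSLProtocol\s+(.+?)\s*$", line, re.IGNORECASE)
        if m:                      # commented lines start with '#', so no match
            enabled = effective_protocols(m.group(1))
            findings.append((no, sorted(enabled), sorted(enabled & LEGACY)))
    return findings

if __name__ == "__main__":
    for no, enabled, legacy in audit(SAMPLE_CONF):
        print(f"line {no}: enabled={enabled} legacy={legacy or 'none'}")
```

A static check like this only covers the directives in the text it is given; an external scan still confirms what the server actually negotiates.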

In reply to Albert Ramsbottom

Re: Is this a native app for Android?

by Juan Leyva -

Hi Albert,

it seems that, what is happening, is indeed this:

"Custom auth plugins may be failing in the last step, not redirecting back to local/mobile, this will happen only if the plugin does not support correctly the $SESSION->wantsurl."

You should check the app code to see if after doing the final redirection back to Moodle it checks the $SESSION->wantsurl variable. This variable indicates to the plugin that it should redirect to an endpoint in local/mobile (or admin/tool/mobile in latest Moodle versions) to correctly perform the SSO.

Maybe you could reach the original plugin developers

Cheers, Juan