How does OAuth2 work in Moodle?

by Nikki Locke -
Number of replies: 7

I am sysadmin for a service which also acts as an OAuth2 server.

A friend wants to use my OAuth2 service to create or authenticate logins on his Moodle server, but he is really struggling.

I have given him a client id and secret, which he has put into Moodle. I have given him 3 URIs - to authorise, get a token, and get login data.

The login data uri returns a json object with 3 fields - username (the login the user uses on my system), firstname (the user's full name) and email (the user's email address).

He put those in too. On testing, everything seemed to go well - it redirected to my site, and redirected back again. But nothing else happened - Moodle did not call the token uri.

Any suggestions what may be wrong?

I have read the documentation, but it does not say what happens when the handshake is complete. There are 2 possible situations:

1) The email address belongs to someone already on Moodle. I would hope that this would log them in as this person - is that correct?

2) The email address doesn't belong to an existing user. I would hope that this would create them a new account - is that correct?


In reply to Nikki Locke

Re: How does OAuth2 work in Moodle?

by Nikki Locke -
Further to this, I set up my own Moodle to try it out. Whatever it was, I am doing it wrong too.

I installed the Moodle docker image bitnami/moodle

I set up OAuth2.

I opened an incognito tab to Moodle, and clicked the login button for my oauth2 service.
It redirected OK to my server, the server validated, and redirected back to http://moodle.local/admin/oauth2callback.php?code=63f9e5odmnwrpyxwanef688nma&state=/auth/oauth2/login.php?wantsurl=http%3A%2F%2Fmoodle.local%3A9000%2F&sesskey=ivgcCOD9EW&id=1

(I am assuming that's right, although it doesn't seem to appear anywhere in the documentation).

That URI returned a 404, claiming the session had timed out.
In reply to Nikki Locke

Re: How does OAuth2 work in Moodle?

by Nikki Locke -
Sorry, please ignore the %3A9000 in the url above - I edited the original to take out extraneous information like the port I was running on, but missed that.

Note that Moodle makes no attempt to call any of the other endpoints I set up.

These are authorization_endpoint, token_endpoint and userinfo_endpoint.
In reply to Nikki Locke

Re: How does OAuth2 work in Moodle?

by Leon Stringer -
What I think is happening is that the state parameter is getting mangled, possibly because it's not being URL encoded between redirects. The wantsurl should include sesskey and id as query string parameters within its URL, whereas in the above redirect there's an invalid second question mark followed by wantsurl, sesskey and id. These should be URL encoded as part of state.

admin/oauth2callback.php?code=63f9…&state=/auth/oauth2/login.php?wantsurl=http%3A%2F%2Fmoodle.local%3A9000%2F&sesskey=ivgcCOD9EW&id=1

For example on my test site the redirect back to admin/oauth2callback.php is:

/admin/oauth2callback.php?code=f132…&state=%2Fauth%2Foauth2%2Flogin.php%3Fwantsurl%3Dhttps%253A%252F%252Fmoodle.example.com%252F%26sesskey%3DGZlz8cFzkd%26id%3D1

I.e. there are just two query string params to oauth2callback.php: code and state.
Average of ratings: Useful (2)
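To make the encoding point concrete, here is an added example (not code from the thread or from Moodle) of how an OAuth2 server should build the redirect back to admin/oauth2callback.php. It contrasts the mangled form from the thread with a correctly percent-encoded one (the Python equivalent of EscapeDataString), and parses both the way Moodle's callback would; the state, code and host values are constructed for illustration.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed values. MOODLE_STATE is the state value as Moodle sends it in the
# authorize request, i.e. after the server's query parser has decoded it once.
# It is itself a relative URL with its own query string, which is exactly why
# it must be encoded again before being placed in the callback URL.
MOODLE_STATE = ("/auth/oauth2/login.php?wantsurl=http%3A%2F%2Fmoodle.local%2F"
                "&sesskey=ivgcCOD9EW&id=1")
REDIRECT_URI = "http://moodle.local/admin/oauth2callback.php"
CODE = "63f9e5odmnwrpyxwanef688nma"  # constructed authorization code


def build_redirect_mangled(redirect_uri, code, state):
    """The broken form seen in the thread: state is pasted in raw, so its own
    '?', '&' and '=' are swallowed by the callback's query string."""
    return f"{redirect_uri}?code={code}&state={state}"


def build_redirect(redirect_uri, code, state):
    """Correct form: each value is percent-encoded ('/' -> %2F, '?' -> %3F,
    '&' -> %26, '%' -> %25), so state arrives at Moodle byte-for-byte intact.
    That matters for security as well as routing: Moodle uses state (with the
    sesskey inside it) to bind the callback to the session that started the
    login, so the server must echo it back unchanged."""
    return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"


def parse_callback(url):
    """What admin/oauth2callback.php sees: the callback's top-level query
    parameters, each decoded once."""
    query = urlsplit(url).query
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def decode_state(state):
    """Moodle's own second-level parse of the state value: wantsurl, sesskey, id."""
    query = urlsplit(state).query
    return {k: v[0] for k, v in parse_qs(query).items()}


if __name__ == "__main__":
    good = parse_callback(build_redirect(REDIRECT_URI, CODE, MOODLE_STATE))
    bad = parse_callback(build_redirect_mangled(REDIRECT_URI, CODE, MOODLE_STATE))
    print("encoded callback params:", sorted(good))   # only code and state
    print("mangled callback params:", sorted(bad))    # sesskey and id leaked to top level
    print("state survives round trip:", good["state"] == MOODLE_STATE)
    print("decoded state:", decode_state(good["state"]))
```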
In reply to Leon Stringer

Re: How does OAuth2 work in Moodle?

by Nikki Locke -

Well, you absolute star ⭐⭐⭐ - you put your finger right on it. 

A quick EscapeDataString at my end, and it has all sprung into life!

Can I suggest to the Moodle documenters that they add some more information to their OAuth2 document, specifically:

  • The callback url - many oauth2 servers validate this, which is difficult if you don't know what it is.
  • The exact names of the endpoints you have to define (including the underlines!). Plus any optional ones, if there are some.
  • The list of user fields that are necessary to create an account (firstname, lastname, email) - some OAuth2 services do not provide firstname and lastname as separate fields.
In reply to Nikki Locke

Re: How does OAuth2 work in Moodle?

by Leon Stringer -

I've updated the OAuth 2 services page as suggested (revisions). Let me know if there's any further feedback regarding these changes. The Moodle Docs are a wiki so feel free to edit these if needed.

Average of ratings: Useful (1)
In reply to Leon Stringer

Re: How does OAuth2 work in Moodle?

by Nikki Locke -
The new documentation is a model of clarity, and now contains everything you need.

Thank you very much, you are brilliant!
In reply to Nikki Locke

Re: How does OAuth2 work in Moodle?

by Nicolas Schmit -

Hello Nikki,

I have the same issue and I understand that problem was not on Moodle side? Am I right?

When you say "A quick EscapeDataString at my end, and it has all sprung into life!", do you think you can explain what you did?

Thanks a lot.

Nicolas