OAuth2 but filter via e-mail address

by James Webber -

Hi all,


We've got the OAuth2 plugin working for Moodle, so now have the Google login button on the course. The Moodle is staff-only though, so I need a way of restricting it from authenticating students. A RegEx would do this, we have our teacher e-mail addresses as fsurname@ (f being the first letter of their first name) whereas students are f.surname@.

Is there any way of getting the OAuth2 plugin to check for a period before the @ sign, and if so - deny login?



Alternatively, is there any way of the OAuth2 plugin bringing across a role from Google that could be used to decide between Staff and Student (like the Google OU).  I'd then be on to the problem of allowing enrollment to a course from only a certain role, but a bit further than now.


Thanks so much!

In reply to James Webber

Re: OAuth2 but filter via e-mail address

by Leon Stringer -

How about:

  1. Upload the teachers' accounts to Moodle. Presumably only their email, usernames (same as email?) and auth ('oauth2') need to be set. firstname and lastname need to be present if using a CSV but they could be set to a common value and get overwritten by the OAuth 2 mapped field on login.
  2. Enable "Prevent account creation when authenticating" under Site administration > Plugins > Authentication > Manage authentication.

That way teacher accounts should be successfully authenticated by the OAuth 2 plugin because the accounts exist in Moodle, but the students won't be allowed access because Moodle won't create the corresponding account for them.

Beyond that I think you'd be looking at a custom plugin or core code changes as the current OAuth 2 functionality allows any authenticated user who grants Moodle access to their info.

Average of ratings: Useful (1)
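Added example, not part of the thread and not Moodle code: a script that prepares the upload file for step 1 of the reply above, keeping only addresses that follow the teacher convention (no period before the @) on the exact staff domain. The domain `example.org`, the `Pending` placeholder names, using the e-mail address as the username, and the sample list are assumptions.

```python
import csv
import io
import re

STAFF_DOMAIN = "example.org"  # assumption: placeholder for the school's Google domain
# Teacher convention from the thread: fsurname@ (students are f.surname@)
STAFF_LOCAL = re.compile(r"[a-z][a-z0-9]*")

def is_staff(address, domain=STAFF_DOMAIN):
    """True only for <local>@<domain> where <local> contains no period."""
    local, sep, host = address.strip().lower().rpartition("@")
    if not sep or host != domain:  # exact domain match, not a suffix or prefix match
        return False
    return STAFF_LOCAL.fullmatch(local) is not None

def build_upload_csv(addresses, domain=STAFF_DOMAIN):
    """Return (csv_text, rejected) for Moodle's upload users tool."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["username", "email", "auth", "firstname", "lastname"])
    seen, rejected = set(), []
    for raw in addresses:
        email = raw.strip().lower()
        if not is_staff(email, domain):
            rejected.append(raw.strip())  # keep for manual review
            continue
        if email in seen:  # skip duplicates so the upload has one row per account
            continue
        seen.add(email)
        # Assumption: username = email; names are placeholders that the
        # OAuth 2 field mapping is expected to overwrite on first login.
        writer.writerow([email, email, "oauth2", "Pending", "Pending"])
    return out.getvalue(), rejected

# Constructed sample of a directory export
SAMPLE = [
    "jsmith@example.org",             # teacher
    "J.Smith@example.org",            # student convention, rejected
    "ABrown@example.org",             # teacher, normalised to lower case
    "jsmith@example.org ",            # duplicate with trailing space
    "jsmith@example.org.other.test",  # lookalike domain, rejected
    "cjones@gmail.com",               # outside the staff domain, rejected
]

if __name__ == "__main__":
    text, rejected = build_upload_csv(SAMPLE)
    print(text)
    print("rejected:", rejected)
```

The rejected list is worth reviewing before each upload, since any address that slips through becomes an account the OAuth 2 plugin will authenticate.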
In reply to Leon Stringer

Re: OAuth2 but filter via e-mail address

by James Webber -

Thanks for the reply. I looked at the spreadsheet route, but then the display pic doesn't carry across on account creation. A small one I can make do with if we have to, as it does solve the problem. 


I've looked this evening on whether I can filter the OAuth2 on the Google platform side, but no luck, it's all or nothing on authenticating across the entire domain.


Also looked at doing it through LDAP instead which has finer OU controls, but prefer the OAuth2 route if possible.

Also a shame that the manual upload route means I have to create accounts for all new starters too, was looking for an automated route to cut on workload. 


Much appreciated though, will continue to have a crack at this!

In reply to James Webber

Re: OAuth2 but filter via e-mail address

by Ken Task -

Not done or tested myself, but ...

On the Google end, couldn't you add an add-on Google domain for teachers (since you want only teachers to be able to login to Moodle - that right?) that uses convention for teachers' addresses and extends that to something like convention@teachers.tld?

In Moodle then, one would restrict to @teachers.tld

Maybe:

https://support.google.com/a/answer/7502379

Like I said ... not done nor tested ... just thinking out loud! :)

'SoS', Ken