Greetings.
I am writing a plugin to add activities from an external content provider to a Moodle course. There is a need to synchronize the Moodle class to the provider databases. The flow I wish is when the user is connected on Moodle, to be using it's Moodle logged in state to also have him connected on the provider platform (which uses Django framework).
So it is a use case of SSO from Moodle to an external provider (unlike common use cases from external provider/database to Moodle).
What I do is I get the class information from the Moodle user (json sample attached) that I post to the provider platform after the user has given his consent.
In particular, in the json file that I post to the external platform, I have the logged in user dictionary as below:
"id": "10003",
"username": "corbin",
"firstname": "Eric",
"lastname": "Corbin",
"email": "***********@***********.com",
"isConnected": true,
"sesskey": "g9UjzwQGF9",
"MoodleSession": "o8vvtg3id57qm24r2e3g0eqj5c",
"token": "FoPx1LT8ObF9m4dkL4esCvd4jKD7e52M",
"connected": 1647799643
},
The thing is, it is easily vulnerable to a man in the middle attack. I would like to discuss other options if available, the aim is to have a more secured workflow without necessarily using a web api token, as I want everything to happen on the Moodle side.
Thanking you in advance.