Security question about user created via API

by S. De Luca -
Number of replies: 4

I'm currently developing an integration between Moodle's API and our internal software.

In particular, we are building a feature that could let the user associate his account (user, passw) on our software with one inside our Moodle which has some courses to see. We want to have the same password and username for that user as his account on our software. I've currently tested the method that creates a user, but the password is passed in clear and it's not the best… Is there any solution from a security perspective?

Thank you.

In reply to S. De Luca

Re: Security question about user created via API

by Dave Perry -
I'm with Tim - move your application to use central authentication (LDAP, AD, OAuth, SAML, whatever) and make Moodle use that!
Average of ratings: Useful (1)
In reply to Dave Perry

Ri: Re: Security question about user created via API

by Sergio Rabellino -
Apart from the correct responses you got here from Tim and Dave, if you contact your Moodle's API through an HTTPS channel, there's no cleartext password on the network...
And you should have HTTPS enabled on your site if you admit login by classic credentials (e.g. login/password), or the API problem will be minimal compared to the logon vulnerability.
Average of ratings: Useful (1)
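
The HTTPS point from the reply above, as an added example that is not part of the original thread: a client that refuses a non-HTTPS Moodle URL, keeps the token and password in the POST body rather than the URL, and leaves certificate verification on. It assumes Moodle's standard REST endpoint and the `core_user_create_users` web service function; the host, token and user values are constructed placeholders.

```python
import ssl
import urllib.parse
import urllib.request

MOODLE_URL = "https://moodle.example.org"  # placeholder site, not from the thread


def build_create_user_request(base_url, token, user):
    """Build (without sending) a core_user_create_users call, HTTPS only."""
    parts = urllib.parse.urlsplit(base_url)
    if parts.scheme != "https" or not parts.netloc:
        # Plain HTTP would put the token and the password on the wire in cleartext.
        raise ValueError("Moodle base URL must be https://")
    endpoint = base_url.rstrip("/") + "/webservice/rest/server.php"
    fields = {
        "wstoken": token,
        "wsfunction": "core_user_create_users",
        "moodlewsrestformat": "json",
    }
    for key, value in user.items():
        fields[f"users[0][{key}]"] = value
    # Everything goes in the POST body: URLs are commonly written to access
    # and proxy logs, request bodies normally are not.
    body = urllib.parse.urlencode(fields).encode("utf-8")
    return urllib.request.Request(endpoint, data=body, method="POST")


def send(request):
    """Send the request with certificate and hostname verification enabled."""
    context = ssl.create_default_context()  # verifies the chain and the hostname
    with urllib.request.urlopen(request, context=context, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    sample_user = {  # constructed sample values
        "username": "jdoe",
        "password": "Example-Passw0rd!",
        "firstname": "John",
        "lastname": "Doe",
        "email": "jdoe@example.org",
    }
    req = build_create_user_request(MOODLE_URL, "PLACEHOLDER_TOKEN", sample_user)
    print(req.get_method(), req.full_url)  # the URL carries no secret
```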
In reply to Sergio Rabellino

Re: Ri: Re: Security question about user created via API

by S. De Luca -
Okay, thank you. My goal is to create Moodle accounts using Moodle's API from an external website.
You suggest using LDAP or SAML etc. to overcome this problem, right?
Thank you very much for the immediate support!