Authenticating user on third party website using Moodle

by Dragos Popa -
Number of replies: 8
Hello all, I have a use case where a student uses a third-party website which requires the student to be authenticated with Moodle. Furthermore, once authenticated on the third-party website, said website should be able to fetch the student's courses and some other basic information about the student. I am new to Moodle and I am getting quite confused with all the available APIs.

What would be the best way to achieve a system similar to this Blackboard 3LO workflow:

"Expected 3-legged authentication workflow:

  1. Access a 3rd-party application that has a REST integration with a Learn system (App).
  2. Use functionality on the App that requires a login to Learn. (Performs an /authorizationcode REST Request)
  3. Login to Learn via a custom login .jsp page.
  4. Get redirected back to the App. The App can now make REST requests to the Learn system."

Would the Web Service API be the one to use or would there be some other way?

Thank you!
In reply to Dragos Popa

Re: Authenticating user on third party website using Moodle

by Brett Dalton -
Just a couple of questions.

1) Are the students authenticating into Moodle first or the website first?

2) Do you have an SSO in the mix at all?

3) How are you managing identity between Moodle and the website? i.e. do you have a common identifier in both?

I would suggest that retrieving the data you need from Moodle should be done with the Web Services API and SSO for authentication if that's possible (on both Moodle and the website), but it will depend on a lot of specifics.
In reply to Brett Dalton

Re: Authenticating user on third party website using Moodle

by Dragos Popa -
1) With my current Blackboard implementation, students authenticate into Blackboard first then my website. This is not set in stone.
2) Yes and no. My website is designed to be integrated with many institutions, some may use SSO some may not.
3) Upon first sign in the student's Blackboard userId is assigned to the account they use to sign in to my website. That is used as an identifier from there on.

Essentially trying to achieve this - https://docs.anthology.com/docs/rest-apis/learn/getting-started/rest_apis-learn-getting-started-3lo
In reply to Dragos Popa

Re: Authenticating user on third party website using Moodle

by Ron Meske -
I think what you are wanting to do is to use Moodle as the OAuth provider.

I recently had a need to set up a website to use Moodle as a backend only, and did not find a way to have Moodle act as an OAuth provider, so ended up creating my own authentication service.

So to the best of my knowledge you will need to write your own service that replicates the 3LO flow that Blackboard uses. It sounds like something I should have done at the time, but just didn't see a broader use at the time.

This plugin may be of use for you: 
https://moodle.org/plugins/auth_userkey
Average of ratings: Useful (1)
In reply to Ron Meske

Re: Authenticating user on third party website using Moodle

by Dragos Popa -
Yes, you're right. Using Moodle as the OAuth provider is essentially what I want to do. I've just come across this which seems to implement a very similar system to the Blackboard one - https://github.com/projectestac/moodle-local_oauth

For a simpler implementation, could I just use the 'moodle_mobile_app' web service on the /login/token.php endpoint to verify user credentials like so:

curl -X POST \
'https://my.moodleapp.tld/login/token.php?service=moodle_mobile_app' \
-d 'username=mymoodleuser&password=MySecretPassword'

... and then store their token in a cookie to be used when calling the Web Services API? I can see this working on a simple use case but how does SSO influence this? I suppose this is a broad question but, if the institution uses an SSO provider such as Azure Active Directory, does this endpoint still work?
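The flow asked about above, as an added example that is not part of the original post: a Python sketch of the third-party backend building the /login/token.php request, checking the JSON reply, and then calling the Web Services REST endpoint. In this variant the token stays in a server-side store and the browser cookie carries only an opaque session id. The function names, the in-memory SESSIONS store, the cookie name sid and the sample replies are assumptions constructed for illustration; no network call is made.

```python
import json
import secrets
from urllib.parse import urlencode

MOODLE = "https://my.moodleapp.tld"  # host taken from the curl command in the post
SESSIONS = {}  # assumed in-memory store: opaque session id -> Moodle token

def token_request(username, password, service="moodle_mobile_app"):
    """Return (url, form_body) for /login/token.php; every field goes in the POST body."""
    body = urlencode({"username": username, "password": password, "service": service})
    return f"{MOODLE}/login/token.php", body

def parse_json_reply(raw):
    """Moodle reports failures inside the JSON reply, so inspect the body itself."""
    data = json.loads(raw)
    if isinstance(data, dict) and ("error" in data or "exception" in data):
        raise PermissionError(data.get("errorcode", "unknown"))
    return data

def open_session(token_reply):
    """Keep the token on the server; the browser only receives an opaque session id."""
    token = parse_json_reply(token_reply)["token"]
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = token
    return sid, f"sid={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"

def ws_request(sid, wsfunction, **params):
    """Return (url, form_body) for a Web Services REST call made for this session."""
    fields = {"wstoken": SESSIONS[sid], "wsfunction": wsfunction,
              "moodlewsrestformat": "json", **params}
    return f"{MOODLE}/webservice/rest/server.php", urlencode(fields)

# Constructed sample replies (not captured from a real site).
SAMPLE_TOKEN_OK = '{"token": "CONSTRUCTED-TOKEN-0001", "privatetoken": null}'
SAMPLE_TOKEN_BAD = '{"error": "Invalid login, please try again", "errorcode": "invalidlogin"}'
SAMPLE_SITE_INFO = '{"userid": 42, "username": "mymoodleuser", "fullname": "Constructed Student"}'

def demo():
    sid, cookie = open_session(SAMPLE_TOKEN_OK)
    # SAMPLE_SITE_INFO stands in for the reply to core_webservice_get_site_info
    userid = parse_json_reply(SAMPLE_SITE_INFO)["userid"]
    url, body = ws_request(sid, "core_enrol_get_users_courses", userid=userid)
    return sid, cookie, url, body

if __name__ == "__main__":
    print(demo()[1:])
```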
In reply to Dragos Popa

Re: Authenticating user on third party website using Moodle

by Ron Meske -
I originally started with the mobile service, but ran into some issues at the time and cannot recall exactly what they were. I believe the mobile login would only work with the Moodle Mobile App.

What I do remember is that it would use the Auth Plugins that were configured in Moodle. So I believe it is safe to assume, but verify, that if an SSO provider is installed it will use it.

This service may also be useful: core_auth_confirm_user.  

When you go through the API documentation, check the limitations. Some cannot be called from AJAX, which may not be an issue for you.
In reply to Dragos Popa

Re: Authenticating user on third party website using Moodle

by Brett Dalton -
Ron is right, OAuth may suit your needs here; however, I would strongly recommend looking at the LTI standard as it is supported by the vast majority of LMS and if you implement it once it will work for most LMS out of the box. It can handle auth, account provisioning, roles, etc.
In reply to Brett Dalton

Re: Authenticating user on third party website using Moodle

by Francis Devine -
I suspect the same issue will occur there as with OAuth.

Moodle is set up as a consumer of LTI and OAuth2, not a provider, so it has to be the initiating party for these sign-in/connect workflows.

It's come up a few times and although core is open to making Moodle an OAuth2 provider for things like OIDC, it's not a priority for them.
In reply to Francis Devine

Re: Authenticating user on third party website using Moodle

by Brett Dalton -
Just spoke to Matt Porritt who is the other Head of Product at HQ. The Platform team is doing some work on OIDC at the moment but acting as a provider is out of scope. Acting as a provider is complex and as there are a lot of dedicated open-source options for this (and other Auth sources) that would do it far more reliably, it really doesn't make a lot of sense to add it to the Moodle codebase and all the maintenance it would require.