Hi everyone,
We've had an issue that came up since upgrading several Moodle sites to 4.5.5 this summer. Since that update, it seems that when a user has an alias mail different from their UserPrincipalName (UPN) in AzureAD/EntraID, instead of matching these users with their current existing account linked to their UPN in Moodle, OAuth2 is creating a new account that only populates Moodle's username and email fields with the mail alias. Changing their original account's email in Moodle to the alias mail from AzureAD/EntraID allows the user to log in to that account and doesn't create a duplicate.
Looking at the Moodle 4.5.5 code changes, I see that there was a change in oauth2_client with a new method called 'get_additional_upgrade_token_parameters' linked to this tracker: https://moodle.atlassian.net/browse/MDL-80380. That said, it doesn't seem to be about authenticating with OAuth2, but rather a new way to set up outgoing mail from Moodle through an OAuth2 service.
We've investigated the corresponding apps in AzureAD/EntraID. It would seem most are set up as multitenant apps. We've tried updating to 4.5.6 as this fix looked promising: https://moodle.atlassian.net/browse/MDL-86004. Unfortunately, it didn't fix this issue. Creating a new multitenant app didn't work either. Some of our clients are reporting that they can't create a single-tenant app, as they are met with an error message that prevents them from doing so.
Did anyone else face this issue? How come previous accounts were created in Moodle with the UPN in the username and email fields, but now it's the alias email? Is this something we can fix by changing the mapping for the OAuth2 service?
Thanks in advance,
Marius