JWT SSO authentication

Maintained by Christopher Reimann
Moodle authentication plugin for secure Single Sign-On using signed JWTs (with nonce/jti replay protection, JWKS or PEM key validation, and detailed event logging).

JWT SSO authentication v1.0.0 (Build: 20251103)

Moodle 4.5, 5.0, 5.1
Released: Monday, 3 November 2025, 5:58 PM

🟩 Release Notes – v1.0.0 (2025-11-03)

This is the first stable release of JWT SSO authentication (auth_jwtsso), a lightweight and secure single-sign-on solution for Moodle 4.5 and later.

✨ Highlights

  • 🔐 JWT-based authentication using RS256/ES256 signatures (via PEM or JWKS).
  • 🧩 Supports IdP-initiated and SP-initiated flows.
  • ⚙️ Full configuration UI for issuer, audience, JWKS endpoint or manual key, allowed algorithms, and nonce lifetime.
  • 👤 Just-in-time user provisioning (optionally creates users on first login).
  • 🧾 Granular event logging (token received, validated, provisioned, login completed).
  • 🧪 Comprehensive Behat and PHPUnit tests for validation and login flows.
  • 🧰 Includes a Python example IdP (Flask) demonstrating a complete JWT SSO flow and nonce exchange.
  • ⚡ Lightweight, no OAuth 2.0 complexity — ideal for custom back-ends (e.g. Odoo, Flask, FastAPI).

🛡️ Security features

  • Strict validation of iss, aud, exp, iat, and nonce claims.
  • One-time use nonces stored and expired via scheduled cleanup task.
  • Algorithm allow-list (the "none" algorithm is not supported).
  • JWKS cache with kid selection and RSA/EC support.
  • No raw token data ever logged.
  • HTTPS recommended and enforced in production.
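
The claim, allow-list and one-time nonce checks listed above, sketched as an added example that is not the plugin's own code (the plugin is PHP; this uses Python, the language of its bundled example IdP). Signature verification against the PEM or JWKS key is assumed to be done by a JWT library and is omitted; `CONFIG`, `NonceStore` and `check_token` are hypothetical names and all values are constructed.

```python
import time

# Constructed settings for illustration; these are not the plugin's config keys.
CONFIG = {
    "issuer": "https://idp.example.test",
    "audience": "moodle.example.test",
    "allowed_algs": ("RS256", "ES256"),
    "leeway": 30,  # tolerated clock skew in seconds
}


class NonceStore:
    """In-memory one-time nonce store (a real service would persist this)."""
    def __init__(self):
        self._issued = {}  # nonce -> expiry timestamp

    def issue(self, nonce, now, lifetime=300):
        self._issued[nonce] = now + lifetime

    def consume(self, nonce, now):
        # pop() makes the nonce single-use: a replayed token finds nothing.
        expiry = self._issued.pop(nonce, None)
        return expiry is not None and now <= expiry

    def cleanup(self, now):
        # Stand-in for a scheduled cleanup task: drop nonces that expired unused.
        self._issued = {n: e for n, e in self._issued.items() if e > now}


def check_token(header, claims, store, cfg=CONFIG, now=None):
    """Return None if the token is acceptable, otherwise the rejection reason."""
    now = time.time() if now is None else now
    # In a full verifier this header check runs before the signature check.
    if header.get("alg") not in cfg["allowed_algs"]:
        return "alg not allowed"  # covers "none" and anything off the list
    if claims.get("iss") != cfg["issuer"]:
        return "bad iss"
    aud = claims.get("aud")
    if cfg["audience"] not in (aud if isinstance(aud, list) else [aud]):
        return "bad aud"
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, (int, float)) or now > exp + cfg["leeway"]:
        return "expired or missing exp"
    if not isinstance(iat, (int, float)) or iat > now + cfg["leeway"]:
        return "iat missing or in the future"
    nonce = claims.get("nonce")  # consumed last so a rejected token burns nothing
    if not isinstance(nonce, str) or not store.consume(nonce, now):
        return "nonce unknown, expired or replayed"
    return None
```

Presenting the same token twice fails on the second attempt because the nonce was consumed by the first.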

🧑‍💻 Developer features

  • Well-documented PHP API and typed classes under auth_jwtsso\local\.
  • Events expose validated claims to allow integration with other plugins (e.g. assign roles based on IdP claims).
  • Behat data generators and fixtures for integration testing.
  • Fully compliant with Moodle coding standards and PHP 8.3.

🧩 Compatibility

  • ✅ Tested with Moodle 4.5 (20241007) and PHP 8.3 / PostgreSQL 14+.
  • ⚠️ Not compatible with Moodle 4.4 or earlier (due to core API changes).

🧰 Installation & Docs

  1. Copy to auth/jwtsso/ and install via Site administration → Notifications.
  2. Configure issuer, audience, and public key under Plugins → Authentication → JWT SSO.
  3. See the included examples/idp_example.py for a working Flask Identity Provider.
  4. Detailed developer documentation in README.md.

📦 Version info

  • Component: auth_jwtsso
  • Version: 2025110300
  • Release: v1.0.0 (Build 20251103)
  • Requires: Moodle 4.5 (20241007) or later
  • License: GPL v3 or later
  • Author: Christopher Reimann (@LearningSecured)

Version information

  • Version build number: 2025110301
  • Version release name: v1.0.0 (Build: 20251103)
  • Maturity: Stable version
  • MD5 Sum: d84f20bd039d382a2d1d09d6b7cb0fb2
  • Supported software: Moodle 4.5, Moodle 5.0, Moodle 5.1
  • Latest release for Moodle 4.5
  • Latest release for Moodle 5.0
  • Latest release for Moodle 5.1

Version control information

Version control system (VCS): GIT
VCS repository URL

Default installation instructions for plugins of the type Authentication

  1. Make sure you have all the required versions.
  2. Download and unpack the module.
  3. Place the folder (e.g. "myauth") in the "auth" subdirectory.
  4. Visit http://yoursite.com/admin to finish the installation.