Authentication: OpenID Connect

auth_oidc
Maintained by James McQuillan, Mike Churchward, Zion Brewer, Charles Verge, Nima Mojgani
The OpenID Connect plugin provides single-sign-on functionality using configurable identity providers.
1449 sites
1k downloads
28 fans

OpenID Connect Authentication Plugin

The OpenID Connect plugin provides single-sign-on functionality using configurable identity providers, including Azure Active Directory. It is used as part of the Office 365 suite of plugins to connect to Azure Active Directory, but can be configured to provide SSO for other OpenID Connect providers as well.


This is part of the suite of Office 365 plugins for Moodle.

This plugin is updated with stable releases. To follow active development on GitHub, click here.


Contributing

Before we can accept your pull request, you'll need to electronically complete Microsoft's Contributor License Agreement. If you've done this for other Microsoft projects, then you're already covered.

Why a CLA? (from the FSF)


Copyright

(c) Microsoft, Inc. Code for this plugin is licensed under the GPLv3 license.

Any Microsoft trademarks and logos included in these plugins are property of Microsoft and should not be reused, redistributed, modified, repurposed, or otherwise altered or used outside of this plugin.

Sets

This plugin is part of set Office 365.

Contributors

James McQuillan (Lead maintainer)
Vinayak (Vin) Bhalerao
Akinsaya Delamarre

Comments

  • Zurina Saaya
    Tue, 2 Aug 2016, 10:49 AM
    Hi all,
    I received an email from the Azure Team as follows...
    ---------------
    "On August 15, 2016, the Azure Active Directory (Azure AD) signing key will roll over. Your application(s) may experience downtime if it does not automatically handle this rollover. ...

    If the application does not handle the signing key rollover, the application needs to be updated to the new signing key manually."
    ---------------

    I'm not sure whether OpenID can handle the signing key rollover automatically.
    If it is not, what should I do?

    Thanks
    Zurina
  • Shannon Talbot
    Fri, 2 Sep 2016, 1:55 PM
    Hi, I've set up the OIDC plugin using the Client ID and Key given from AZURE AD
    I left my Auth Endpoint and Token Endpoints as the defaults (login.windows.... so on)
    The redirect URI is http://our.moodle.server.com/auth/oidc/
    I've used Authorization Request

    Running version 2.9

    I get the following error when setting an admin account for the Office plugin:
    OIDC id_token not received.
    with the following debug information:
    Debug info:
    Error code: errorauthnoidtoken
    Stack trace:
    line 145 of /auth/oidc/classes/loginflow/authcode.php: moodle_exception thrown
    line 77 of /auth/oidc/classes/loginflow/authcode.php: call to auth_oidc\loginflow\authcode->handleauthresponse()
    line 92 of /auth/oidc/auth.php: call to auth_oidc\loginflow\authcode->handleredirect()
    line 29 of /auth/oidc/index.php: call to auth_plugin_oidc->handleredirect()

    Any idea what's wrong here?
  • Wazza
    Fri, 16 Sep 2016, 5:39 PM
    We are using SAML for Moodle authentication. We have this plugin installed but disabled. Yet every day some users automatically get set to OpenID authentication.

    I think this happens when they are logged into Moodle and they go single sign on to Office 365. Somewhere the user is set to OpenID... after that they can no longer log in to Moodle.

    We are using Moodle 3.1 and OpenID 3.0.0.5. Is this bug known?
  • Wazza
    Fri, 16 Sep 2016, 5:40 PM
    Correction: version 30.0.0.5
  • James McQuillan
    Wed, 28 Sep 2016, 1:31 PM
    Hi Richard - can you provide any more information about what your users might be doing to initiate this? There are a few places where a user can switch to OpenID Connect, but it shouldn't happen without some kind of intentional action.
  • self portrait photograph
    Mon, 28 Nov 2016, 8:24 PM
    Hi, has there been any consideration of allowing configuration of multiple providers with this plugin? If a 3rd party developed this functionality, would it be in scope for merging upstream?
    E.g. O365 and HumanitarianID on the same Moodle site, both configured using the same instance of the OpenID connect plugin.
  • James McQuillan
    Tue, 29 Nov 2016, 4:02 AM
    @chris - we don't have a plan for that at the moment but do feel free to submit a pull request on GitHub. All development is done in a unified repository for Office 365 Moodle development - https://github.com/Microsoft/o365-moodle.
  • Hari Vege
    Wed, 1 Feb 2017, 1:47 AM
    I have a set of users already added into my moodle site with their email addresses being uni addresses and their username being their student ID. I now want them to login to their moodle account through their office 365 credentials and still access their original accounts instead of ending up creating new accounts. Any help in this regard.
  • James McQuillan
    Fri, 3 Feb 2017, 6:20 AM
    @hari vege - Have you connected the existing Moodle user accounts to their Office 365 accounts using the Office plugins? Not sure whether you need help doing that or whether you have done that and are experiencing problems.
  • Wazza
    Fri, 17 Feb 2017, 3:36 AM
    James, sorry for my late response. I forgot to subscribe to this thread.

    I can't find out what my users are doing, but still they get switched to OpenID authentication in Moodle. I only notice this when I get reports about users not being able to login. Upon checking, I always find out that the users are switched to OpenID instead of SAML.

    Is there any place where users can set this themselves? I can hardly imagine it. I think it happens when they click the Moodle TILE in the Office 365 environment. You know, the page where all the tiles are in Office 365 (tiles like Sharepoint, Delve, Word, etc.; we have a Moodle tile there too).
  • Gopal Velusamy
    Fri, 17 Mar 2017, 1:08 PM
    Is it possible to do SSO using the OpenID Connect plugin with Azure AD?
    Also, is the Office 365 plugin mandatory for SSO with Azure AD?
  • James McQuillan
    Thu, 23 Mar 2017, 2:13 PM
    @richard - Are you on the newest version of the plugins? There was a specific situation, fixed around November, that could lead to a user being switched to OpenID Connect auth. It is possible for users to switch their authentication using the plugins, but this is disabled by default (controlled via capability that users are not given automatically). So next steps I would recommend that you upgrade to the newest version of the plugins, and verify you have not granted any auth/oidc capabilities to the users in question.
  • James McQuillan
    Thu, 23 Mar 2017, 2:14 PM
    @gopal You can do SSO with Azure AD using only this plugin. The rest of the Office 365 plugins provide additional features, but a simple SSO only requires this plugin.
  • Sung Choi
    Fri, 2 Jun 2017, 11:04 PM
    Hi,
    I just installed the Office 365 integration plugin and am following the configuration steps, but can't do step 2: Set system API user. When I click the 'Set User' button, I see the page with 'Please configure OpenID Connect server endpoint.' and on the browser console, I see the message: '/local/o365/acp.php?mode=setsystemuser:1 GET http://example.com/local/o365/acp.php?mode=setsystemuser 404 (Not Found)'. And when I visited the Sign-on URL 'http://training.aerothreads.com/auth/oidc/' I get the same message, too. I feel like I am missing something obvious, but I can't figure it out. Does anyone have similar experience and how did you resolve this?

    My Moodle version is 3.2.2+ (Build: 20170412)
  • Samuli Koskinen
    Tue, 11 Jul 2017, 9:06 PM
    Is there a way to get the 'email' attribute for the user when using oidc to create a new account? This would be very crucial for me, since I have some automatic actions based on the user's email.