Authentication: OpenID Connect

auth_oidc
Maintained by James McQuillan, Zion Brewer, Nima Mojgani
The OpenID Connect plugin provides single-sign-on functionality using configurable identity providers.
1902 sites
2k downloads
35 fans

OpenID Connect Authentication Plugin

The OpenID Connect plugin provides single-sign-on functionality using configurable identity providers, including Azure Active Directory. It is used as part of the Office 365 suite of plugins to connect to Azure Active Directory, but can be configured to provide SSO for other OpenID Connect providers as well.


This is part of the suite of Office 365 plugins for Moodle.

This plugin is updated with stable releases. To follow active development on GitHub, click here.


Contributing

Before we can accept your pull request, you'll need to electronically complete Microsoft's Contributor License Agreement. If you've done this for other Microsoft projects, then you're already covered.

Why a CLA? (from the FSF)


Copyright

(c) Microsoft, Inc.  Code for this plugin is licensed under the GPLv3 license.

Any Microsoft trademarks and logos included in these plugins are property of Microsoft and should not be reused, redistributed, modified, repurposed, or otherwise altered or used outside of this plugin.

Sets

This plugin is part of set Office 365.


Contributors

James McQuillan (Lead maintainer)
Vinayak (Vin) Bhalerao
Akinsaya Delamarre

Comments
  • James McQuillan
    Fri, 3 Feb 2017, 6:20 AM
    @hari vege - Have you connected the existing Moodle user accounts to their Office 365 accounts using the Office plugins? Not sure whether you need help doing that or whether you have done that and are experiencing problems.
  • Wazza
    Fri, 17 Feb 2017, 3:36 AM
    James, sorry for my late response. I forgot to subscribe to this thread.

    I can't find out what my users are doing, but still they get switched to OpenID authentication in Moodle. I only notice this when I get reports about users not being able to login. Upon checking, I always find out that the users are switched to OpenID instead of SAML.

    Is there any place where users can set this themselves? I can hardly imagine it. I think it happens when they click the Moodle TILE in the Office 365 environment. You know, the page where all the tiles are in Office 365 (tiles like SharePoint, Delve, Word, etc.; we have a Moodle tile there too).
  • Gopal Velusamy
    Fri, 17 Mar 2017, 1:08 PM
    Is it possible to do SSO using the OpenID Connect plugin with Azure AD?
    Also, is the Office 365 plugin mandatory for SSO with Azure AD?
  • James McQuillan
    Thu, 23 Mar 2017, 2:13 PM
    @richard - Are you on the newest version of the plugins? There was a specific situation, fixed around November, that could lead to a user being switched to OpenID Connect auth. It is possible for users to switch their authentication using the plugins, but this is disabled by default (controlled via capability that users are not given automatically). So next steps I would recommend that you upgrade to the newest version of the plugins, and verify you have not granted any auth/oidc capabilities to the users in question.
  • James McQuillan
    Thu, 23 Mar 2017, 2:14 PM
    @gopal You can do SSO with Azure AD using only this plugin. The rest of the Office 365 plugins provide additional features, but a simple SSO only requires this plugin.
  • Sung Choi
    Fri, 2 Jun 2017, 11:04 PM
    Hi,
    I just installed the Office 365 integration plugin and am following the configuration steps but can't do step 2: Set system API user. When I click the 'Set User' button, I see the page with 'Please configure OpenID Connect server endpoint.' and on the browser console, I see the message: '/local/o365/acp.php?mode=setsystemuser:1 GET http://example.com/local/o365/acp.php?mode=setsystemuser 404 (Not Found)'. And when I visited the Sign-on URL 'http://training.aerothreads.com/auth/oidc/' I get the same message, too. I feel like I am missing something obvious, but I can't figure it out. Does anyone have similar experience and how did you resolve this?

    My Moodle version is 3.2.2+ (Build: 20170412)
  • Samuli Koskinen
    Tue, 11 Jul 2017, 9:06 PM
    Is there a way to get the 'email' attribute for the user when using oidc to create a new account? This would be very crucial for me, since I have some automatic actions based on the user's email.
  • ajay kotnala
    Wed, 26 Jul 2017, 6:58 PM
    Hi,

    I am trying to consume this library with existing Identityserver 3 integration.
    I am using

    $plugin->version = 2016120501;
    $plugin->requires = 2016120500;
    $plugin->component = 'auth_oidc';
    $plugin->maturity = MATURITY_STABLE;
    $plugin->release = '3.2.0.1';

    and I have one client in Identityserver 3 with
    redirect URI
    Flow is Authorization code
    Logout Uri and almost everything.
    I have already tried this client(idsrv3) with another application and it is working fine.

    In DashboardSite --> administration -->Plugins -->Authentication -->OpenID Connect

    I have configured
    Provider name = OpenID Connect
    ClientId = same as idsrv3
    Authorization endpoint= https://myidentityserver3.com/identity
    Token Endpoint= https://myidentityserver3.com/identity/connect/token
    Redirect URI = https://localhost/moodle/auth/oidc/
    Authentication Method = Authorization Code Flow (recommended)

    but it is not showing any link or any changes on my login page.
    Please tell me whether it works with identityserver3 or not.
    If yes, then what am I missing?

    Thanks,
    ajay kotnala
    kotnala.ajayk@gmail.com
  • Thomas College
    Wed, 2 Aug 2017, 9:57 PM
    We are currently using the OIDC plugin for Office 365 authentication. Would there be any benefit to moving from the OIDC plugin to the built in OAuth2 plugin available in Moodle 3.3 core? It seems to me that OIDC would be the better choice, but I was hoping to get input from those more knowledgeable than me.

    Thanks
  • Anderson Hsu
    Sat, 12 Aug 2017, 9:23 PM
    Can we use the plugin for SSO with Confluence and Moodle? We are trying to find a single sign-on plugin for Confluence and Moodle. Thanks a lot.
  • W Roes
    Wed, 8 Nov 2017, 5:57 PM
    What happens if a username (upn) is updated in ADFS? As far as I can see in loginflow/authcode.php/handlelogin it then tries to login with the old username even though this was updated in Moodle as well.

    Thanks,
    Willem
  • A Guy
    Tue, 13 Mar 2018, 6:18 AM
    We have Moodle 2.7. I've installed your plugin. But when I click on the OpenID Connect icon on the login page I get
    [12-Mar-2018 21:31:10 UTC] Default exception handler: Error in OpenID Connect. Please check logs for more information. Debug:
    Error code: erroroidccall
    * line 47 of /auth/oidc/classes/utils.php: moodle_exception thrown
    * line 252 of /auth/oidc/classes/oidcclient.php: call to auth_oidc\utils::process_json_response()
    * line 177 of /auth/oidc/classes/loginflow/authcode.php: call to auth_oidc\oidcclient->tokenrequest()
    * line 84 of /auth/oidc/classes/loginflow/authcode.php: call to auth_oidc\loginflow\authcode->handleauthresponse()
    * line 105 of /auth/oidc/auth.php: call to auth_oidc\loginflow\authcode->handleredirect()
    * line 29 of /auth/oidc/index.php: call to auth_plugin_oidc->handleredirect()

    It looks like in utils.php there is a NULL value. Where do I start debugging this?
  • Troy Fennell
    Thu, 5 Apr 2018, 3:16 AM
    How can I add a regular expression to the OpenID Connect User Restrictions field? I have added google.com and @google.com so only those with a google.com email address can use the SSO access. But both times I get an error:

    This site has restrictions in place on the users that can log in with OpenID Connect. These restrictions currently prevent you from completing this login attempt.

    We are using an Identity Server 4. Should this parameter be established there or can we just do it at the LMS?
  • Gustė Briedytė
    Wed, 23 May 2018, 8:19 PM
    I'm facing basically the same problem as @A Guy, the only difference being that authcode.php seems to have gotten an extra 21 lines on my system. Does anyone have any thoughts, ideas, suggestions?
  • Stead Halstead
    Sat, 9 Jun 2018, 12:48 AM
    Hello! We're all good to go with the plugins - when we use the csv method of bulk connecting moodle accounts to office365, all is great.

    We're trying to figure out creation of new user accounts. We do not have the auto create account setting turned on (currently set to prevent) because we have some AD users that should not be able to sign into moodle. When we create a new account and tell it to use Open ID connect, the user gets "Invalid login: User not found in Moodle. If this site has the "authpreventaccountcreation" setting enabled, this may mean you need an administrator to create an account for you first." when they attempt to sign in with the Open ID link to Office 365.

    Is there a process by which newly created accounts can be automatically connected to Office 365/moodle accounts? The email address & username is the same. In this example, steadstudent1@university.edu is the O365 account, the moodle user is steadstudent1.

    Thanks!
    -Stead