OpenID Connect

Authentication ::: auth_oidc
Maintained by Enovation Dev Team, Lai Wei
Part of set Microsoft 365.
The OpenID Connect plugin provides single-sign-on functionality using configurable identity providers.
7801 sites
3k downloads
92 fans
Current versions available: 7

OpenID Connect Authentication Plugin

The OpenID Connect plugin provides single-sign-on functionality using configurable identity providers, including Azure Active Directory. It is used as part of the Microsoft 365 suite of plugins to connect to Azure Active Directory, but can be configured to provide SSO integration between Moodle and other OpenID Connect providers as well.

This is part of the suite of Microsoft 365 plugins for Moodle.

To follow active development on GitHub, or to find historical versions, click here.

The Moodle versions supported by this plugin are in line with core Moodle version support.

Questions and issue reporting

GitHub should be used for reporting issues found when configuring or using the plugin, and to ask questions. The comments area on this page is not actively monitored.

Contributing

Before we can accept your pull request, you'll need to electronically complete Microsoft's Contributor License Agreement. If you've done this for other Microsoft projects, then you're already covered.

Why a CLA? (from the FSF)

Copyright

(c) Microsoft, Inc.

Code for this plugin is licensed under the GPLv3 license.

Any Microsoft trademarks and logos included in these plugins are property of Microsoft and should not be reused, redistributed, modified, repurposed, or otherwise altered or used outside of this plugin.

Contributors

Enovation Dev Team (Lead maintainer)
Vinayak (Vin) Bhalerao

Comments

  • Eric Breton
    Fri, 12 Apr 2019, 10:39 PM
    Hello, can you tell us if the plugin will support version 3.6 of Moodle in the near future?
  • Daniel Neis Araujo
    Thu, 6 June 2019, 2:20 AM
    What about support for 3.7?
  • Joshua Brewer
    Tue, 30 July 2019, 3:29 AM
    Yes, please 3.7
  • Jörg Tuttas
    Tue, 20 Aug 2019, 4:44 PM
    Hello, we are a big vocational school in Germany and use LDAP for our pupils to sign into Moodle. Now we used the Office365 plugins to use OneDrive as a repository.

    Now we have the problem that if a user connects their account with the Office365 account, they are connected via OpenID Connect and we lose them for our LDAP subscription (with the groups etc.).

    So is there a way to use the Office365 plugins without OpenID Connect, so that our students can use the Office 365 integration and stay in our LDAP subscription?

    Looking forward to hearing from you, thanks in advance

    best regards

    jtuttas
  • Martin Steinharst
    Tue, 28 Jan 2020, 2:27 PM
    Hello community and developers,

    I have upgraded my Moodle instance from version 3.7 to 3.8, including some plugins.
    Afterwards, I logged in with the admin user. Working.

    Then checked a test user login, which was created and regularly synced with the plugin auth_oidc from Azure.
    That doesn't work. I can create local users and login, but not with the users created and synced from Azure. (my problem)

    I made a health check at Website-Administration -> Plugins -> local plugins -> Office365-Integration -> Advanced.
    It replies: Office 365 API calls are executing at full speed.

    I reran Azure-Setup within Moodle, which states:
    - Unified API is active
    - Application Permissions Correct
    - Permissions Correct

    I synchronised users manually under scheduled tasks.
    And received: Could not assign user "user@domain.tld" Reason: No token available for usersync
    Here may be my problem.

    I cleaned OpenID Connect Tokens.
    And checked Azure App-Registration within Microsoft Backend, which also seems fine.



    I am a little lost now and ask you for help.

    - Is this plugin with v3.7 still working with a v3.8 instance?
    - And, does anyone have suggestions on the "auth_oidc" plugin issue and how to solve it?

    Thanks to you all!

    Martin
  • Arun Kumar M
    Fri, 10 July 2020, 3:04 PM
    Hi, will OpenID Connect support the Moodle app?
  • Eli Fadida
    Thu, 6 Aug 2020, 1:24 AM
    Hello Community, need your help with this plugin.

    Running Moodle 3.9.1 and OIDC for authentication, new users cannot sign in
    (current users can).

    New (first-time) users are forwarded to the Office365 login page; on the first try they get the following error: "Error in API call: Insufficient privileges to complete the operation"

    and then with every retry: "The existing token for this user does not contain a valid user ID"

    Checked the "auth_oidc_token" table, I see they get userid=0;
    when checking the "users" table, they are not listed there at all.

    Deleting the userid=0 records from "auth_oidc_token" does not help; they get the same error and are again created only in the "auth_oidc_token" table.

    To complete the picture:
    I have another Moodle site with the same configuration (as far as I can see) that seems to work fine (for the same users).

    Any idea where to start?
  • Jorge Alberto Barradas Martínez
    Thu, 6 Aug 2020, 4:04 AM
    Hi Eli Fadida, have you found a solution? I have the same problem. Thanks a lot.
  • Eli Fadida
    Mon, 10 Aug 2020, 6:03 AM
    Hello, Jorge Alberto Barradas Martínez.
    I couldn't solve the issue, so I replaced the OIDC folder with the older version's folder. Now it works again (proving that the O365 is properly configured),
    but the plugin page is requesting an update.
    Anyway, it works for now, until I find the solution.
  • Sebastjan Pivk
    Mon, 17 Aug 2020, 8:46 PM
    I have the same problem. New users cannot login.
    We use version 3.9.1 of Moodle.
    I cannot succeed with the old OIDC plugin method. Every time I log in, it wants to update.
    I found that an old version of Moodle (3.7 and 3.8) had the same problem and it was fixed later.
    Is there any solution known for version 3.9.1+? We really need to have this fixed.
    New school year starts from 1st of September 2020 and I need to have 600 new students imported and working till then.
    Please help ASAP!
  • Eli Fadida
    Mon, 17 Aug 2020, 9:26 PM
    Hi @Sebastjan Pivk, I didn't find a solution yet.
    When rolling back to the older version, I get the same upgrade requirement (for admin users), but the OIDC works; I believe this says that the Office365 configurations are still OK.
    You can meanwhile follow this thread on GitHub: https://github.com/microsoft/o365-moodle/issues/1342 and maybe post your issue there as well.
    Some of the solutions (delete the tokens with userid=0) helped some of the people in the thread; it doesn't work for me though.
  • Arnaud Chauvière
    Tue, 18 Aug 2020, 4:48 PM
    Hi,
    We had the same problem but found a solution.
    It was a permission in Azure AD to update (User.Read).
    After that, we manually executed a task (php admin/tool/task/cli/schedule_task.php --execute='\local_o365\task\refreshsystemrefreshtoken') if local_o365 is installed.
    Finally, we removed all tokens with userid = 0.
    For us, this problem is solved.
  • Sebastjan Pivk
    Tue, 18 Aug 2020, 6:11 PM
    I have granted (User.Read) for my company and the Type is Delegated.
    What changes do I have to make to this?
    And we use Windows for Moodle; how do I start the task you provided?
  • Sebastjan Pivk
    Tue, 18 Aug 2020, 7:45 PM
    I need info on whether this is a problem only in version 3.9 and if there's any plan to fix it in the near future (days)?
    I upgraded Moodle from 3.6.5 to 3.9 and this broke. New users cannot log in but old ones can, and they can also change their password. So part of the plugin works.
    I found out that the "Refresh system API user refresh token" task fails with an error (Scheduled task failed: Refresh system API user refresh token (local_o365\task\refreshsystemrefreshtoken),Could not get app or system token).
    Deleting tokens did not work. It constantly creates new ones with value zero (0).
    What is the plan if there's no solution in a few days? I need to import new users to Azure AD and a working solution ASAP.
    Is it better to downgrade back to 3.6 and upgrade to 3.8? Is this solved there?
    Yesterday I tried to downgrade to 3.8 but got an "upgrade requirement" loop.
  • Edward Henry Gomez Pineda
    Thu, 3 Sept 2020, 10:57 PM
    error
    DDL sql runtime error

    Información de depuración: Table 'mdl_auth_oidc_prevlogin' already exists
    CREATE TABLE mdl_auth_oidc_prevlogin (
    id BIGINT(10) NOT NULL auto_increment,
    userid BIGINT(10) NOT NULL,
    method VARCHAR(255) COLLATE utf8mb4_unicode_520_ci NOT NULL DEFAULT '',
    password VARCHAR(255) COLLATE utf8mb4_unicode_520_ci NOT NULL DEFAULT '',
    CONSTRAINT PRIMARY KEY (id)
    , UNIQUE KEY mdl_authoidcprev_use2_uix (userid)
    )
    ENGINE = InnoDB
    DEFAULT COLLATE = utf8mb4_unicode_520_ci ROW_FORMAT=Compressed
    COMMENT='Stores previous login methods.'
    ;
    CREATE TABLE mdl_auth_oidc_state (
    id BIGINT(10) NOT NULL auto_increment,
    sesskey VARCHAR(10) COLLATE utf8mb4_unicode_520_ci NOT NULL DEFAULT '',
    state VARCHAR(15) COLLATE utf8mb4_unicode_520_ci NOT NULL DEFAULT '',
    nonce VARCHAR(15) COLLATE utf8mb4_unicode_520_ci NOT NULL DEFAULT '',
    timecreated BIGINT(10) NOT NULL,
    additionaldata LONGTEXT COLLATE utf8mb4_unicode_520_ci,
    CONSTRAINT PRIMARY KEY (id)
    , KEY mdl_authoidcstat_sta2_ix (state)
    , KEY mdl_authoidcstat_tim2_ix (timecreated)
    )
    ENGINE = InnoDB
    DEFAULT COLLATE = utf8mb4_unicode_520_ci ROW_FORMAT=Compressed
    COMMENT='Map of state to sesskey.'
    ;
    CREATE TABLE mdl_auth_oidc_token (
    id BIGINT(10) NOT NULL auto_increment,
    oidcuniqid VARCHAR(255) COLLATE utf8mb4_unicode_520_ci NOT NULL DEFAULT '',
    username VARCHAR(100) COLLATE utf8mb4_unicode_520_ci NOT NULL DEFAULT '',
    userid BIGINT(10) NOT NULL DEFAULT 0,
    oidcusername VARCHAR(255) COLLATE utf8mb4_unicode_520_ci NOT NULL DEFAULT '',
    scope LONGTEXT COLLATE utf8mb4_unicode_520_ci NOT NULL,
    resource VARCHAR(127) COLLATE utf8mb4_unicode_520_ci NOT NULL DEFAULT '',
    authcode LONGTEXT COLLATE utf8mb4_unicode_520_ci NOT NULL,
    token LONGTEXT COLLATE utf8mb4_unicode_520_ci NOT NULL,
    expiry BIGINT(10) NOT NULL,
    refreshtoken LONGTEXT COLLATE utf8mb4_unicode_520_ci NOT NULL,
    idtoken LONGTEXT COLLATE utf8mb4_unicode_520_ci NOT NULL,
    CONSTRAINT PRIMARY KEY (id)
    , KEY mdl_authoidctoke_oid2_ix (oidcuniqid)
    )
    ENGINE = InnoDB
    DEFAULT COLLATE = utf8mb4_unicode_520_ci ROW_FORMAT=Compressed
    COMMENT='Stores tokens.'
    Error code: ddlexecuteerror