Authentication: OpenID Connect

auth_oidc
Maintained by James McQuillan, Zion Brewer, Nima Mojgani
The OpenID Connect plugin provides single-sign-on functionality using configurable identity providers.
Mike Churchward
Thursday, 17 March 2016, 3:17 AM
Usability
10/10
Technical
8/10
General comments

Version Reviewed: 30.0.0.5


Summary:
The OpenID Connect plugin is used to authenticate users against any site or authentication tool that supports the OpenID Connect specification. It is bundled with the Microsoft Office 365 plugins and is used to provide single sign on support with Microsoft Office 365. This plugin is essential for providing single sign on within the other plugins in the Office 365 suite of plugins.

The OpenID Connect plugin provides institutions with two login workflow options to meet their specific needs. The first option allows users to use their Office 365 email and password to log in directly using Moodle’s username and password fields. This provides users with a simple login workflow, but does not sign the user into Office 365. The second workflow requires the user to click a link to log in through Office 365 or the OpenID Connect provider on their page.

Overall OpenID Connect is a useful plugin for the Office 365 integration and it provides the single sign on option to institutions and enables the Office 365 features. It needs to be tested with other OpenID Connect providers to determine if it is useful outside of Office 365.

Confidence:

The OpenID Connect plugin is new, but is supported by both Microsoft and Remote-Learner. Both Microsoft and Remote-Learner have been actively maintaining the plugin with a very agile release schedule. The plugin works well with Office 365; the open question is whether it will work equally well with other OpenID Connect providers.


Usability

Installation:

The OpenID Connect plugin is installed using the normal process for plugins: either clone the git repository or download the zip file, then follow the steps below.

  1. Unpack the plugin into /auth/oidc within your Moodle install.

  2. From the Moodle Administration block, expand Site Administration and click "Notifications".

  3. Follow the on-screen instructions to install the plugin.

  4. To configure the plugin, from the Moodle Administration block, go to Site Administration > Plugins > Authentication > Manage Authentication.

  5. Click the icon to enable the plugin, then visit the settings page to configure the plugin. Follow the directions below each setting.

Once the plugin is installed, user accounts will need to be changed to use the authentication type or created using the authentication type. The Office 365 local plugin can help automate this process.

Walkthrough:

The workflow for using the plugin is the same for any user and will vary based on the login workflow that an institution chooses to use.

 Authorization Request

In this login workflow, the user navigates to the Moodle login page and clicks the link under “login using your account on”. The name of the link can be controlled by the administrator within the OpenID Connect settings. The user then logs in using the external system’s OpenID Connect process. For Office 365 this can be as simple as selecting your account if you have logged in before; otherwise you will need to type in your email address and password. Once you have authenticated with the external system, you are returned to Moodle. At this point the user is signed into both Moodle and the OpenID Connect system, and any subsequent access to the system supporting the OpenID Connect system will have the user automatically logged in.

Username/Password Authentication

In this login workflow, the user logs into Moodle by entering their username and password for the OpenID Connect system in the username and password fields of the Moodle login page. After the user clicks the login button, the username and password are validated with the OpenID Connect system and the user is then logged into Moodle. With this login workflow the user is not signed into the OpenID Connect system. That system is just used to validate that the username and password are correct. Any use of the OpenID Connect service provider will require the user to log in to that system separately. For example, if I accessed the OneDrive for Business repository I would be required to log in to Office 365 again.
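
The two workflows above differ in where the password travels. The sketch below is an added example, not the plugin's code: it assumes the first workflow is a standard OpenID Connect authorization code request and the second is the OAuth 2.0 resource owner password credentials grant, and the endpoint, client ID and redirect URI are constructed placeholders.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders, not taken from the plugin or any real tenant.
AUTHORIZATION_ENDPOINT = "https://idp.example.com/authorize"
CLIENT_ID = "moodle-client-id"
REDIRECT_URI = "https://moodle.example.edu/auth/oidc/"

def build_authorization_request():
    """Workflow 1: the browser is sent to the provider; Moodle never sees the password."""
    state = secrets.token_urlsafe(32)  # ties the callback to this browser session
    nonce = secrets.token_urlsafe(32)  # must later match the nonce claim in the ID token
    params = {
        "response_type": "code",
        "scope": "openid",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,
        "nonce": nonce,
    }
    return AUTHORIZATION_ENDPOINT + "?" + urlencode(params), state, nonce

def code_from_callback(callback_url, expected_state):
    """Return the authorization code only if the callback carries the stored state."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError("provider returned error: " + query["error"][0])
    returned = query.get("state", [""])[0]
    if not hmac.compare_digest(returned.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback does not belong to this login")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code

def build_password_grant_body(username, password):
    """Workflow 2: the password typed into Moodle's form is forwarded in the token request."""
    return urlencode({
        "grant_type": "password",
        "scope": "openid",
        "client_id": CLIENT_ID,
        "username": username,
        "password": password,
    })

if __name__ == "__main__":
    url, state, nonce = build_authorization_request()
    print(url)
    print(build_password_grant_body("user@example.edu", "constructed-password"))
```

In the first request the only secrets are the random `state` and `nonce`; in the second, the user's password is present in a request built by the Moodle server, so it passes through Moodle's login form and process memory.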

Documentation:

The documentation is sufficient for the plugin when it comes to using it with Office 365. It walks through the configuration of the plugin as well as how to transition users to using the authentication plugin.

The documentation currently doesn’t help an administrator configure the plugin to work with other OpenID Connect service providers. Once the configuration is completed and working the transition documentation will be applicable for any OpenID Connect provider.

Uses:

OpenID Connect is used to allow institutions to sign users into systems that support the OpenID Connect framework. The major benefit is that it allows a reduction in the number of logins with integrations to external systems that support the same authentication framework.

Accessibility

No formal accessibility testing was done on this plugin. However, nothing has come up in our other tests to indicate a problem. In the future, we will be developing more formal accessibility testing suites and will redo them then.

Technical

Code Review:

Full code testing results

(Scores out of 2 - 2 = perfect; 1 = some concerns; 0 = problems.)
Tested for PHP 5.6 and 7 on both MySQL and Postgres. No technology-version problems were found. Score - 2.
Installation test (mpci install) - no problems. Score 2.
PHP syntax test (mpci phplint) - no problems. Score 2.
PHP copy/paste detector (mpci phpcpd) - No duplications. Score 2.
PHP code complexity (mpci phpmd) - generally code is okay. Twelve files out of ~40 flagged with simple and difficult violations. Score - 1.
Moodle code guidelines (mpci codechecker) - Several minor Moodle coding guideline violations (37% of files violate). Score - 1.
CSS syntax test (mpci csslint) - no problems. Score 2.
JS syntax test (mpci jshint) - no files. Score 2.
Moodle plugin structure test - Passed. Score - 2.
PHPUnit tests - 17 tests / 37 assertions passed. Score - 2.
Behat tests - No tests provided. Score - 0.
Total score 18 / 22 - 82%.  

Maintenance Review:

(Scores out of 2 - 2 = confident; 1 = nervous; 0 = concerned.)
Lifetime: Plugin has existed since January 2015 on version 2.7. Score - 1
Releases: Frequent releases to Moodle plugins DB, with the latest in February 2016. Score - 2
Maintainers: James McQuillan of Remote-Learner (former Moodle Partner) and Microsoft. Score - 2
Support Response: Has a component in Moodle Tracker. Uses Github tracker. Uses Moodle forums. Responds in plugins DB. Score - 2
Release timing: How quickly is a release made available to a major Moodle release? 3.0, 2.9, 2.8, 2.7 met criteria. Score - 2

 Total score 9 / 10 - 90%.