JWT SSO authentication

Maintained by Christopher Reimann
Moodle authentication plugin for secure Single Sign-On using signed JWTs (with nonce/jti replay protection, JWKS or PEM key validation, and detailed event logging).

JWT SSO Authentication for Moodle (auth_jwtsso)

Authenticate users in Moodle using signed JSON Web Tokens (JWT) issued by your external Identity Provider (IdP).

The JWT SSO Authentication plugin allows seamless single sign-on (SSO) between Moodle and any system capable of generating signed JWTs — including Odoo, Keycloak, Django, Flask, or custom Python/Node/PHP IdPs.
It supports both IdP-initiated and SP-initiated login flows and enforces strict security and standards compliance.

🔐 Key Features

  • Industry-standard JWT validation
    Supports RS256 and ES256 algorithms, verified against a JWKS endpoint or static PEM public key.

  • Nonce-based replay protection
    Implements one-time use nonces (and optional JWT IDs) to ensure tokens cannot be reused.

  • Flexible claim mapping
    Map user identity fields (username, email, given/family name) to custom claim names in the JWT.

  • Just-in-time user provisioning (optional)
    Automatically creates Moodle accounts on first login if permitted.

  • Detailed event logging (optional)
    Log key authentication events such as token reception, signature verification, and successful login.

  • SP-initiated SSO support
    Adds a “Login via external SSO” button on the Moodle login page, generating and storing a fresh nonce before redirecting to the IdP.

  • IdP-initiated SSO
    Accepts direct JWT-based redirects from trusted issuers for integration with Odoo, Keycloak, or other enterprise IdPs.
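
The replay protection and algorithm restriction listed above, sketched for the SP-initiated flow as an added example (not the plugin's own code, which is PHP and is not shown on this page). The class and function names, the in-memory store and the 300-second nonce lifetime are assumptions; signature verification is assumed to have happened before check() is called.

```python
import base64, json, secrets, time

ALLOWED_ALGS = {"RS256", "ES256"}  # the two algorithms the feature list names
NONCE_TTL = 300                    # assumed lifetime (seconds) of an unused nonce

class ReplayGuard:
    """In-memory stand-in (hypothetical) for a server-side nonce / jti store."""
    def __init__(self, clock=time.time):
        self.clock = clock
        self.nonces = {}    # nonce -> expiry time, stored before redirecting to the IdP
        self.seen_jti = {}  # jti -> token exp, remembered until that token expires

    def issue_nonce(self):
        # Fresh, unguessable value generated for each SP-initiated login attempt.
        nonce = secrets.token_urlsafe(32)
        self.nonces[nonce] = self.clock() + NONCE_TTL
        return nonce

    def check(self, claims):
        """Run on claims from an already signature-verified token. Returns (ok, reason)."""
        now = self.clock()
        exp = claims.get("exp")
        if not isinstance(exp, (int, float)) or exp <= now:
            return False, "expired"
        nonce = claims.get("nonce")
        # pop() consumes the nonce on first presentation, so a second use always fails.
        expiry = self.nonces.pop(nonce, None) if isinstance(nonce, str) else None
        if expiry is None:
            return False, "unknown-or-used-nonce"
        if expiry <= now:
            return False, "nonce-expired"
        jti = claims.get("jti")
        if jti is not None:  # the jti check is optional, as in the feature list
            self.seen_jti = {j: e for j, e in self.seen_jti.items() if e > now}
            if not isinstance(jti, str) or jti in self.seen_jti:
                return False, "jti-rejected"
            self.seen_jti[jti] = exp
        return True, "ok"

def header_alg_allowed(token):
    """Reject 'none', HS256 and anything else outside the allow-list before choosing a key."""
    segment = token.split(".")[0]
    padded = segment + "=" * (-len(segment) % 4)
    try:
        header = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return False
    return isinstance(header, dict) and header.get("alg") in ALLOWED_ALGS
```

In a multi-process deployment the nonce lookup and deletion must be a single atomic operation in the shared store, otherwise two concurrent requests can both consume the same nonce.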

Contributors

Christopher Reimann (Lead maintainer)