OpenID Connect
OpenID Connect Authentication Plugin
The OpenID Connect plugin provides single-sign-on functionality using configurable identity providers, including Azure Active Directory. It is used as part of the Microsoft 365 suite of plugins to connect to Azure Active Directory, but can be configured to provide SSO integration between Moodle and other OpenID Connect providers as well.
This is part of the suite of Microsoft 365 plugins for Moodle.
To follow active development on GitHub, click here.
This plugin is updated with stable Moodle releases. This means:
- Bug fixes for general core bugs and security issues for all plugin versions for Moodle 3.8.x and earlier versions have ended, with the following exception:
  - Bug fixes for security issues for Moodle 3.5.x versions will end 10 May 2021.
  - Bug fixes for security issues for Moodle 3.8.x versions will end 10 May 2021.
- For plugin versions for Moodle 3.9:
  - Bug fixes for general issues will end 10 May 2021.
  - Bug fixes for security issues will end 8 May 2023.
- For plugin versions for Moodle 3.10:
  - Bug fixes for general issues will end 8 November 2021.
  - Bug fixes for security issues will end 9 May 2022.
Contributing
Before we can accept your pull request, you'll need to electronically complete Microsoft's Contributor License Agreement. If you've done this for other Microsoft projects, then you're already covered.
Why a CLA? (from the FSF)
Copyright
(c) Microsoft, Inc. Code for this plugin is licensed under the GPLv3 license.
Any Microsoft trademarks and logos included in these plugins are property of Microsoft and should not be reused, redistributed, modified, repurposed, or otherwise altered or used outside of this plugin.
I couldn't solve the issue, so I replaced the OIDC folder with the older version's folder. Now it works again (proving that the o365 is properly configured),
but the plugin page is requesting an update.
Anyway, it works for now, until I find the solution.
We use the 3.9.1 version of Moodle.
I cannot succeed with the old OIDC plugin method. Every time I log in it wants to update it.
I found that an old version of Moodle (3.7 and 3.8) had the same problem and it was fixed later.
Is there any solution known for version 3.9.1+? Because we really need to have this fixed.
The new school year starts on the 1st of September 2020 and I need to have 600 new students imported and working by then.
Please help ASAP!
When rolling back to the older version, I get the same upgrade requirement (for admin users), but the OIDC works; I believe it says that the Office365 configurations are still OK.
You can meanwhile follow this thread on GitHub: https://github.com/microsoft/o365-moodle/issues/1342 and maybe post your issue there as well.
Some of the solutions (delete the tokens with userid=0) helped some of the people in the thread; it doesn't work for me though.
We had the same problem but found a solution.
It was a permission in Azure AD to update (User.Read).
After that, we execute a task manually (php admin/tool/task/cli/schedule_task.php --execute='\local_o365\task\refreshsystemrefreshtoken') if local_o365 is installed.
Finally, we remove all tokens with userid = 0.
For us, this problem is solved.
What changes do I have to make for this?
And we use Windows for Moodle; how do I start the task you provide?
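The "remove all tokens with userid = 0" step above, as an added example that is not from the plugin or from anyone in this thread. It assumes MySQL/MariaDB and the default "mdl_" table prefix shown in the DDL quoted later on this page, and it inspects and backs up the rows before deleting them so the step can be checked and reversed.

```sql
-- Added example: remove orphaned OIDC token rows (userid = 0) from
-- mdl_auth_oidc_token with a check and a backup first.
-- Assumes MySQL/MariaDB and the default mdl_ table prefix.

-- 1. Inspect what would be removed: how many rows per resource and
--    OIDC username, and the expiry range, so stale rows are not
--    confused with a token that is still in use.
SELECT resource,
       oidcusername,
       COUNT(*)    AS rows_affected,
       MIN(expiry) AS earliest_expiry,
       MAX(expiry) AS latest_expiry
FROM mdl_auth_oidc_token
WHERE userid = 0
GROUP BY resource, oidcusername;

-- 2. Keep a copy of the rows (assumed backup table name) so the
--    deletion can be reverted with an INSERT ... SELECT if needed.
CREATE TABLE mdl_auth_oidc_token_userid0_bak AS
SELECT * FROM mdl_auth_oidc_token WHERE userid = 0;

-- 3. Remove the orphaned rows in one transaction.
START TRANSACTION;
DELETE FROM mdl_auth_oidc_token WHERE userid = 0;
COMMIT;
```

After the delete, run the refreshsystemrefreshtoken task as described in the post so the system API user's token is recreated.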
I upgraded Moodle from 3.6.5 to 3.9 and this broke. New users cannot log in but old ones can, and they also can change their password. So part of the plugin works.
I found out that the "Refresh system API user refresh token" task fails with an error (Scheduled task failed: Refresh system API user refresh token (local_o365\task\refreshsystemrefreshtoken),Could not get app or system token).
Deleting tokens did not work. It constantly creates new ones with a value of zero (0).
What is the plan if there's no solution in a few days? I need to import new users to Azure AD and need a working solution ASAP.
Is it better to downgrade back to 3.6 and upgrade to 3.8? Is this solved there?
Yesterday I tried downgrading to 3.8 but got an "upgrade requirement" loop.
DDL sql runtime error
Debug info: Table 'mdl_auth_oidc_prevlogin' already exists
CREATE TABLE mdl_auth_oidc_prevlogin (
id BIGINT(10) NOT NULL auto_increment,
userid BIGINT(10) NOT NULL,
method VARCHAR(255) COLLATE utf8mb4_unicode_520_ci NOT NULL DEFAULT '',
password VARCHAR(255) COLLATE utf8mb4_unicode_520_ci NOT NULL DEFAULT '',
CONSTRAINT PRIMARY KEY (id)
, UNIQUE KEY mdl_authoidcprev_use2_uix (userid)
)
ENGINE = InnoDB
DEFAULT COLLATE = utf8mb4_unicode_520_ci ROW_FORMAT=Compressed
COMMENT='Stores previous login methods.'
;
CREATE TABLE mdl_auth_oidc_state (
id BIGINT(10) NOT NULL auto_increment,
sesskey VARCHAR(10) COLLATE utf8mb4_unicode_520_ci NOT NULL DEFAULT '',
state VARCHAR(15) COLLATE utf8mb4_unicode_520_ci NOT NULL DEFAULT '',
nonce VARCHAR(15) COLLATE utf8mb4_unicode_520_ci NOT NULL DEFAULT '',
timecreated BIGINT(10) NOT NULL,
additionaldata LONGTEXT COLLATE utf8mb4_unicode_520_ci,
CONSTRAINT PRIMARY KEY (id)
, KEY mdl_authoidcstat_sta2_ix (state)
, KEY mdl_authoidcstat_tim2_ix (timecreated)
)
ENGINE = InnoDB
DEFAULT COLLATE = utf8mb4_unicode_520_ci ROW_FORMAT=Compressed
COMMENT='Map of state to sesskey.'
;
CREATE TABLE mdl_auth_oidc_token (
id BIGINT(10) NOT NULL auto_increment,
oidcuniqid VARCHAR(255) COLLATE utf8mb4_unicode_520_ci NOT NULL DEFAULT '',
username VARCHAR(100) COLLATE utf8mb4_unicode_520_ci NOT NULL DEFAULT '',
userid BIGINT(10) NOT NULL DEFAULT 0,
oidcusername VARCHAR(255) COLLATE utf8mb4_unicode_520_ci NOT NULL DEFAULT '',
scope LONGTEXT COLLATE utf8mb4_unicode_520_ci NOT NULL,
resource VARCHAR(127) COLLATE utf8mb4_unicode_520_ci NOT NULL DEFAULT '',
authcode LONGTEXT COLLATE utf8mb4_unicode_520_ci NOT NULL,
token LONGTEXT COLLATE utf8mb4_unicode_520_ci NOT NULL,
expiry BIGINT(10) NOT NULL,
refreshtoken LONGTEXT COLLATE utf8mb4_unicode_520_ci NOT NULL,
idtoken LONGTEXT COLLATE utf8mb4_unicode_520_ci NOT NULL,
CONSTRAINT PRIMARY KEY (id)
, KEY mdl_authoidctoke_oid2_ix (oidcuniqid)
)
ENGINE = InnoDB
DEFAULT COLLATE = utf8mb4_unicode_520_ci ROW_FORMAT=Compressed
COMMENT='Stores tokens.'
Error code: ddlexecuteerror
In my organization, after an update of our Moodle architecture (using AWS scalability), users sometimes get the following error. Does anyone have an idea how to troubleshoot it?
The architecture uses: Redis, EFS, 2 Moodle instances, AWS load balancers, and GlusterFS.
Error Code: erroroidccall
stacktrace Image: https://ibb.co/VjZ0nrL
Error in OpenID Connect: AADSTS9002313: Invalid request. Request is malformed or invalid
When going into the Health Check, it suggests that the System API User: Moodle does not have a token to communicate with Office 365 as the system API user. This can usually be resolved by resetting the system API user.
This has a fix it link. When we click the link it asks us to sign in with the API user and grant a load of permissions, then ends up back at the same page with the AADSTS9002313 error.
Any thoughts of what is causing this?
My users are getting the following error message when they try to single sign on into Moodle through office.com:
Error in OpenID Connect: AADSTS9002313: Invalid request. Request is malformed or invalid.