
Unable to get a user token to access Moodle web services when using oidc auth code flow

Open charlesmulder opened this issue 3 years ago • 4 comments

When using Moodle manual login I am able to get a Moodle web service token for a specific user.

MOODLE_USERNAME=
MOODLE_PASSWORD=
MOODLE_WEBSERVICE=moodle_mobile_app

curl "http://moodle.example.com/login/token.php?username=$MOODLE_USERNAME&password=$MOODLE_PASSWORD&service=$MOODLE_WEBSERVICE" | jq

We are using oidc auth code flow to allow for single signon, but also require fetching Moodle webservice tokens from Moodle.

My expectation was that I would be able to request a Moodle token by including an authorization header containing a bearer token from the identity provider in the token request. Something along the lines of

BEARER_TOKEN=
curl -H "Authorization: Bearer $BEARER_TOKEN" "http://moodle.example.com/login/token.php?username=$MOODLE_USERNAME&password=$MOODLE_PASSWORD&service=$MOODLE_WEBSERVICE"

Or possibly replace the Moodle token with my bearer token, e.g.

curl --data "wstoken=$BEARER_TOKEN&wsfunction=core_course_get_courses&moodlewsrestformat=json" "http://moodle.example.com/webservice/rest/server.php"

However, the only way to retrieve a token is by adding a code query parameter containing the auth code.

AUTHCODE=
curl "http://moodle.example.com/login/token.php?username=$MOODLE_USERNAME&password=$MOODLE_PASSWORD&service=$MOODLE_WEBSERVICE&code=$AUTHCODE"

We are using Keycloak as our identity provider. The auth code is made up of three UUIDs concatenated by a full stop. The 2nd segment is a session id and the 3rd segment is the client id. However, we haven't been able to figure out what the 1st segment is.

I would appreciate hearing your thoughts on the matter.

Thanks for reading. C

charlesmulder avatar Nov 11 '21 17:11 charlesmulder
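As an added example (not code from the post above or from the o365-moodle plugin), the same two requests the post makes with curl, rewritten so that the credentials and the web service token travel in a POST body rather than in the query string, where they would otherwise end up in web-server, proxy and shell-history logs. It also checks Moodle's JSON error envelope instead of assuming a token came back: both login/token.php and webservice/rest/server.php answer HTTP 200 on failure and put the error in the body. The host name, user, service name and the sample responses in the test are constructed; the optional code parameter is passed through exactly as the post describes, without any claim about how Moodle interprets it.

```python
"""Added example, not part of the original issue or of the o365-moodle plugin.

Builds the login/token.php and webservice/rest/server.php requests as POST
bodies (credentials and token out of the URL) and inspects Moodle's JSON
error envelope. Host, user, password and service below are assumptions.
"""
import json
import urllib.parse
import urllib.request

MOODLE_BASE = "https://moodle.example.com"  # assumption: TLS in front of Moodle


class MoodleError(Exception):
    """Raised when Moodle returns its JSON error envelope."""


def build_token_request(base, username, password, service, code=None):
    """Return (url, body) for login/token.php as a form-encoded POST.

    `code` is the optional auth code parameter the post mentions; it is only
    sent when given. urlencode handles characters such as & and = in the
    password, which the curl one-liner in the post does not.
    """
    params = {"username": username, "password": password, "service": service}
    if code is not None:
        params["code"] = code
    return base + "/login/token.php", urllib.parse.urlencode(params).encode()


def build_ws_request(base, wstoken, wsfunction, **args):
    """Return (url, body) for webservice/rest/server.php with JSON output."""
    params = {"wstoken": wstoken, "wsfunction": wsfunction,
              "moodlewsrestformat": "json"}
    params.update(args)
    return (base + "/webservice/rest/server.php",
            urllib.parse.urlencode(params).encode())


def parse_token_response(raw):
    """login/token.php answers {"token": "..."} on success and
    {"error": "...", "errorcode": "..."} on failure, both with HTTP 200,
    so the body must be inspected rather than the status code."""
    data = json.loads(raw)
    if "error" in data:
        raise MoodleError(f"{data.get('errorcode')}: {data['error']}")
    if not data.get("token"):
        raise MoodleError("no token in response")
    return data["token"]


def parse_ws_response(raw):
    """server.php reports failures as {"exception": ..., "errorcode": ...,
    "message": ...}, again with HTTP 200; anything else is the result."""
    data = json.loads(raw)
    if isinstance(data, dict) and "exception" in data:
        raise MoodleError(f"{data.get('errorcode')}: {data.get('message')}")
    return data


def post(url, body):
    """Send a form-encoded POST and return the response body as text."""
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    # Assumed credentials and service name; replace with real values.
    url, body = build_token_request(MOODLE_BASE, "alice", "s3cret",
                                    "moodle_mobile_app")
    token = parse_token_response(post(url, body))
    url, body = build_ws_request(MOODLE_BASE, token, "core_course_get_courses")
    print(json.dumps(parse_ws_response(post(url, body)), indent=2))
```

Moodle reads these parameters from the POST body as well as from the query string, so the server side needs no change; the only difference from the curl commands is where the secrets appear on the wire and in logs.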

Hi @charlesmulder,

I understand the starting point of your question. I haven't tried to use auth_oidc along with the mobile app, but your point seems to be valid.

However, it looks like the changes required are in /login/token.php, which is out of the scope and control of the Microsoft plugins. Maybe try to raise it in the Moodle tracker? I suppose the problem you mentioned would apply to all authentication plugins that don't store passwords in the Moodle DB, so there's a chance that there are already similar questions in the Moodle tracker or forum. You may want to check that first.

Regards, Lai

weilai-irl avatar Nov 12 '21 10:11 weilai-irl

Dear @weilai-irl

Thank you for your response. I will do as you suggested and revert with relevant feedback.

C

charlesmulder avatar Nov 12 '21 10:11 charlesmulder

@weilai-irl I don't find any relevant issues on the Moodle tracker. I'll create a new one. Any suggestions to improve the clarity of the issue description are appreciated.

charlesmulder avatar Nov 12 '21 10:11 charlesmulder

Issue on Moodle tracker https://tracker.moodle.org/browse/MDL-73071

charlesmulder avatar Nov 12 '21 10:11 charlesmulder

@charlesmulder did you find a solution for your problem? If yes, can you please share it, because I'm trying to do the exact same thing right now but I can't figure it out.

SouheirSiren avatar Jan 03 '23 18:01 SouheirSiren

Hi @SouheirSiren

I don't recall resolving this issue. I think I settled for using Moodle tokens to query the Moodle API.

charlesmulder avatar Jan 04 '23 09:01 charlesmulder