
auto-login feature

Status: Open. aspark21 opened this issue 3 years ago • 4 comments

This was one of the really nice features we saw with going down the auth_saml2 route but have now committed to using auth_oidc. It would detect if the user was logged in with the IDP and if so then would redirect them & log them in without any interaction required (https://github.com/catalyst/moodle-auth_saml2/pull/426)

It importantly does not redirect all users all the time, just the ones that are logged in which could make them be logged in to Moodle completely transparently.

We would be willing to support the implementation of this feature in whichever way (our devs, funding, etc).

aspark21 avatar Aug 30 '22 14:08 aspark21

Hi @aspark21,

Thank you for reporting this. I'll discuss the feasibility of this work with my team and get back to you soon.

Regards, Lai

weilai-irl avatar Sep 01 '22 11:09 weilai-irl

Hi @aspark21,

I think I may need some clarification on the feature required, and if I understand it correctly, the auth_oidc plugin can already do it.

The main configuration relevant is Force redirect in auth_oidc (auth_oidc | forceredirect). If enabled, users trying to access the login page will skip the login index page and be redirected to the OpenID Connect page. So if there is only one active user login in the browser session, the browser will try to log in as this user.

There is another remotely relevant setting, Force users to log in, in Administration => Security => Site security settings (forcelogin). If enabled, users will be required to log in to see anything on the site. Effectively this will trigger a redirect to the login page.

So if I understand your requirement correctly, using the combination of the two settings (or even the first one alone) should achieve what you want.

Obviously, if there are multiple active user logins in the browser session, or if the login attempt using the active user failed (e.g. because the user is from a different tenant), users will still see the login page. This would be the expected result.

Please review the answer and let us know if this isn't what's required.

Regards, Lai

weilai-irl avatar Oct 14 '22 14:10 weilai-irl

Hi Lai,

That's why I mentioned "It importantly does not redirect all users all the time, just the ones that are logged in which could make them be logged in to Moodle completely transparently."

Our site allows Moodle Guest Login and also has manual accounts for testing purposes so redirecting everyone to AAD authentication is not an option and forcing users to login isn't either.

Thanks Alistair

aspark21 avatar Oct 18 '22 16:10 aspark21

Hi @aspark21

This is indeed related to the latest PRs #2562, #2563 and #2564. We eventually found a way to implement this, using prompt=none for the prompt optional parameter in the authorization code request. See https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-auth-code-flow.

A new setting is to be added to the auth_oidc plugin configuration. See the provisional description of the setting for details.

[Screenshot attached: 2024-05-28 at 17:16:38, showing the provisional description of the new setting]

Regards, Lai

weilai-irl avatar May 28 '24 16:05 weilai-irl
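As an added illustration of the prompt=none approach Lai describes (example code, not the o365-moodle plugin's own implementation): the authorization request carries prompt=none, and the error codes the identity provider returns when it cannot sign the user in silently are the signal to show the normal login page instead, which is what keeps guest and manual accounts from being forced into Azure AD. The endpoint, client ID and redirect URI below are placeholders.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Error codes an OpenID Connect provider returns to a prompt=none request when
# it would need to show UI; each one means "fall back to the interactive login
# page", not "the user is unauthorised".
SILENT_AUTH_FAILURES = {
    "login_required", "interaction_required",
    "consent_required", "account_selection_required",
}


def new_token() -> str:
    """Fresh unguessable value for the state (CSRF) and nonce parameters."""
    return secrets.token_urlsafe(32)


def build_silent_auth_url(authorize_endpoint: str, client_id: str,
                          redirect_uri: str, state: str, nonce: str) -> str:
    """Authorization-code request that must not display any login UI."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": "openid profile email",
        "state": state,
        "nonce": nonce,
        "prompt": "none",  # silent attempt: succeed or fail without UI
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


def classify_callback(callback_url: str, expected_state: str) -> tuple:
    """Decide what the site should do with the redirect back from the IdP.

    Returns ('code', code) to continue the code exchange, ('show_login',
    reason) to fall through to the ordinary login page, or ('reject', reason).
    """
    q = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
    # The state check comes first: an unexpected state is never acted on,
    # whether it carries a code or an error.
    if q.get("state") != expected_state:
        return ("reject", "state mismatch")
    err = q.get("error")
    if err is None and "code" in q:
        return ("code", q["code"])
    if err in SILENT_AUTH_FAILURES:
        return ("show_login", err)
    return ("reject", err or "missing code")
```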

Hi @aspark21

This feature has been included in releases 4.1.7, 4.2.6 and 4.3.4 on 2nd of July 2024. Please check out the latest version of the plugins to test and use this feature.

Regards, Lai

weilai-irl avatar Jul 02 '24 10:07 weilai-irl