MDL-58220 oauth2: Use email as default username

And give better error messages.

auth/oauth2/classes/auth.php

@@ -365,12 +365,12 @@ class auth extends \auth_plugin_base {
         $userinfo = $client->get_userinfo();
 
         if (!$userinfo) {
-            $errormsg = get_string('notloggedin', 'auth_oauth2');
+            $errormsg = get_string('loginerror_nouserinfo', 'auth_oauth2');
             $SESSION->loginerrormsg = $errormsg;
             redirect(new moodle_url($CFG->httpswwwroot . '/login/index.php'));
         }
         if (empty($userinfo['username']) || empty($userinfo['email'])) {
-            $errormsg = get_string('notloggedin', 'auth_oauth2');
+            $errormsg = get_string('loginerror_userincomplete', 'auth_oauth2');
             $SESSION->loginerrormsg = $errormsg;
             redirect(new moodle_url($CFG->httpswwwroot . '/login/index.php'));
         }
@@ -414,7 +414,7 @@ class auth extends \auth_plugin_base {
         }
         $issuer = $client->get_issuer();
         if (!$issuer->is_valid_login_domain($userinfo['email'])) {
-            $errormsg = get_string('notloggedin', 'auth_oauth2');
+            $errormsg = get_string('notloggedindebug', 'auth_oauth2', get_string('loginerror_invaliddomain', 'auth_oauth2'));
             $SESSION->loginerrormsg = $errormsg;
             redirect(new moodle_url($CFG->httpswwwroot . '/login/index.php'));
         }
@@ -448,7 +448,8 @@ class auth extends \auth_plugin_base {
 
                 if (email_is_not_allowed($userinfo['email'])) {
                     // The username exists but the emails don't match. Refuse to continue.
-                    $errormsg = get_string('emailnotallowed', 'auth_oauth2');
+                    $reason = get_string('loginerror_invaliddomain', 'auth_oauth2');
+                    $errormsg = get_string('notloggedindebug', 'auth_oauth2', $reason);
                     $SESSION->loginerrormsg = $errormsg;
                     redirect(new moodle_url($CFG->httpswwwroot . '/login/index.php'));
                 }
@@ -477,7 +478,7 @@ class auth extends \auth_plugin_base {
             $this->update_picture($user);
             redirect($redirecturl);
         }
-        $errormsg = get_string('notloggedin', 'auth_oauth2');
+        $errormsg = get_string('notloggedindebug', 'auth_oauth2', get_string('loginerror_authenticationfailed', 'auth_oauth2'));
         $SESSION->loginerrormsg = $errormsg;
         redirect(new moodle_url($CFG->httpswwwroot . '/login/index.php'));
     }

auth/oauth2/lang/en/auth_oauth2.php

@@ -22,29 +22,27 @@
  * @license   http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
  */
 
+$string['accountexists'] = 'A user already exists on this site with this username. If this is your account, login manually and link this link from your preferences page.';
 $string['auth_oauth2description'] = 'OAuth 2 standards based authentication';
 $string['auth_oauth2settings'] = 'OAuth 2 authentication settings.';
-$string['notloggedin'] = 'The login attempt failed.';
-$string['plugindescription'] = 'This authentication plugin displays a list of the configured identity providers on the moodle login page. Selecting an identity provider allows users to login with their credentials from an OAuth 2 provider.';
-$string['pluginname'] = 'OAuth 2';
-$string['emailconfirmlink'] = 'Link your accounts';
-$string['emailconfirmlinksent'] = '<p>An existing account was found with this email address but it is not linked yet.</p>
-   <p>The accounts must be linked before you can login.</p>
-   <p>An email should have been sent to your address at <b>{$a}</b></p>
-   <p>It contains easy instructions to link your accounts.</p>
-   <p>If you continue to have difficulty, contact the site administrator.</p>';
-$string['oauth2:managelinkedlogins'] = 'Manage own linked login accounts';
-$string['linkedlogins'] = 'Linked logins';
-$string['accountexists'] = 'A user already exists on this site with this username. If this is your account, login manually and link this link from your preferences page.';
-$string['linkedloginshelp'] = 'Help with linked logins.';
-$string['notwhileloggedinas'] = 'Linked logins cannot be managed while logged in as another user.';
-$string['issuer'] = 'OAuth 2 Service';
-$string['info'] = 'External account';
-$string['createnewlinkedlogin'] = 'Link a new account ({$a})';
+$string['confirmaccountemail'] = 'Hi {$a->fullname},
+
+A new account has been requested at \'{$a->sitename}\'
+using your email address.
+
+To confirm your new account, please go to this web address:
+
+{$a->link}
+
+In most mail programs, this should appear as a blue link
+which you can just click on.  If that doesn\'t work,
+then cut and paste the address into the address
+line at the top of your web browser window.
+
+If you need help, please contact the site administrator,
+{$a->admin}';
+$string['confirmaccountemailsubject'] = '{$a}: account confirmation';
 $string['confirmationpending'] = 'This account is pending email confirmation.';
-$string['emailnotallowed'] = 'The email address is not permitted at this site.';
-$string['createaccountswarning'] = 'This authentication plugin allows users to create accounts on your site. You may want to enable the setting "authpreventaccountcreation" if you use this plugin.';
-$string['selfregistrationdisabled'] = 'No matching account could be found on this site, and this site does not allow self registration.';
 $string['confirmlinkedloginemail'] = 'Hi {$a->fullname},
 
 A request has been made to link the {$a->issuername} login
@@ -63,20 +61,24 @@ line at the top of your web browser window.
 If you need help, please contact the site administrator,
 {$a->admin}';
 $string['confirmlinkedloginemailsubject'] = '{$a}: linked login confirmation';
-$string['confirmaccountemail'] = 'Hi {$a->fullname},
-
-A new account has been requested at \'{$a->sitename}\'
-using your email address.
-
-To confirm your new account, please go to this web address:
-
-{$a->link}
-
-In most mail programs, this should appear as a blue link
-which you can just click on.  If that doesn\'t work,
-then cut and paste the address into the address
-line at the top of your web browser window.
-
-If you need help, please contact the site administrator,
-{$a->admin}';
-$string['confirmaccountemailsubject'] = '{$a}: account confirmation';
+$string['createaccountswarning'] = 'This authentication plugin allows users to create accounts on your site. You may want to enable the setting "authpreventaccountcreation" if you use this plugin.';
+$string['createnewlinkedlogin'] = 'Link a new account ({$a})';
+$string['emailconfirmlink'] = 'Link your accounts';
+$string['emailconfirmlinksent'] = '<p>An existing account was found with this email address but it is not linked yet.</p>
+   <p>The accounts must be linked before you can login.</p>
+   <p>An email should have been sent to your address at <b>{$a}</b></p>
+   <p>It contains easy instructions to link your accounts.</p>
+   <p>If you continue to have difficulty, contact the site administrator.</p>';
+$string['info'] = 'External account';
+$string['issuer'] = 'OAuth 2 Service';
+$string['linkedlogins'] = 'Linked logins';
+$string['linkedloginshelp'] = 'Help with linked logins.';
+$string['loginerror_userincomplete'] = 'The user information returned did not contain a username and email address. The OAuth 2 service may be configured incorrectly.';
+$string['loginerror_nouserinfo'] = 'No user information was returned. The OAuth 2 service may be configured incorrectly.';
+$string['loginerror_invaliddomain'] = 'The email address is not allowed at this site.';
+$string['loginerror_authenticationfailed'] = 'The authentication process failed.';
+$string['notloggedindebug'] = 'The login attempt failed. Reason: {$a}';
+$string['notwhileloggedinas'] = 'Linked logins cannot be managed while logged in as another user.';
+$string['oauth2:managelinkedlogins'] = 'Manage own linked login accounts';
+$string['plugindescription'] = 'This authentication plugin displays a list of the configured identity providers on the moodle login page. Selecting an identity provider allows users to login with their credentials from an OAuth 2 provider.';
+$string['pluginname'] = 'OAuth 2';

lib/classes/oauth2/api.php

@@ -107,7 +107,6 @@ class api {
             'name' => 'alternatename',
             'last_name' => 'lastname',
             'email' => 'email',
-            'third_party_id' => 'username',
             'first_name' => 'firstname',
             'picture-data-url' => 'picture',
             'link' => 'url',
@@ -163,8 +162,7 @@ class api {
         $mapping = [
             'givenName' => 'firstname',
             'surname' => 'lastname',
-            'mail' => 'email',
-            'userPrincipalName' => 'username',
+            'userPrincipalName' => 'email',
             'displayName' => 'alternatename',
             'officeLocation' => 'address',
             'mobilePhone' => 'phone1',
@@ -425,7 +423,6 @@ class api {
             'middle_name' => 'middlename',
             'family_name' => 'lastname',
             'email' => 'email',
-            'sub' => 'username',
             'website' => 'url',
             'nickname' => 'alternatename',
             'picture' => 'picture',

lib/classes/oauth2/client.php

@@ -269,6 +269,10 @@ class client extends \oauth2_client {
             }
         }
 
+        if (empty($user->username) && !empty($user->email)) {
+            $user->username = $user->email;
+        }
+
         if (!empty($user->picture)) {
             $user->picture = download_file_content($user->picture, null, null, false, 10, 10, true, null, false);
         } else {