Merge branch 'MDL-59512-master' of git://github.com/Dagefoerde/moodle

2025-01-19 14:27:22 +01:00 · 2017-11-21 11:13:30 +01:00 · 2017-11-21 11:13:30 +01:00 · eee87c8a24
commit eee87c8a24
parent 4b560e4a8e b323508554
8 changed files with 46 additions and 5 deletions
--- a/admin/tool/oauth2/classes/form/issuer.php
+++ b/admin/tool/oauth2/classes/form/issuer.php
@ -78,6 +78,10 @@ class issuer extends persistent {
        $mform->addRule('clientsecret', get_string('maximumchars', '', 255), 'maxlength', 255, 'client');
        $mform->addHelpButton('clientsecret', 'issuerclientsecret', 'tool_oauth2');

+        // Use basic authentication.
+        $mform->addElement('checkbox', 'basicauth', get_string('usebasicauth', 'tool_oauth2'));
+        $mform->addHelpButton('basicauth', 'usebasicauth', 'tool_oauth2');
+
        // Login scopes.
        $mform->addElement('text', 'loginscopes', get_string('issuerloginscopes', 'tool_oauth2'));
        $mform->addRule('loginscopes', null, 'required', null, 'client');
--- a/admin/tool/oauth2/lang/en/tool_oauth2.php
+++ b/admin/tool/oauth2/lang/en/tool_oauth2.php
@ -95,6 +95,8 @@ $string['systemaccountconnected_help'] = 'System accounts are used to provide ad
 $string['systemaccountconnected'] = 'System account connected';
 $string['systemaccountnotconnected'] = 'System account not connected';
 $string['systemauthstatus'] = 'System account connected';
+$string['usebasicauth'] = 'Authenticate token requests via HTTP headers';
+$string['usebasicauth_help'] = 'Utilize the HTTP Basic authentication scheme when sending client ID and password with a refresh token request. Recommended by the OAuth 2 standard, but may not be available with some issuers.';
 $string['userfieldexternalfield'] = 'External field name';
 $string['userfieldexternalfield_help'] = 'Name of the field provided by the external OAuth system.';
 $string['userfieldinternalfield_help'] = 'Name of the Moodle user field that should be mapped from the external field.';
--- a/lib/classes/oauth2/client.php
+++ b/lib/classes/oauth2/client.php
@ -70,6 +70,7 @@ class client extends \oauth2_client {
        if (empty($returnurl)) {
            $returnurl = new moodle_url('/');
        }
+        $this->basicauth = $issuer->get('basicauth');
        parent::__construct($issuer->get('clientid'), $issuer->get('clientsecret'), $returnurl, $scopes);
    }

@ -177,11 +178,17 @@ class client extends \oauth2_client {
        $refreshtoken = $systemaccount->get('refreshtoken');

        $params = array('refresh_token' => $refreshtoken,
-            'client_id' => $this->issuer->get('clientid'),
-            'client_secret' => $this->issuer->get('clientsecret'),
            'grant_type' => 'refresh_token'
        );

+        if ($this->basicauth) {
+            $idsecret = urlencode($this->issuer->get('clientid')) . ':' . urlencode($this->issuer->get('clientsecret'));
+            $this->setHeader('Authorization: Basic ' . base64_encode($idsecret));
+        } else {
+            $params['client_id'] = $this->issuer->get('clientid');
+            $params['client_secret'] = $this->issuer->get('clientsecret');
+        }
+
        // Requests can either use http GET or POST.
        if ($this->use_http_get()) {
            $response = $this->get($this->token_url(), $params);
--- a/lib/classes/oauth2/issuer.php
+++ b/lib/classes/oauth2/issuer.php
@ -72,6 +72,10 @@ class issuer extends persistent {
                'type' => PARAM_BOOL,
                'default' => false
            ),
+            'basicauth' => array(
+                'type' => PARAM_BOOL,
+                'default' => false
+            ),
            'scopessupported' => array(
                'type' => PARAM_RAW,
                'null' => NULL_ALLOWED,
--- a/lib/db/install.xml
+++ b/lib/db/install.xml
@ -3514,6 +3514,7 @@
        <FIELD NAME="scopessupported" TYPE="text" NOTNULL="false" SEQUENCE="false" COMMENT="The list of scopes this service supports."/>
        <FIELD NAME="enabled" TYPE="int" LENGTH="2" NOTNULL="true" DEFAULT="1" SEQUENCE="false"/>
        <FIELD NAME="showonloginpage" TYPE="int" LENGTH="2" NOTNULL="true" DEFAULT="1" SEQUENCE="false"/>
+        <FIELD NAME="basicauth" TYPE="int" LENGTH="2" NOTNULL="true" DEFAULT="0" SEQUENCE="false" COMMENT="Use HTTP Basic authentication scheme when sending client ID and password"/>
        <FIELD NAME="sortorder" TYPE="int" LENGTH="10" NOTNULL="true" SEQUENCE="false" COMMENT="The defined sort order."/>
        <FIELD NAME="requireconfirmation" TYPE="int" LENGTH="2" NOTNULL="true" DEFAULT="1" SEQUENCE="false"/>
      </FIELDS>
--- a/lib/db/upgrade.php
+++ b/lib/db/upgrade.php
@ -2811,5 +2811,20 @@ function xmldb_main_upgrade($oldversion) {
    // Automatically generated Moodle v3.4.0 release upgrade line.
    // Put any upgrade step following this.

+    if ($oldversion < 2017111300.011) {
+
+        // Define field basicauth to be added to oauth2_issuer.
+        $table = new xmldb_table('oauth2_issuer');
+        $field = new xmldb_field('basicauth', XMLDB_TYPE_INTEGER, '2', null, XMLDB_NOTNULL, null, '0', 'showonloginpage');
+
+        // Conditionally launch add field basicauth.
+        if (!$dbman->field_exists($table, $field)) {
+            $dbman->add_field($table, $field);
+        }
+
+        // Main savepoint reached.
+        upgrade_main_savepoint(true, 2017111300.011);
+    }
+
    return true;
 }
--- a/lib/oauthlib.php
+++ b/lib/oauthlib.php
@ -403,6 +403,8 @@ abstract class oauth2_client extends curl {
    private $mocknextresponse = '';
    /** @var array $upgradedcodes list of upgraded codes in this request */
    private static $upgradedcodes = [];
+    /** @var bool basicauth */
+    protected $basicauth = false;

    /**
     * Returns the auth url for OAuth 2.0 request
@ -542,12 +544,18 @@ abstract class oauth2_client extends curl {
    public function upgrade_token($code) {
        $callbackurl = self::callback_url();
        $params = array('code' => $code,
-            'client_id' => $this->clientid,
-            'client_secret' => $this->clientsecret,
            'grant_type' => 'authorization_code',
            'redirect_uri' => $callbackurl->out(false),
        );

+        if ($this->basicauth) {
+            $idsecret = urlencode($this->clientid) . ':' . urlencode($this->clientsecret);
+            $this->setHeader('Authorization: Basic ' . base64_encode($idsecret));
+        } else {
+            $params['client_id'] = $this->clientid;
+            $params['client_secret'] = $this->clientsecret;
+        }
+
        // Requests can either use http GET or POST.
        if ($this->use_http_get()) {
            $response = $this->get($this->token_url(), $params);
--- a/version.php
+++ b/version.php
@ -29,7 +29,7 @@

 defined('MOODLE_INTERNAL') || die();

-$version  = 2017111300.01;              // YYYYMMDD      = weekly release date of this DEV branch.
+$version  = 2017111300.011;              // YYYYMMDD      = weekly release date of this DEV branch.
                                        //         RR    = release increments - 00 in DEV branches.
                                        //           .XX = incremental changes.