This has been generated running the following Sniff,
part of Moodle's CodeSniffer standard:
- PSR2.Methods.MethodDeclaration
It just ensures all the function declarations have
the correct order for:
- abstract and final.
- visibility (public, protected, private).
- static.
So, all the lines modified by this commit are function declarations
and the only changes are in the positions of those keywords.
Instead of creating the endpoints manually, and fetching the user info
from several endpoints, which also necessitates the use of a custom
client subclass, use the OpenId configuration endpoint to auto-configure
endpoints, and then use the userinfo endpoint to fetch user info.
The *.png files in pix/f folder have been removed, so their references
need to be updated to use the proper SVG file or a different icon, as
happened with logo_uri for oauth2 services.
The apiBase in .well-known/badgeconnect.json was ignored and it was
causing some failures when connecting or sending badges to an
external backpack.
For OBv2.1, it has been changed to always use the apiBase defined
in the badgeconnect.json backpack provider.
This makes it possible to share a single activity to a MoodleNet
instance (which has been enabled for sharing in site admin).
This utilises the core\moodlenet\activity_packager to create an
activity backup, then sends it using the MoodleNet create resource
API specification.
Originally implemented as MDL-75932
Simple JSON reader which takes an issuer and reads its metadata. The
class is aware of request-centric rules, such as:
- The position of the well known suffix in the URL (per RFC8414)
- The requirement to have HTTPS auth server issuer URL
- The validity of query strings, paths and fragments in the auth server
issuer URL
but makes no attempt to validate the config JSON returned.
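As an added illustration of the issuer-URL rules listed above (example code, not Moodle's own reader), this checks the HTTPS scheme and the absence of query/fragment components, then inserts the well-known suffix between host and path as RFC 8414 specifies. The function names validate_issuer_url() and build_metadata_url() are assumptions.

```php
<?php
// Added example, not Moodle code. Assumed names: validate_issuer_url(), build_metadata_url().

/**
 * Returns null when the issuer URL is acceptable, otherwise a reason it is not.
 * RFC 8414 section 2: the issuer is an https URL with no query or fragment.
 */
function validate_issuer_url(string $issuer): ?string {
    $parts = parse_url($issuer);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return 'Issuer is not an absolute URL';
    }
    if (strtolower($parts['scheme']) !== 'https') {
        return 'Issuer must use the https scheme';
    }
    if (isset($parts['query']) || isset($parts['fragment'])) {
        return 'Issuer must not contain a query string or fragment';
    }
    return null;
}

/**
 * Builds the metadata URL with the well-known suffix between host and path
 * (RFC 8414 section 3): https://host/issuer1 becomes
 * https://host/.well-known/<suffix>/issuer1. A trailing "/" on the issuer path
 * is dropped first, and an empty path simply yields https://host/.well-known/<suffix>.
 */
function build_metadata_url(string $issuer, string $suffix = 'oauth-authorization-server'): string {
    if (($error = validate_issuer_url($issuer)) !== null) {
        throw new InvalidArgumentException($error);
    }
    $parts = parse_url($issuer);
    $base = $parts['scheme'] . '://' . $parts['host']
        . (isset($parts['port']) ? ':' . $parts['port'] : '');
    $path = rtrim($parts['path'] ?? '', '/');
    return $base . '/.well-known/' . $suffix . $path;
}

// Constructed sample issuers.
echo build_metadata_url('https://example.com/issuer1'), "\n";
echo build_metadata_url('https://example.com'), "\n";
echo validate_issuer_url('http://example.com/issuer?x=1'), "\n";
```

Note that OpenID Connect discovery appends its suffix to the path instead; the commit above is about the RFC 8414 placement.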
After user creation, the system must call an update function to update profile_fields_*.
We also provided two functions in user/profile/lib.php to make them available from other areas.
We added PHP unit testing for new public functions and
the Behat tests for custom profile fields with locked and unlocked statuses.
Co-authored-by: Matt Porritt <matt.porritt@moodle.com>
Update oauth2 to allow mapping of provider attributes against
user profile fields. Fields can also be locked to prevent
user changes.
Co-Authored-By: Michael Milette <michael.milette@tngconsulting.ca>
The method already loaded the validated persistent model data on the
previous line, there's no need to do it again (while also trying to
load unvalidated properties).
This patch should fix a regression introduced in MDL-75171, raised
while running the OBv2.1 certification.
The new method get_raw_userinfo() can return stdClass or false but
the second one was not taken into account from get_userid() (so an
error was thrown: "Argument 1 passed to
core\oauth2\client::map_userinfo_to_fields() must be an instance
of stdClass, bool given").
In cases where we have an id, load the persistent and then set new data
before saving. This ensures we don't delete fields which are missing in
the form data.
There is an issue with the current Badgr manifest because the image
URL contains double slash which is causing an error when storing it
in the database (https://api.test.badgr.com/static//images/logo.png).
This issue parses image URL and removes multiple slashes in URL.
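An added example (not Moodle's own fix) of the normalisation the commit above describes: the path component is rebuilt with runs of slashes collapsed while the "://" after the scheme, the query string and the fragment are left untouched. The function name collapse_url_slashes() is an assumption.

```php
<?php
// Added example, not Moodle code. Assumed name: collapse_url_slashes().

/**
 * Collapses repeated slashes in the path of an absolute URL. Only the path is
 * rewritten, so the scheme separator and any query/fragment survive unchanged.
 */
function collapse_url_slashes(string $url): string {
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        // Not an absolute URL: there is no scheme separator to protect.
        return preg_replace('#/{2,}#', '/', $url);
    }
    $path = preg_replace('#/{2,}#', '/', $parts['path'] ?? '');
    $userinfo = '';
    if (isset($parts['user'])) {
        $userinfo = $parts['user'] . (isset($parts['pass']) ? ':' . $parts['pass'] : '') . '@';
    }
    return $parts['scheme'] . '://' . $userinfo . $parts['host']
        . (isset($parts['port']) ? ':' . $parts['port'] : '')
        . $path
        . (isset($parts['query']) ? '?' . $parts['query'] : '')
        . (isset($parts['fragment']) ? '#' . $parts['fragment'] : '');
}

// The manifest URL shape quoted in the commit message above.
echo collapse_url_slashes('https://api.test.badgr.com/static//images/logo.png'), "\n";
// Constructed sample showing that the query string is preserved.
echo collapse_url_slashes('https://example.com//a///b?x=1//2'), "\n";
```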
When the OAuth2 issuer doesn't have any userinfo endpoint, a call to
$this->get(false) was done, which was returning "The URL is
blocked".
This is a regression from MDL-70649, which added some cURL security
checks.
Create a new profile field type, move all existing content of the fields
'icq', 'skype', 'aim', 'yahoo', 'msn' and 'url' in the mdl_user table to
these new profile fields if needed.
AMOS BEGIN
MOV [aimid,core],[aimid,courseimage,profilefield_social]
MOV [yahooid,core],[yahooid,profilefield_social]
MOV [skypeid,core],[skypeid,profilefield_social]
MOV [icqnumber,core],[icqnumber,profilefield_social]
MOV [msnid,core],[msnid,profilefield_social]
MOV [webpage,core],[webpage,profilefield_social]
AMOS END
In MDL-70689, Eloy and Helen suggested some fixes to improve this patch.
As this is a followup issue to move the pending services, this
very first commit will fix pending things raised in the parent issue.
IMS OBv2.1 services have a registration endpoint to get client id
and secret.
This patch adds and implements the "register" method for the IMS
Open Badges Connect discovery system, to get the proper client id
and secret values.
In order to make it easier to create and maintain new OAuth2 services,
a couple of classes have been added:
- discovery\* contains methods related to the discovery system. Until
now, only OpenID Connect was supported by Moodle so all the code was
centralised in api.php.
With this patch, as IMS OBv2.1 has a different discovery system, a new
abstract class (base_definition) has been added to be called and let
every discovery system (OpenID Connect, IMS Badge Connect...)
implement their own methods.
- service\*. Instead of continuing to add methods to the api, the service
namespace has been created to store all the standard issuer services.
An interface (issuer_interface) has been created and all the services
should implement it.
This patch creates the "IMS OBv2.1" and "Custom" services and moves
the methods for the "Google" service because it uses the OpenID Connect
discovery system.
If the request to the OAuth 2 token endpoint fails show the response
body the endpoint returned with its HTTP status (when debug: DEVELOPER).
If no response is available show any error returned by Curl. Previously
none of this information was available making troubleshooting difficult.
If a token refresh fails in \core\oauth2\refresh_system_tokens_task an
exception is now thrown so that the result is shown as "Fail" on
admin/tasklogs.php?filter=core\oauth2\refresh_system_tokens_task
There was a typo - missing underscore. As a result, the new refresh
token was never updated in the database. Depending on the issuer and
whether or when they invalidate issued refresh tokens, this might or
might not make the token refresh stop working.
Changes:
- The client can now be instantiated with the new mode enabled.
- A user refresh token will be stored if returned as part of the
authorization_code grant but only if the user is authenticated and only
if the mode is enabled.
- If the mode permits it, attempt to exchange a stored refresh token for
a new access token during login checks, allowing access to continue
across sessions without the need to re-grant consent every time.
- Purge all refresh tokens for a given user, issuer and scope on client
log out. This makes sure logout persists across logins.
The oauth2 standard does not require access tokens to have an
expiration date. This assumes a default validity period of 7 days unless
an explicit expiration date is communicated by the server.
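An added example (not Moodle's client code) covering the two commits above: it takes a token endpoint response, applies the 7-day default when no expires_in is sent, and keeps the refresh token only for the authorization_code grant, only for an authenticated user and only when the persistent mode is enabled. The names process_token_response() and DEFAULT_TOKEN_LIFETIME are assumptions.

```php
<?php
// Added example, not Moodle code. Assumed names: process_token_response(), DEFAULT_TOKEN_LIFETIME.

// Assumed default lifetime (7 days) used when the server sends no expires_in.
const DEFAULT_TOKEN_LIFETIME = 7 * 24 * 60 * 60;

/**
 * Returns the values a client would persist from a token endpoint response:
 * the access token, its absolute expiry, and the refresh token when allowed.
 */
function process_token_response(array $response, string $grant, bool $userauthenticated,
        bool $refreshmode, int $now): array {
    if (empty($response['access_token'])) {
        throw new RuntimeException('Token endpoint response has no access_token');
    }
    // expires_in is optional in OAuth 2, so fall back to the default validity period.
    $lifetime = DEFAULT_TOKEN_LIFETIME;
    if (isset($response['expires_in']) && is_numeric($response['expires_in'])
            && (int) $response['expires_in'] > 0) {
        $lifetime = (int) $response['expires_in'];
    }
    $result = [
        'access_token' => $response['access_token'],
        'expires' => $now + $lifetime,
        'refresh_token' => null,
    ];
    // Store the refresh token only for the authorization_code grant, only for an
    // authenticated user, and only when the persistent-login mode is enabled.
    if ($grant === 'authorization_code' && $userauthenticated && $refreshmode
            && !empty($response['refresh_token'])) {
        $result['refresh_token'] = $response['refresh_token'];
    }
    return $result;
}

// Constructed sample responses and a fixed "now" timestamp.
$now = 1700000000;
$withexpiry = ['access_token' => 'at-1', 'expires_in' => 3600, 'refresh_token' => 'rt-1'];
$withoutexpiry = ['access_token' => 'at-2', 'refresh_token' => 'rt-2'];
var_dump(process_token_response($withexpiry, 'authorization_code', true, true, $now));
var_dump(process_token_response($withoutexpiry, 'authorization_code', true, false, $now));
```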
* New button allows creating a standard issuer for Nextcloud
* Since the endpoint URLs have to be https and Nextcloud relies on the
baseurl to create the endpoints, the baseurl of issuers now has to be
https as well (or empty).
* Google's baseurl was changed to https (there was no reason not to),
whereas Facebook and Microsoft baseurls remain empty.
* When creating a Nextcloud issuer, the baseurl is
required.
* Nextcloud requires the baseurl, therefore a parameter is added to
create_standard_issuer($type, $baseurl = false). That parameter is not
required (or used) for anything but Nextcloud.
* Split the initialisation of default values for issuers, the
creation of the issuer, and the creation of its endpoints. This is
a fix for the following use case:
1. A user creates a standard issuer.
2. She cancels the form.
3. However, the issuer was already created. Thus, the cancel had no
effect.
* The function create_standard_issuer($type) can still be used to create
issuers programmatically if all required data is known beforehand (e.g.,
during upgrade or in tests).