Following MDL-61880 you could turn on "Authenticate token requests via
HTTP headers" but not turn this off again. This change fixes this and
adds a Behat scenario to test that toggling this checkbox is saved
correctly.

Update oauth2 to allow mapping of provider attributes against
user profile fields. Fields can also be locked to prevent
user changes.
Co-Authored-By: Michael Milette <michael.milette@tngconsulting.ca>

Allow email account verification to be disabled for any OAuth2 provider.
Also add clear indications to administrators of the danger of doing so;
this is done by an additional form checkbox.
This patch also reverts MDL-66598

Some fields were being hidden based on whether the service was set up
for internal service use or was a service shown on the login page.
These fields refer to OAuth 2 logins and must be configurable for both
kinds of services.

IMS OBv2.1 services have a registration endpoint to get client id
and secret.
This patch adds and implements the "register" method for the IMS
Open Badges Connect discovery system, to get the proper client id
and secret values.

In order to make it easier to create and maintain new OAuth2 services,
a couple of classes have been added:
- discovery\* contains methods related to the discovery system. Until
now, only OpenID Connect was supported by Moodle so all the code was
centralised in api.php.
With this patch, as IMS OBv2.1 has a different discovery system, a new
abstract class (base_definition) has been added to be called and let
every discovery system (OpenID Connect, IMS Badge Connect...)
implement their own methods.
- service\*. Instead of continually adding methods to the api, the service
namespace has been created to store all the standard issuer services.
An interface (issuer_interface) has been created and all the services
should implement it.
This patch creates the "IMS OBv2.1" and "Custom" services and moves
the methods for "Google" service because it uses the OpenID connect
discovery system.

* Only Facebook, Google, and Microsoft issuers can optionally offer to
require account confirmation via email. We will require email
confirmation for the rest of the issuers.
* New button allows creating a standard issuer for Nextcloud.
* Since the endpoint URLs have to be https and Nextcloud relies on the
baseurl to create the endpoints, the baseurl of issuers now has to be
https as well (or empty).
* Google's baseurl was changed to https (there was no reason not to),
whereas Facebook and Microsoft baseurls remain empty.
* In case of the creation of a nextcloud issuer, the baseurl is
required.
* Nextcloud requires the baseurl, therefore a parameter is added to
create_standard_issuer($type, $baseurl = false). That parameter is not
required (or used) for anything but Nextcloud.
* Split the initialization of default values for issuers, the
creation of the issuer, and the creation of its endpoints. This is
a fix for the following use case:
1. A user creates a standard issuer.
2. She cancels the form.
3. However, the issuer was already created. Thus, the cancel had no
effect.
* The function create_standard_issuer($type) can still be used to create
issuers programmatically if all required data is known beforehand (e.g.,
during upgrade or in tests).

Show the username and email of the connected system account (if it ever requires refreshing, this will help identify the account
to re-authorise).
Part of MDL-58220