This adds support for new language tags in OAuth2's
"Additional Parameters Included in a Login Request"
field. Available tags include:
Tags         Example value
-----------------------------
{lang}       fr
{LANG}       FR
{language}   fr_ca
{LANGUAGE}   FR_CA
{lan-guage}  fr-ca
{LAN-GUAGE}  FR-CA
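As an added illustration of the tag substitution described above (this is example code written for this page, not Moodle's implementation), the following derives all six tag values from one language code and expands them into the issuer's additional login parameters. The assumptions, which are not taken from the commit, are that the setting holds one key=value pair per line, that only the values carry tags, and that the language code is validated before it is substituted so an unexpected value cannot alter the query string.

```python
import re
from urllib.parse import urlencode

# Added example, not Moodle's code: the six tags the commit message lists,
# derived from one language code such as "fr" or "fr_ca".
TAG_RE = re.compile(r"\{(lang|LANG|language|LANGUAGE|lan-guage|LAN-GUAGE)\}")
# Assumed shape of a language code: a base language plus optional subtags.
LANGUAGE_CODE_RE = re.compile(r"[A-Za-z]{2,3}(?:[_-][A-Za-z0-9]{2,8})*")


def language_tag_values(language: str) -> dict:
    """Map every supported tag to its value for the given language code.

    The code is validated first so that an unexpected value (for example one
    carrying '&' or '=') can never reach the login request unchanged.
    """
    language = language.strip()
    if not LANGUAGE_CODE_RE.fullmatch(language):
        raise ValueError(f"unsupported language code: {language!r}")
    parts = re.split(r"[_-]", language)
    base = parts[0]
    underscored = "_".join(parts)
    hyphenated = "-".join(parts)
    return {
        "{lang}": base.lower(),
        "{LANG}": base.upper(),
        "{language}": underscored.lower(),
        "{LANGUAGE}": underscored.upper(),
        "{lan-guage}": hyphenated.lower(),
        "{LAN-GUAGE}": hyphenated.upper(),
    }


def expand_login_parameters(template: str, language: str) -> dict:
    """Expand tags in an issuer's 'additional parameters' setting.

    Assumption (not taken from Moodle): the setting is one key=value pair per
    line, and only values carry tags. Lines without '=' are ignored.
    """
    values = language_tag_values(language)
    params = {}
    for line in template.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip()] = TAG_RE.sub(lambda m: values[m.group(0)], value.strip())
    return params


def login_query_string(template: str, language: str) -> str:
    """Percent-encode the expanded parameters for appending to the authorization URL."""
    return urlencode(expand_login_parameters(template, language))


if __name__ == "__main__":
    # Constructed sample setting, as an admin might enter it for an issuer.
    setting = "ui_locales={lan-guage}\nlocale={LANGUAGE}\nprompt=consent"
    print(login_query_string(setting, "fr_ca"))
    # → ui_locales=fr-ca&locale=FR_CA&prompt=consent
```

Validating the language code before substitution is the part worth keeping whatever the real parameter format is: the template is admin-controlled, but the language value originates from the user's session, so it should never be able to introduce query separators of its own.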
This patch should fix a regression introduced in MDL-75171, raised
while running the OBv2.1 certification.
The new method get_raw_userinfo() can return stdClass or false but
the second one was not taken into account from get_userid() (so an
error was thrown: "Argument 1 passed to
core\oauth2\client::map_userinfo_to_fields() must be an instance
of stdClass, bool given").
When the OAuth2 issuer has no userinfo endpoint, a call to
$this->get(false) was done, which was returning "The URL is
blocked".
This is a regression from MDL-70649, which added some cURL security
checks.
If the request to the OAuth 2 token endpoint fails, show the response
body the endpoint returned with its HTTP status (when debug: DEVELOPER).
If no response is available, show any error returned by Curl. Previously
none of this information was available, making troubleshooting difficult.
If a token refresh fails in \core\oauth2\refresh_system_tokens_task an
exception is now thrown so that the result is shown as "Fail" on
admin/tasklogs.php?filter=core\oauth2\refresh_system_tokens_task
There was a typo - missing underscore. As a result, the new refresh
token was never updated in the database. Depending on the issuer and
whether or when they invalidate issued refresh tokens, this might or
might not make the token refresh stop working.
Changes:
- The client can now be instantiated with the new mode enabled.
- A user refresh token will be stored if returned as part of the
authorization_code grant but only if the user is authenticated and only
if the mode is enabled.
- If the mode permits it, attempt to exchange a stored refresh token for
a new access token during login checks, allowing access to continue
across sessions without the need to re-grant consent every time.
- Purge all refresh tokens for a given user, issuer and scope on client
log out. This makes sure logout persists across logins.
The OAuth2 standard does not require access tokens to have an
expiration date. This assumes a default validity period of 7 days unless
an explicit expiration date is communicated by the server.
MS makes a big mess of returning scopes from oauth requests. They only return the custom MS scopes like
User.Read and they never return non-MS scopes (like openid, profile, email).
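The token-handling points made across these messages (the troubleshooting detail on a failed token request, the refresh_token key that must be spelled correctly, the per user/issuer/scope refresh token store purged on logout, the 7-day default when the server sends no expiration, and the issuer that echoes back only its own scopes) are pulled together below in one added example. It is illustrative code written for this page, not Moodle's code: the in-memory store, the function names and the scope policy (an empty scope field means "as requested", and openid/profile/email need not be echoed back) are assumptions.

```python
import json
import time

# Added example, not Moodle's code. Default lifetime applied when the token
# response carries no expires_in (the message states 7 days).
DEFAULT_VALIDITY_SECONDS = 7 * 24 * 60 * 60

# Assumption: OIDC scopes an issuer may grant without echoing them in the
# token response (the message names Microsoft as behaving this way).
IMPLICIT_OIDC_SCOPES = {"openid", "profile", "email"}


def parse_token_response(body: str, now=None) -> dict:
    """Turn a token endpoint JSON body into the record to persist.

    Field names follow RFC 6749 section 5.1; 'expires' is an absolute UNIX time.
    """
    now = time.time() if now is None else now
    data = json.loads(body)
    if "access_token" not in data:
        raise ValueError("token response carries no access_token: " + body[:200])
    expires_in = data.get("expires_in")
    if expires_in is None:
        expires_in = DEFAULT_VALIDITY_SECONDS
    record = {
        "access_token": data["access_token"],
        "token_type": data.get("token_type", "Bearer"),
        "expires": now + int(expires_in),
        "scope": data.get("scope", ""),
    }
    # Note the underscore: a typo in this key would silently leave the old
    # refresh token in the store, exactly the failure the commit describes.
    if data.get("refresh_token"):
        record["refresh_token"] = data["refresh_token"]
    return record


def token_is_valid(record: dict, now=None) -> bool:
    """Expired access tokens are treated as absent so a refresh is attempted."""
    now = time.time() if now is None else now
    return record.get("access_token") is not None and record["expires"] > now


def scopes_granted(requested: str, returned: str) -> bool:
    """True when every requested scope was granted.

    Assumed policy: an empty 'scope' means 'identical to the request'
    (RFC 6749 section 5.1) and the OIDC scopes need not be echoed back.
    """
    wanted = set(requested.split()) - IMPLICIT_OIDC_SCOPES
    if not returned.strip():
        return True
    return wanted <= set(returned.split())


class RefreshTokenStore:
    """In-memory stand-in for a refresh token table keyed by user, issuer and scope."""

    def __init__(self):
        self._tokens = {}

    def save(self, userid, issuerid, scope, refresh_token):
        self._tokens[(userid, issuerid, scope)] = refresh_token

    def get(self, userid, issuerid, scope):
        return self._tokens.get((userid, issuerid, scope))

    def purge(self, userid, issuerid, scope):
        """Called on logout so the next login must obtain consent again."""
        self._tokens.pop((userid, issuerid, scope), None)


def describe_token_failure(status, body, curl_error) -> str:
    """Troubleshooting text: response body with its HTTP status, else the transport error."""
    if body:
        return f"token endpoint returned HTTP {status}: {body}"
    return f"no response from token endpoint: {curl_error or 'unknown transport error'}"


if __name__ == "__main__":
    # Constructed sample response with no expires_in and no refresh token.
    record = parse_token_response('{"access_token": "at-1", "token_type": "Bearer"}', now=0)
    print(record["expires"] == DEFAULT_VALIDITY_SECONDS, "refresh_token" in record)
    print(scopes_granted("openid profile email User.Read", "User.Read"))
```

The refresh token store is deliberately keyed by scope as well as user and issuer, so that a logout purge removes exactly the tokens that would otherwise let the session continue across logins for that scope.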