diff --git a/auth/oidc/lang/en/auth_oidc.php b/auth/oidc/lang/en/auth_oidc.php
index 82604f0e3..3504f977e 100644
--- a/auth/oidc/lang/en/auth_oidc.php
+++ b/auth/oidc/lang/en/auth_oidc.php
@@ -154,6 +154,8 @@ $string['settings_section_other_params'] = 'Other parameters';
 $string['authentication_and_endpoints_saved'] = 'Authentication and endpoint settings updated.';
 $string['application_updated'] = 'OpenID Connect application setting was updated.';
+$string['application_updated_azure'] = 'OpenID Connect application setting was updated.
+Azure administrator will need to Provide admin consent and Verify setup again on the Microsoft 365 integration configuration page if "Identity Provider (IdP) Type" or "Client authentication method" settings are updated.';
 $string['event_debug'] = 'Debug message';
diff --git a/auth/oidc/manageapplication.php b/auth/oidc/manageapplication.php
index e5da71341..39d6a947e 100644
--- a/auth/oidc/manageapplication.php
+++ b/auth/oidc/manageapplication.php
@@ -73,37 +73,41 @@ if ($form->is_cancelled()) {
 redirect($url);
 } else if ($fromform = $form->get_data()) {
- // Save idptype.
- set_config('idptype', $fromform->idptype, 'auth_oidc');
-
- // Save clientid.
- set_config('clientid', $fromform->clientid, 'auth_oidc');
-
- // Save tenantnameorguid.
- set_config('tenantnameorguid', $fromform->tenantnameorguid, 'auth_oidc');
-
- // Save clientauthmethod.
+ // Handle odd cases where clientauthmethod is not received.
 if (!isset($fromform->clientauthmethod)) {
 $fromform->clientauthmethod = optional_param('clientauthmethod', AUTH_OIDC_AUTH_METHOD_SECRET, PARAM_INT);
 }
- set_config('clientauthmethod', $fromform->clientauthmethod, 'auth_oidc');
+
+ // Prepare config settings to save.
+ $configstosave = ['idptype', 'clientid', 'tenantnameorguid', 'clientauthmethod', 'authendpoint', 'tokenendpoint'];
 // Depending on the value of clientauthmethod, save clientsecret or (clientprivatekey and clientcert).
 switch ($fromform->clientauthmethod) {
 case AUTH_OIDC_AUTH_METHOD_SECRET:
- set_config('clientsecret', $fromform->clientsecret, 'auth_oidc');
+ $configstosave[] = 'clientsecret';
 break;
 case AUTH_OIDC_AUTH_METHOD_CERTIFICATE:
- set_config('clientprivatekey', $fromform->clientprivatekey, 'auth_oidc');
- set_config('clientcert', $fromform->clientcert, 'auth_oidc');
+ $configstosave[] = 'clientprivatekey';
+ $configstosave[] = 'clientcert';
 break;
 }
- // Save endpoints.
- set_config('authendpoint', $fromform->authendpoint, 'auth_oidc');
- set_config('tokenendpoint', $fromform->tokenendpoint, 'auth_oidc');
+ // Save config settings.
+ foreach ($configstosave as $config) {
+ $existingsetting = get_config('auth_oidc', $config);
+ if ($fromform->$config != $existingsetting) {
+ set_config($config, $fromform->$config, 'auth_oidc');
+ add_to_config_log($config, $existingsetting, $fromform->$config, 'auth_oidc');
+ }
+ }
- redirect($url, get_string('application_updated', 'auth_oidc'));
+ // Redirect message depend on IdP type.
+ if ($fromform->idptype == AUTH_OIDC_IDP_TYPE_OTHER) {
+ redirect($url, get_string('application_updated', 'auth_oidc'));
+ } else {
+ $localo365configurl = new moodle_url('/admin/settings.php', ['section' => 'local_o365']);
+ redirect($url, get_string('application_updated_azure', 'auth_oidc', $localo365configurl->out()));
+ }
 }
 echo $OUTPUT->header();
diff --git a/local/o365/classes/observers.php b/local/o365/classes/observers.php
index 45b4c3218..ce828bacd 100644
--- a/local/o365/classes/observers.php
+++ b/local/o365/classes/observers.php
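Review bot: The new save loop calls `add_to_config_log($config, $existingsetting, $fromform->$config, 'auth_oidc')` for every key in `$configstosave`, so with the secret or certificate method the plaintext old and new `clientsecret` / `clientprivatekey` are written to the config change log (and, if core's helper also copies the values into the `config_log_created` event payload that the observers hunk consumes, into the log store as well). Core's password settings mask these values before logging; doing the same here keeps the change record without the credential, e.g. `$issecret = in_array($config, ['clientsecret', 'clientprivatekey'], true);` followed by `add_to_config_log($config, $issecret ? '********' : $existingsetting, $issecret ? '********' : $fromform->$config, 'auth_oidc');`. Separately, the else branch passes `$localo365configurl->out()` as the `$a` argument of `application_updated_azure`, but the string added in the lang hunk contains no `{$a}` placeholder, so the link to the local_o365 settings page is never shown. The loop's `!=` against `get_config()`, which returns `false` for an unset key, also treats a submitted `'0'` for a previously unset setting as unchanged and skips saving it; `!==` with an explicit `false` check would be more precise.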
@@ -841,20 +841,37 @@ public static function handle_config_log_created(config_log_created $event) : bo
 $eventdata = $event->get_data();
- // If Azure app is changed, all tokens need to be deleted.
- if ($eventdata['other']['plugin'] == 'auth_oidc' && $eventdata['other']['name'] == 'clientid') {
- // Clear local_o365_token table.
- $DB->delete_records('local_o365_token');
-
- // Clear auth_oidc_token table.
- $DB->delete_records('auth_oidc_token');
-
- // Delete delta user token, and force a user sync task run.
- unset_config('local_o365', 'task_usersync_lastdeltatoken');
- if ($usersynctask = $DB->get_record('task_scheduled',
- ['component' => 'local_o365', 'classname' => '\local_o365\task\usersync'])) {
- $usersynctask->nextruntime = time();
- $DB->update_record('task_scheduled', $usersynctask);
+ if ($eventdata['other']['plugin'] == 'auth_oidc') {
+ switch ($eventdata['other']['name']) {
+ case 'clientid':
+ // Clear local_o365_token table.
+ $DB->delete_records('local_o365_token');
+
+ // Clear auth_oidc_token table.
+ $DB->delete_records('auth_oidc_token');
+
+ // Clear local_o365_connections table.
+ $DB->delete_records('local_o365_connections');
+
+ // Clear user records in local_o365_objects table.
+ $DB->delete_records('local_o365_objects', ['type' => 'user']);
+
+ // Delete delta user token, and force a user sync task run.
+ unset_config('local_o365', 'task_usersync_lastdeltatoken');
+ if ($usersynctask = $DB->get_record('task_scheduled',
+ ['component' => 'local_o365', 'classname' => '\local_o365\task\usersync'])) {
+ $usersynctask->nextruntime = time();
+ $DB->update_record('task_scheduled', $usersynctask);
+ }
+
+ // No call to "break;" on purpose.
+ case 'idptype':
+ case 'clientauthmethod':
+ // If client ID, IdP type, or authentication method has changed, unset token and verify setup results.
+ // Azure admin needs to set up again.
+ unset_config('apptokens', 'local_o365');
+ unset_config('adminconsent', 'local_o365');
+ unset_config('azuresetupresult', 'local_o365');
 }
 }
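Review bot: `unset_config('local_o365', 'task_usersync_lastdeltatoken')` in the `clientid` case has its arguments inverted relative to the three `unset_config('…', 'local_o365')` calls below it; if `unset_config($name, $plugin)` is the signature, the delta token is never cleared and the forced user sync continues from a delta link obtained under the old application instead of the full resync the comment describes. It should read `unset_config('task_usersync_lastdeltatoken', 'local_o365');`. The line was carried over from the removed code, so the defect predates this commit, but it now sits in the rewritten block next to the new connection and object cleanup that makes a complete resync matter. The deliberate fall-through from `case 'clientid'` into `idptype`/`clientauthmethod` is commented, which is good; handle_config_log_created begins before the hunk and its return lies after it. Changes to `tenantnameorguid`, `authendpoint` or `tokenendpoint` (now also logged by the manageapplication change) still leave existing tokens and the admin-consent state untouched; whether tokens issued under the previous endpoints should survive such a change is worth confirming.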