Merge branch 'wip-89656-m311' into MOODLE_311_STABLE
# Conflicts:
#	auth/oidc/classes/loginflow/base.php
weilai-irl committed Feb 27, 2023
2 parents 9775bd4 + 43fb449 commit 5a2ffa9
Showing 2 changed files with 19 additions and 11 deletions.
2 changes: 2 additions & 0 deletions auth/oidc/classes/jwt.php
Expand Up @@ -44,6 +44,7 @@ class jwt {
*
* @param string $encoded Encoded JWT.
* @return array Array of arrays of header and body parameters.
* @throws moodle_exception
*/
public static function decode($encoded) {
if (empty($encoded) || !is_string($encoded)) {
Expand Down Expand Up @@ -103,6 +104,7 @@ public static function decode_jws(string $jwtpayload) {
*
* @param string $encoded The encoded JWT.
* @return jwt A JWT instance.
* @throws moodle_exception
*/
public static function instance_from_encoded($encoded) {
[$header, $body] = static::decode($encoded);
Expand Down
28 changes: 17 additions & 11 deletions auth/oidc/classes/loginflow/base.php
Expand Up @@ -29,6 +29,7 @@
use auth_oidc\jwt;
use auth_oidc\oidcclient;
use core_user;
use moodle_exception;
use stdClass;

defined('MOODLE_INTERNAL') || die();
Expand Down Expand Up @@ -214,7 +215,12 @@ public function get_userinfo($username) {
$tokenames = ['idtoken', 'token'];

foreach ($tokenames as $tokename) {
$token = jwt::instance_from_encoded($tokenrec->$tokename);
try {
$token = jwt::instance_from_encoded($tokenrec->$tokename);
} catch (moodle_exception $e) {
// Error occurred when decoding a token, skip.
continue;
}

if (!isset($userdata['objectId'])) {
$objectid = $token->claim('oid');
Expand Down Expand Up @@ -376,7 +382,7 @@ public function disconnect($justremovetokens = false, $donotremovetokens = false

// We need either the user's previous method or the manual login plugin to be enabled for disconnection.
if (empty($prevauthmethod) && is_enabled_auth('manual') !== true) {
throw new \moodle_exception('errornodisconnectionauthmethod', 'auth_oidc');
throw new moodle_exception('errornodisconnectionauthmethod', 'auth_oidc');
}

// Check to see if the user has a username created by OIDC, or a self-created username.
Expand All @@ -399,18 +405,18 @@ public function disconnect($justremovetokens = false, $donotremovetokens = false
} else if ($fromform = $mform->get_data()) {
if (empty($fromform->newmethod) || ($fromform->newmethod !== $prevauthmethod &&
$fromform->newmethod !== 'manual')) {
throw new \moodle_exception('errorauthdisconnectinvalidmethod', 'auth_oidc');
throw new moodle_exception('errorauthdisconnectinvalidmethod', 'auth_oidc');
}

$updateduser = new stdClass;

if ($fromform->newmethod === 'manual') {
if (empty($fromform->password)) {
throw new \moodle_exception('errorauthdisconnectemptypassword', 'auth_oidc');
throw new moodle_exception('errorauthdisconnectemptypassword', 'auth_oidc');
}
if ($customdata['canchooseusername'] === true) {
if (empty($fromform->username)) {
throw new \moodle_exception('errorauthdisconnectemptyusername', 'auth_oidc');
throw new moodle_exception('errorauthdisconnectemptyusername', 'auth_oidc');
}

if (strtolower($fromform->username) !== $userrec->username) {
Expand All @@ -419,7 +425,7 @@ public function disconnect($justremovetokens = false, $donotremovetokens = false
if ($DB->record_exists('user', $usercheck) === false) {
$updateduser->username = $newusername;
} else {
throw new \moodle_exception('errorauthdisconnectusernameexists', 'auth_oidc');
throw new moodle_exception('errorauthdisconnectusernameexists', 'auth_oidc');
}
}
}
Expand All @@ -441,7 +447,7 @@ public function disconnect($justremovetokens = false, $donotremovetokens = false
try {
user_update_user($updateduser);
} catch (\Exception $e) {
throw new \moodle_exception($e->errorcode, '', $selfurl);
throw new moodle_exception($e->errorcode, '', $selfurl);
}

// Delete token data.
Expand Down Expand Up @@ -492,7 +498,7 @@ protected function get_oidcclient() {
}

if (!auth_oidc_is_setup_complete()) {
throw new \moodle_exception('errorauthnocredsandendpoints', 'auth_oidc');
throw new moodle_exception('errorauthnocredsandendpoints', 'auth_oidc');
}

$clientid = (isset($this->config->clientid)) ? $this->config->clientid : null;
Expand Down Expand Up @@ -523,12 +529,12 @@ protected function process_idtoken($idtoken, $orignonce = '') {
$sub = $idtoken->claim('sub');
if (empty($sub)) {
\auth_oidc\utils::debug('Invalid idtoken', 'base::process_idtoken', $idtoken);
throw new \moodle_exception('errorauthinvalididtoken', 'auth_oidc');
throw new moodle_exception('errorauthinvalididtoken', 'auth_oidc');
}
$receivednonce = $idtoken->claim('nonce');
if (!empty($orignonce) && (empty($receivednonce) || $receivednonce !== $orignonce)) {
\auth_oidc\utils::debug('Invalid nonce', 'base::process_idtoken', $idtoken);
throw new \moodle_exception('errorauthinvalididtoken', 'auth_oidc');
throw new moodle_exception('errorauthinvalididtoken', 'auth_oidc');
}

// Use 'oid' if available (Azure-specific), or fall back to standard "sub" claim.
Expand Down Expand Up @@ -648,7 +654,7 @@ protected function createtoken($oidcuniqid, $username, $authparams, $tokenparams

// We should not fail here (idtoken was verified earlier to at least contain 'sub', but just in case...).
if (empty($oidcusername)) {
throw new \moodle_exception('errorauthinvalididtoken', 'auth_oidc');
throw new moodle_exception('errorauthinvalididtoken', 'auth_oidc');
}

// Cleanup old invalid token with the same oidcusername.
Expand Down
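Review bot: The new catch in get_userinfo drops the moodle_exception without leaving any trace, so a stored idtoken or token that no longer decodes is skipped silently and the condition cannot be diagnosed from the logs; the file already routes such diagnostics through `\auth_oidc\utils::debug(...)` (see the process_idtoken hunk further down). Before the `continue`, add `\auth_oidc\utils::debug('Could not decode stored token', 'base::get_userinfo', $tokename);`, passing the token name rather than `$tokenrec->$tokename` so the raw credential is never written to the debug output (the visible calls pass an object as the third argument; confirm it accepts a string). The comment `// Error occurred when decoding a token, skip.` should also say why skipping is acceptable, e.g. `// A stored token that no longer decodes cannot supply claims; skip it so the other token is still tried.` — assuming that is the intent. get_userinfo starts and ends outside the hunk. Separately, the `catch (\Exception $e)` in disconnect reads `$e->errorcode`, which only moodle_exception defines, so any other exception reaching that catch yields an undefined-property read; narrowing it to `catch (moodle_exception $e)` (or guarding with `$e instanceof moodle_exception`) would make that access sound.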

0 comments on commit 5a2ffa9

Please sign in to comment.