Merge branch 'wip-72895-m39' into MOODLE_39_STABLE

* wip-72895-m39: Improve handling of auth_oidc token with unmatched users
microsoft · Mar 23, 2021 · 46672f1 · 46672f1
2 parents 1919942 + 0c58705
commit 46672f1
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 5 deletions.
diff --git a/classes/loginflow/authcode.php b/classes/loginflow/authcode.php
@@ -420,7 +420,10 @@ protected function handlelogin($oidcuniqid, $authparams, $tokenparams, $idtoken)
                 // Existing token record, but missing the user ID.
                 $user = $DB->get_record('user', ['username' => $tokenrec->username]);
                 if (empty($user)) {
-                    throw new \moodle_exception('exception_tokenemptyuserid', 'auth_oidc', null, null, 3);
+                    // Token exists, but it doesn't have a valid username.
+                    // In this case, delete the token, and try to process login again.
+                    $DB->delete_records('auth_oidc_token', ['id' => $tokenrec->id]);
+                    return $this->handlelogin($oidcuniqid, $authparams, $tokenparams, $idtoken);
                 }
                 $tokenrec->userid = $user->id;
                 $DB->update_record('auth_oidc_token', $tokenrec);
@@ -429,10 +432,12 @@ protected function handlelogin($oidcuniqid, $authparams, $tokenparams, $idtoken)
                 $user = $DB->get_record('user', ['id' => $tokenrec->userid]);
                 if (empty($user)) {
                     $failurereason = AUTH_LOGIN_NOUSER;
-                    $eventdata = ['other' => ['username' => $user->username, 'reason' => $failurereason]];
+                    $eventdata = ['other' => ['username' => $tokenrec->username, 'reason' => $failurereason]];
                     $event = \core\event\user_login_failed::create($eventdata);
                     $event->trigger();
-                    throw new \moodle_exception('errorauthloginfailednouser', 'auth_oidc', null, null, '1');
+                    // Token is invalid, delete it.
+                    $DB->delete_records('auth_oidc_token', ['id' => $tokenrec->id]);
+                    return $this->handlelogin($oidcuniqid, $authparams, $tokenparams, $idtoken);
                 }
             }
             $username = $user->username;

diff --git a/lang/en/auth_oidc.php b/lang/en/auth_oidc.php
@@ -134,7 +134,6 @@
 $string['eventuserconnected'] = 'User connected to OpenID Connect';
 $string['eventuserloggedin'] = 'User Logged In with OpenID Connect';
 $string['eventuserdisconnected'] = 'User disconnected from OpenID Connect';
-$string['exception_tokenemptyuserid'] = 'The existing token for this user does not contain a valid user ID. Please contact your administrator.';
 
 $string['oidc:manageconnection'] = 'Allow OpenID Connection and Disconnection';
 $string['oidc:manageconnectionconnect'] = 'Allow OpenID Connection';

diff --git a/lang/fr/auth_oidc.php b/lang/fr/auth_oidc.php
@@ -119,7 +119,6 @@
 $string['eventuserconnected'] = 'Utilisateur connecté à OpenID Connect';
 $string['eventuserloggedin'] = 'Utilisateur identifié avec OpenID Connect';
 $string['eventuserdisconnected'] = 'Utilisateur déconnecté d\'OpenID Connect';
-$string['exception_tokenemptyuserid'] = 'Le jeton existant pour cet utilisateur ne contient pas un ID utilisateur valide. Veuillez contacter votre administrateur.';
 
 $string['oidc:manageconnection'] = 'Permettre la connexion et la déconnexion OpenID';
 $string['oidc:manageconnectionconnect'] = 'Permettre la connexion OpenID';