From 0c5870598de8acb97d324747a6f3a84fbd14acb9 Mon Sep 17 00:00:00 2001
From: Lai Wei
Date: Tue, 9 Mar 2021 14:30:18 +0000
Subject: [PATCH] Improve handling of auth_oidc token with unmatched users
---
 classes/loginflow/authcode.php | 11 ++++++++---
 lang/en/auth_oidc.php | 1 -
 lang/fr/auth_oidc.php | 1 -
 3 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/classes/loginflow/authcode.php b/classes/loginflow/authcode.php
index 4fc15d7..b9251db 100644
--- a/classes/loginflow/authcode.php
+++ b/classes/loginflow/authcode.php
@@ -420,7 +420,10 @@ protected function handlelogin($oidcuniqid, $authparams, $tokenparams, $idtoken)
 // Existing token record, but missing the user ID.
 $user = $DB->get_record('user', ['username' => $tokenrec->username]);
 if (empty($user)) {
- throw new \moodle_exception('exception_tokenemptyuserid', 'auth_oidc', null, null, 3);
+ // Token exists, but it doesn't have a valid username.
+ // In this case, delete the token, and try to process login again.
+ $DB->delete_records('auth_oidc_token', ['id' => $tokenrec->id]);
+ return $this->handlelogin($oidcuniqid, $authparams, $tokenparams, $idtoken);
 }
 $tokenrec->userid = $user->id;
 $DB->update_record('auth_oidc_token', $tokenrec);
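Review bot: Nothing is recorded before the stale token row is deleted in the `empty($user)` branch, whereas the equivalent branch in the next hunk fires `user_login_failed` first; an administrator investigating why a token disappeared, or why a login that previously failed closed with `exception_tokenemptyuserid` now proceeds, has no trace to go on. Triggering the same event here (with `'username' => $tokenrec->username` and a reason of `AUTH_LOGIN_NOUSER`) before `$DB->delete_records(...)` keeps the two branches consistent and auditable. The retry also quietly changes the outcome from fail-closed to a re-run of the fresh-identity path, so whatever account matching or creation `handlelogin` does for an unseen token now happens automatically for a stale row — presumably intended, but worth a sentence in the comment, e.g. `// After deletion the retry treats this identity as never seen, so the normal first-login matching applies.` The added comment `// Token exists, but it doesn't have a valid username.` is also misleading, since the row does carry a username and it is the matching user that is missing. `handlelogin` begins and ends outside this hunk.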
@@ -429,10 +432,12 @@ protected function handlelogin($oidcuniqid, $authparams, $tokenparams, $idtoken)
 $user = $DB->get_record('user', ['id' => $tokenrec->userid]);
 if (empty($user)) {
 $failurereason = AUTH_LOGIN_NOUSER;
- $eventdata = ['other' => ['username' => $user->username, 'reason' => $failurereason]];
+ $eventdata = ['other' => ['username' => $tokenrec->username, 'reason' => $failurereason]];
 $event = \core\event\user_login_failed::create($eventdata);
 $event->trigger();
- throw new \moodle_exception('errorauthloginfailednouser', 'auth_oidc', null, null, '1');
+ // Token is invalid, delete it.
+ $DB->delete_records('auth_oidc_token', ['id' => $tokenrec->id]);
+ return $this->handlelogin($oidcuniqid, $authparams, $tokenparams, $idtoken);
 }
 }
 $username = $user->username;
diff --git a/lang/en/auth_oidc.php b/lang/en/auth_oidc.php
index 56b3f48..a42ffc7 100644
--- a/lang/en/auth_oidc.php
+++ b/lang/en/auth_oidc.php
@@ -132,7 +132,6 @@
 $string['eventuserconnected'] = 'User connected to OpenID Connect';
 $string['eventuserloggedin'] = 'User Logged In with OpenID Connect';
 $string['eventuserdisconnected'] = 'User disconnected from OpenID Connect';
-$string['exception_tokenemptyuserid'] = 'The existing token for this user does not contain a valid user ID. Please contact your administrator.';
 $string['oidc:manageconnection'] = 'Allow OpenID Connection and Disconnection';
 $string['oidc:manageconnectionconnect'] = 'Allow OpenID Connection';
diff --git a/lang/fr/auth_oidc.php b/lang/fr/auth_oidc.php
index 5c4055f..0c7b01b 100644
--- a/lang/fr/auth_oidc.php
+++ b/lang/fr/auth_oidc.php
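Review bot: The `user_login_failed` event is still triggered with `AUTH_LOGIN_NOUSER` even though the code now deletes the token and re-runs `handlelogin`, so a successful retry leaves a failed-login event followed by a login for the same username in the log, and detection rules keyed on that event will count a self-healed stale token as a failure. Either move the event to a path that actually ends in failure, or mark it, e.g. `'other' => ['username' => $tokenrec->username, 'reason' => $failurereason, 'tokendeleted' => true]` if the event accepts extra `other` keys (constructed key name). Swapping `$user->username` for `$tokenrec->username` is the right fix here, since `$user` is empty at that point. The delete-and-retry sequence is now duplicated between this hunk and the previous one; a small private helper that deletes the row and re-enters `handlelogin` would keep the retry semantics in one place and make any later recursion guard a single change. `handlelogin` begins and ends outside this hunk.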
@@ -119,7 +119,6 @@
 $string['eventuserconnected'] = 'Utilisateur connecté à OpenID Connect';
 $string['eventuserloggedin'] = 'Utilisateur identifié avec OpenID Connect';
 $string['eventuserdisconnected'] = 'Utilisateur déconnecté d\'OpenID Connect';
-$string['exception_tokenemptyuserid'] = 'Le jeton existant pour cet utilisateur ne contient pas un ID utilisateur valide. Veuillez contacter votre administrateur.';
 $string['oidc:manageconnection'] = 'Permettre la connexion et la déconnexion OpenID';
 $string['oidc:manageconnectionconnect'] = 'Permettre la connexion OpenID';