MSFTMPP-697: Update code getting OIDC tokens via username to use userid

microsoft · Oct 28, 2018 · 7fb5c8c · 7fb5c8c
1 parent 0f8bcee
commit 7fb5c8c
Show file tree

Hide file tree

Showing 6 changed files with 19 additions and 8 deletions.
diff --git a/auth.php b/auth.php
@@ -178,7 +178,16 @@ public function user_authenticated_hook(&$user, $username, $password) {
         global $DB;
         if (!empty($user) && !empty($user->auth) && $user->auth === 'oidc') {
             $tokenrec = $DB->get_record('auth_oidc_token', ['userid' => $user->id]);
-            if (empty($tokenrec)) {
+            if (!empty($tokenrec)) {
+                // If the token record username is out of sync (ie username changes), update it.
+                if ($tokenrec->username != $user->username) {
+                    $updatedtokenrec = new \stdClass;
+                    $updatedtokenrec->id = $tokenrec->id;
+                    $updatedtokenrec->username = $user->username;
+                    $DB->update_record('auth_oidc_token', $updatedtokenrec);
+                    $tokenrec = $updatedtokenrec;
+                }
+            } else {
                 // There should always be a token record here, so a failure here means
                 // the user's token record doesn't yet contain their userid.
                 $tokenrec = $DB->get_record('auth_oidc_token', ['username' => $username]);

diff --git a/classes/loginflow/authcode.php b/classes/loginflow/authcode.php
@@ -301,7 +301,7 @@ protected function handlemigration($oidcuniqid, $authparams, $tokenparams, $idto
         }
 
         // Check if Moodle user is already connected to an OIDC user.
-        $tokenrec = $DB->get_record('auth_oidc_token', ['username' => $USER->username]);
+        $tokenrec = $DB->get_record('auth_oidc_token', ['userid' => $USER->id]);
         if (!empty($tokenrec)) {
             if ($tokenrec->oidcuniqid === $oidcuniqid) {
                 // Already connected to current user.

diff --git a/classes/loginflow/base.php b/classes/loginflow/base.php
@@ -177,7 +177,7 @@ public function disconnect($justremovetokens = false, $donotremovetokens = false
 
         if ($justremovetokens === true) {
             // Delete token data.
-            $DB->delete_records('auth_oidc_token', ['username' => $userrec->username]);
+            $DB->delete_records('auth_oidc_token', ['userid' => $userrec->id]);
             $eventdata = ['objectid' => $userrec->id, 'userid' => $userrec->id];
             $event = \auth_oidc\event\user_disconnected::create($eventdata);
             $event->trigger();
@@ -210,7 +210,7 @@ public function disconnect($justremovetokens = false, $donotremovetokens = false
             // Check to see if the user has a username created by OIDC, or a self-created username.
             // OIDC-created usernames are usually very verbose, so we'll allow them to choose a sensible one.
             // Otherwise, keep their existing username.
-            $oidctoken = $DB->get_record('auth_oidc_token', ['username' => $userrec->username]);
+            $oidctoken = $DB->get_record('auth_oidc_token', ['userid' => $userrec->id]);
             $ccun = (isset($oidctoken->oidcuniqid) && strtolower($oidctoken->oidcuniqid) === $userrec->username) ? true : false;
             $customdata = [
                 'canchooseusername' => $ccun,
@@ -276,7 +276,7 @@ public function disconnect($justremovetokens = false, $donotremovetokens = false
 
                 // Delete token data.
                 if (empty($fromform->donotremovetokens)) {
-                    $DB->delete_records('auth_oidc_token', ['username' => $origusername]);
+                    $DB->delete_records('auth_oidc_token', ['userid' => $userrec->id]);
 
                     $eventdata = ['objectid' => $userrec->id, 'userid' => $userrec->id];
                     $event = \auth_oidc\event\user_disconnected::create($eventdata);

diff --git a/classes/privacy/provider.php b/classes/privacy/provider.php
@@ -49,6 +49,7 @@ public static function get_metadata(collection $collection): collection {
             'auth_oidc_token' => [
                 'oidcuniqid',
                 'username',
+                'userid',
                 'oidcusername',
                 'scope',
                 'resource',
@@ -137,7 +138,7 @@ public static function delete_data_for_user(approved_contextlist $contextlist) {
     protected static function get_table_user_map(\stdClass $user): array {
         $tables = [
             'auth_oidc_prevlogin' => ['userid' => $user->id],
-            'auth_oidc_token' => ['username' => $user->username],
+            'auth_oidc_token' => ['userid' => $user->id],
         ];
         return $tables;
     }

diff --git a/lang/en/auth_oidc.php b/lang/en/auth_oidc.php
@@ -132,6 +132,7 @@
 $string['privacy:metadata:auth_oidc_token'] = 'Information about OpenID Connect tokens for users';
 $string['privacy:metadata:auth_oidc_token:oidcuniqid'] = 'The OIDC unique user identifier.';
 $string['privacy:metadata:auth_oidc_token:username'] = 'The username of the Moodle user';
+$string['privacy:metadata:auth_oidc_token:userid'] = 'The user ID of the Moodle user';
 $string['privacy:metadata:auth_oidc_token:oidcusername'] = 'The username of the OIDC user';
 $string['privacy:metadata:auth_oidc_token:scope'] = 'The scope of the token';
 $string['privacy:metadata:auth_oidc_token:resource'] = 'The resource of the token';

diff --git a/ucp.php b/ucp.php
@@ -29,7 +29,7 @@
 
 $action = optional_param('action', null, PARAM_TEXT);
 
-$oidctoken = $DB->get_record('auth_oidc_token', ['username' => $USER->username]);
+$oidctoken = $DB->get_record('auth_oidc_token', ['userid' => $USER->id]);
 $oidcconnected = (!empty($oidctoken)) ? true : false;
 
 $oidcloginconnected = ($USER->auth === 'oidc') ? true : false;
@@ -104,4 +104,4 @@
     echo \html_writer::end_div();
 
     echo $OUTPUT->footer();
-}
+}