Skip to content

Commit

Permalink
MSFTMPP-765: Improve resiliency of auth_oidc_token userid linking
Browse files Browse the repository at this point in the history
  • Loading branch information
@jamesmcq
jamesmcq committed Jul 29, 2019
1 parent 199a24c commit 9778577
Show file tree
Hide file tree
Showing 3 changed files with 22 additions and 10 deletions.
27 changes: 19 additions & 8 deletions classes/loginflow/authcode.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -416,15 +416,18 @@ protected function handlelogin($oidcuniqid, $authparams, $tokenparams, $idtoken)
$tokenrec = $DB->get_record('auth_oidc_token', ['oidcuniqid' => $oidcuniqid]);
if (!empty($tokenrec)) {
// Already connected user.

if (empty($tokenrec->userid)) {
// ERROR.
echo 'ERROR1';die();
// ERROR1
throw new \moodle_exception('exception_tokenemptyuserid', 'auth_oidc');
}
$user = $DB->get_record('user', ['id' => $tokenrec->userid]);
if (empty($user)) {
// ERROR.
echo 'ERROR2';die();
// ERROR2
$failurereason = AUTH_LOGIN_NOUSER;
$eventdata = ['other' => ['username' => $username, 'reason' => $failurereason]];
$event = \core\event\user_login_failed::create($eventdata);
$event->trigger();
throw new \moodle_exception('errorauthloginfailednouser', 'auth_oidc', null, null, '1');
}
$username = $user->username;
$this->updatetoken($tokenrec->id, $authparams, $tokenparams);
Expand Down Expand Up @@ -473,14 +476,22 @@ protected function handlelogin($oidcuniqid, $authparams, $tokenparams, $idtoken)
$user = authenticate_user_login($username, null, true);

if (!empty($user)) {
$tokenrec = $DB->get_record('auth_oidc_token', ['id' => $tokenrec->id]);
// This should be already done in auth_plugin_oidc::user_authenticated_hook, but just in case...
if (!empty($tokenrec) && empty($tokenrec->userid)) {
$updatedtokenrec = new \stdClass;
$updatedtokenrec->id = $tokenrec->id;
$updatedtokenrec->userid = $user->id;
$DB->update_record('auth_oidc_token', $updatedtokenrec);
}
complete_user_login($user);
return true;
} else {
// There was a problem in authenticate_user_login. Clean up incomplete token record.
if (!empty($tokenrec)) {
throw new \moodle_exception('errorlogintoconnectedaccount', 'auth_oidc', null, null, '2');
} else {
throw new \moodle_exception('errorauthloginfailednouser', 'auth_oidc', null, null, '2');
$DB->delete_records('auth_oidc_token', ['id' => $tokenrec->id]);
}
throw new \moodle_exception('errorauthgeneral', 'auth_oidc', null, null, '2');
}

return true;
Expand Down
4 changes: 2 additions & 2 deletions classes/observers.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -37,8 +37,8 @@ class observers {
*/
public static function handle_user_deleted(\core\event\user_deleted $event) {
global $DB;
$eventdata = $event->get_data();
$DB->delete_records('auth_oidc_token', ['username' => $eventdata['other']['username']]);
$userid = $event->objectid;
$DB->delete_records('auth_oidc_token', ['userid' => $userid]);
return true;
}
}
1 change: 1 addition & 0 deletions lang/en/auth_oidc.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -120,6 +120,7 @@
$string['eventuserconnected'] = 'User connected to OpenID Connect';
$string['eventuserloggedin'] = 'User Logged In with OpenID Connect';
$string['eventuserdisconnected'] = 'User disconnected from OpenID Connect';
$string['exception_tokenemptyuserid'] = 'The existing token for this user does not contain a valid user ID. Please contact your administrator.';

$string['oidc:manageconnection'] = 'Allow OpenID Connection and Disconnection';
$string['oidc:manageconnectionconnect'] = 'Allow OpenID Connection';
Expand Down

0 comments on commit 9778577

Please sign in to comment.