MSFTMPP-115: Provide users a way to connect to Office365 without chan…

…ging their authentication method in Moodle

classes/oidcclient.php

@@ -114,7 +114,7 @@ public function get_endpoint($endpoint) {
      *
      * @return array Array of request parameters.
      */
-    protected function getauthrequestparams($promptlogin = false) {
+    protected function getauthrequestparams($promptlogin = false, array $stateparams = array()) {
         $nonce = 'N'.uniqid();
         $params = [
             'response_type' => 'code',
@@ -123,7 +123,7 @@ protected function getauthrequestparams($promptlogin = false) {
             'nonce' => $nonce,
             'response_mode' => 'form_post',
             'resource' => 'https://graph.windows.net',
-            'state' => $this->getnewstate($nonce),
+            'state' => $this->getnewstate($nonce, $stateparams),
         ];
         if ($promptlogin === true) {
             $params['prompt'] = 'login';
@@ -134,23 +134,25 @@ protected function getauthrequestparams($promptlogin = false) {
     /**
      * Generate a new state parameter.
      *
+     * @param string $nonce The generated nonce value.
      * @return string The new state value.
      */
-    protected function getnewstate($nonce) {
+    protected function getnewstate($nonce, array $stateparams = array()) {
         global $DB;
         $staterec = new \stdClass;
         $staterec->sesskey = sesskey();
         $staterec->state = random_string(15);
         $staterec->nonce = $nonce;
         $staterec->timecreated = time();
+        $staterec->additionaldata = serialize($stateparams);
         $DB->insert_record('auth_oidc_state', $staterec);
         return $staterec->state;
     }
 
     /**
      * Perform an authorization request by redirecting resource owner's user agent to auth endpoint.
      */
-    public function authrequest($promptlogin = false) {
+    public function authrequest($promptlogin = false, array $stateparams = array()) {
         global $DB;
         if (empty($this->clientid)) {
             throw new \moodle_exception('erroroidcclientnocreds', 'auth_oidc');
@@ -160,7 +162,7 @@ public function authrequest($promptlogin = false) {
             throw new \moodle_exception('erroroidcclientnoauthendpoint', 'auth_oidc');
         }
 
-        $params = $this->getauthrequestparams($promptlogin);
+        $params = $this->getauthrequestparams($promptlogin, $stateparams);
         $redirecturl = new \moodle_url($this->endpoints['auth'], $params);
         redirect($redirecturl);
     }

db/install.xml

@@ -11,6 +11,7 @@
         <FIELD NAME="state" TYPE="char" LENGTH="15" NOTNULL="true" SEQUENCE="false" COMMENT="random state"/>
         <FIELD NAME="nonce" TYPE="char" LENGTH="15" NOTNULL="true" SEQUENCE="false" COMMENT="nonce"/>
         <FIELD NAME="timecreated" TYPE="int" LENGTH="10" NOTNULL="true" SEQUENCE="false" COMMENT="time login initiated"/>
+        <FIELD NAME="additionaldata" TYPE="text" NOTNULL="true" SEQUENCE="false" COMMENT="additional stored parameters"/>
       </FIELDS>
       <KEYS>
         <KEY NAME="primary" TYPE="primary" FIELDS="id"/>

db/upgrade.php

@@ -42,5 +42,14 @@ function xmldb_auth_oidc_upgrade($oldversion) {
         upgrade_plugin_savepoint($result, '2014111703', 'auth', 'oidc');
     }
 
+    if ($result && $oldversion < 2015012702) {
+        $table = new xmldb_table('auth_oidc_state');
+        $field = new xmldb_field('additionaldata', XMLDB_TYPE_TEXT, null, null, XMLDB_NOTNULL, null, null, 'timecreated');
+        if (!$dbman->field_exists($table, $field)) {
+            $dbman->add_field($table, $field);
+        }
+        upgrade_plugin_savepoint($result, '2015012702', 'auth', 'oidc');
+    }
+
     return $result;
 }

lang/en/auth_oidc.php

@@ -95,13 +95,13 @@
 $string['oidc:manageconnection'] = 'Manage OpenID Connect Connection';
 
 $string['ucp_general_intro'] = 'Here you can manage your connection to {$a}. If enabled, you will be able to use your {$a} account to log in to Moodle instead of a separate username and password. Once connected, you\'ll no longer have to remember a username and password for Moodle, all log-ins will be handled by {$a}.';
-$string['ucp_status'] = '{$a} is:';
+$string['ucp_login_start'] = 'Start using {$a} login';
+$string['ucp_login_start_desc'] = 'This will switch your account to use {$a} to log in to Moodle. Once enabled, you will log in using your {$a} credentials - your current Moodle username and password will not work. You can disconnect your account at any time and return to logging in normally.';
+$string['ucp_login_stop'] = 'Stop using {$a} login';
+$string['ucp_login_stop_desc'] = 'You are currently using {$a} to log in to Moodle. Clicking "Stop using {$a} login" will disconnect your Moodle account from {$a}. You will no longer be able to log in to Moodle with your {$a} account. You\'ll be asked to create a username and password, and from then on you will then be able to log in to Moodle directly.';
+$string['ucp_login_status'] = '{$a} login is:';
 $string['ucp_status_enabled'] = 'Enabled';
 $string['ucp_status_disabled'] = 'Disabled';
-$string['ucp_connected_disconnect'] = 'Stop using {$a}';
-$string['ucp_connected_disconnect_details'] = 'Clicking the link above will disconnect your Moodle account from {$a}. You will no longer be able to log in to Moodle with your {$a} account. You\'ll be asked to create a username and password, and from then on you will then be able to log in to Moodle directly.';
 $string['ucp_disconnect_title'] = '{$a} Disconnection';
 $string['ucp_disconnect_details'] = 'This will disconnect your Moodle account from {$a}. You\'ll need to create a username and password to log in to Moodle.';
-$string['ucp_notconnected_start'] = 'Start using {$a}';
-$string['ucp_notconnected_start_details'] = '<b>Note that once connected you must use {$a} to log in</b> - your current username and password will not work. However, you can disconnect your account at any time and return to logging in normally.';
 $string['ucp_title'] = '{$a} Management';

sass/styles.scss

@@ -0,0 +1,13 @@
+.auth_oidc_ucp_indicator {
+	h4 {
+		display: inline-block;
+		margin-right: 0.5rem;
+	}
+	h5 {
+		display: inline-block;
+		margin-left: 0.5rem;
+		+ span {
+			display: block;
+		}
+	}
+}

styles.css

@@ -0,0 +1,8 @@
+.auth_oidc_ucp_indicator h4 {
+  display: inline-block;
+  margin-right: 0.5rem; }
+.auth_oidc_ucp_indicator h5 {
+  display: inline-block;
+  margin-left: 0.5rem; }
+  .auth_oidc_ucp_indicator h5 + span {
+    display: block; }

ucp.php

@@ -29,15 +29,18 @@
 require_capability('auth/oidc:manageconnection', \context_user::instance($USER->id), $USER->id);
 
 $action = optional_param('action', null, PARAM_TEXT);
+
 $oidctoken = $DB->get_record('auth_oidc_token', ['username' => $USER->username]);
 $oidcconnected = (!empty($oidctoken)) ? true : false;
 
+$oidcloginconnected = ($USER->auth === 'oidc') ? true : false;
+
 if (!empty($action)) {
-    if ($action === 'connect' && $oidcconnected === false) {
+    if ($action === 'connectlogin' && $oidcloginconnected === false) {
         $auth = new \auth_plugin_oidc;
         $auth->set_httpclient(new \auth_oidc\httpclient());
         $auth->initiateauthrequest();
-    } else if ($action === 'disconnect' && $oidcconnected === true) {
+    } else if ($action === 'disconnectlogin' && $oidcloginconnected === true) {
         if (is_enabled_auth('manual') === true) {
             $auth = new \auth_plugin_oidc;
             $auth->set_httpclient(new \auth_oidc\httpclient());
@@ -64,36 +67,26 @@
     echo get_string('ucp_general_intro', 'auth_oidc', $opname);
     echo '<br /><br />';
 
-    echo \html_writer::start_div();
-    $style = ['style' => 'display: inline-block; margin-right: 0.5rem;'];
-    echo \html_writer::tag('h4', get_string('ucp_status', 'auth_oidc', $opname), $style);
-    if ($oidcconnected === true) {
-        $style = ['class' => 'notifysuccess', 'style' => 'display: inline-block'];
-        echo \html_writer::tag('h4', get_string('ucp_status_enabled', 'auth_oidc'), $style);
-    } else {
-        $style = ['class' => 'notifyproblem', 'style' => 'display: inline-block'];
-        echo \html_writer::tag('h4', get_string('ucp_status_disabled', 'auth_oidc'), $style);
-    }
-    echo \html_writer::end_div();
-    echo '<br />';
-
-    if ($oidcconnected === true) {
+    // Login status.
+    echo \html_writer::start_div('auth_oidc_ucp_indicator');
+    echo \html_writer::tag('h4', get_string('ucp_login_status', 'auth_oidc', $opname));
+    if ($oidcloginconnected === true) {
+        echo \html_writer::tag('h4', get_string('ucp_status_enabled', 'auth_oidc'), ['class' => 'notifysuccess']);
         if (is_enabled_auth('manual') === true) {
-            echo \html_writer::start_div();
-            $connectlinkuri = new \moodle_url('/auth/oidc/ucp.php', ['action' => 'disconnect']);
-            $strdisconnect = get_string('ucp_connected_disconnect', 'auth_oidc', $opname);
+            $connectlinkuri = new \moodle_url('/auth/oidc/ucp.php', ['action' => 'disconnectlogin']);
+            $strdisconnect = get_string('ucp_login_stop', 'auth_oidc', $opname);
             $linkhtml = \html_writer::link($connectlinkuri, $strdisconnect);
             echo \html_writer::tag('h5', $linkhtml);
-            echo \html_writer::span(get_string('ucp_connected_disconnect_details', 'auth_oidc', $opname));
-            echo \html_writer::end_div();
+            echo \html_writer::span(get_string('ucp_login_stop_desc', 'auth_oidc', $opname));
         }
     } else {
-        echo \html_writer::start_div();
-        $connectlinkuri = new \moodle_url('/auth/oidc/ucp.php', ['action' => 'connect']);
-        $linkhtml = \html_writer::link($connectlinkuri, get_string('ucp_notconnected_start', 'auth_oidc', $opname));
+        echo \html_writer::tag('h4', get_string('ucp_status_disabled', 'auth_oidc'), ['class' => 'notifyproblem']);
+        $connectlinkuri = new \moodle_url('/auth/oidc/ucp.php', ['action' => 'connectlogin']);
+        $linkhtml = \html_writer::link($connectlinkuri, get_string('ucp_login_start', 'auth_oidc', $opname));
         echo \html_writer::tag('h5', $linkhtml);
-        echo \html_writer::span(get_string('ucp_notconnected_start_details', 'auth_oidc', $opname));
-        echo \html_writer::end_div();
+        echo \html_writer::span(get_string('ucp_login_start_desc', 'auth_oidc', $opname));
     }
+    echo \html_writer::end_div();
+
     echo $OUTPUT->footer();
 }

version.php

@@ -23,7 +23,7 @@
 
 defined('MOODLE_INTERNAL') || die();
 
-$plugin->version = 2015012701;
+$plugin->version = 2015012702;
 $plugin->requires = 2014111000;
 $plugin->component = 'auth_oidc';
 $plugin->maturity = MATURITY_STABLE;