Note: You are currently viewing documentation for Moodle 3.4. Up-to-date documentation for the latest stable version of Moodle is likely available here: OAuth 2 authentication.

OAuth 2 authentication

From MoodleDocs

Latest revision as of 19:20, 22 June 2018

Login page with options to log in with an OAuth 2 service

Log in using your account on another site

The OAuth 2 authentication plugin enables users to log in using their Google, Microsoft and/or Facebook account via buttons on the login page.

If account creation is enabled, a new account will be created when a user first logs in. Otherwise, they will be prompted to link the OAuth 2 login to their existing account with the same email address.

Enabling OAuth 2 authentication

To use OAuth 2 authentication, an administrator must first create the required OAuth 2 services.

  1. Go to 'OAuth 2 services' in Site administration > Server and click the button to create a new service.
  2. Follow the instructions in OAuth 2 Google service, OAuth 2 Microsoft service or OAuth 2 Facebook service and obtain a client ID and secret.
  3. Enter the client ID and secret, make sure 'Show on login page' is ticked, then save changes.

New feature in Moodle 3.4: If desired, un-tick the 'Require email verification' box so that no confirmation email is sent. This is useful for institutions using Google for their domain; the Google OAuth provider can be considered trusted for that domain.

Repeat for additional services as desired. For OAuth 2 authentication, there is no need to connect to a system account.

Next:

  1. Go to 'Manage authentication' in Site administration and enable the OAuth 2 authentication plugin.
  2. Optional: In the OAuth 2 settings, lock selected user data fields and save changes.
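
The 'Require email verification' setting described above amounts to a decision to trust the provider's email claim. The following is an added example, not Moodle code, of the checks that make that trust reasonable for a Google-hosted institutional domain; the domain `example.edu`, the function names and the sample records are assumptions, and the claim names (`email`, `email_verified`, `hd`) are those of Google's OpenID Connect userinfo response.

```python
# Added example (not Moodle code): decide whether a provider's email claim
# can be accepted without sending a confirmation email.

TRUSTED_DOMAINS = {"example.edu"}  # assumption: the institution's domain

# Constructed userinfo records, for illustration only.
SAMPLES = [
    {"email": "alice@example.edu", "email_verified": True, "hd": "example.edu"},
    {"email": "bob@example.edu", "email_verified": False, "hd": "example.edu"},
    {"email": "carol@gmail.com", "email_verified": True},
    {"email": "dave@example.edu", "email_verified": True},
    {},
]


def email_claim_trusted(userinfo, trusted_domains=TRUSTED_DOMAINS):
    """Return (trusted, reason) for a userinfo dict from the provider."""
    email = str(userinfo.get("email") or "").strip().lower()
    if email.count("@") != 1:
        return False, "no usable email claim"
    domain = email.rsplit("@", 1)[1]
    # Providers may return the flag as a bool or as the string "true".
    if userinfo.get("email_verified") not in (True, "true"):
        return False, "provider has not verified this address"
    if domain not in trusted_domains:
        return False, "address is outside the institution's domain"
    # 'hd' is present only for accounts that belong to a hosted domain; a
    # consumer account registered with an institutional address lacks it.
    if str(userinfo.get("hd") or "").lower() != domain:
        return False, "account is not managed by the institution's domain"
    return True, "verified address in a provider-managed domain"


def review(samples=SAMPLES):
    """Return [(email, trusted, reason)] for each sample record."""
    out = []
    for info in samples:
        trusted, reason = email_claim_trusted(info)
        out.append((info.get("email"), trusted, reason))
    return out


if __name__ == "__main__":
    for email, trusted, reason in review():
        print(f"{email!s:22} trusted={trusted!s:5} {reason}")
```
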

Preventing new account creation

If you don't want new accounts to be created when users log in with an OAuth 2 service:

  1. Go to 'Site administration' > 'Plugins' > 'Authentication' > 'Manage authentication' and tick the box 'Prevent account creation when authenticating' (authpreventaccountcreation).
  2. Click the 'Save changes' button.

Troubleshooting

On the 'OAuth 2 services' page, there is a red cross for 'Allow login'

To get a green tick for Allow login, edit the OAuth 2 service and make sure that the setting 'Show on login page' is ticked.

I obtain a coding error after enabling OAuth 2 authentication

Have you any OAuth 2 plugins for earlier versions installed on your site? If so, you will need to uninstall them in order to use the standard OAuth 2 authentication.

I obtain an error message when attempting to log in using Facebook

The error message 'The user information returned did not contain a username and email address. The OAuth 2 service may be configured incorrectly.' is most likely because the user's Facebook account was created using a mobile number.

The solution is for the user to first log in to Facebook and add a username and email address there.

I see a "required parameter (code) was missing" error after logging into the OAuth 2 service

The error message 'A required parameter (code) was missing' can be caused by a misconfigured web server. OAuth 2 relies on long tokens passed as URL parameters, and some web server configurations will prevent this from working. See http://www.php.net/manual/en/reserved.variables.get.php#101469 for one possible solution.
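
To help narrow down the 'code was missing' error described above, the following added example (not Moodle code) classifies callback requests found in a web server access log. The callback path, the log format and the sample lines are assumptions and are constructed for illustration; adjust them to your site.

```python
# Added example (not Moodle code): check whether the 'code' parameter was
# present on OAuth 2 callback requests as seen by the web server.
import re
from urllib.parse import urlsplit, parse_qs

CALLBACK_PATH = "/admin/oauth2callback.php"  # assumption: adjust to your site

# Constructed sample lines in common log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [22/Jun/2018:19:20:01 +0000] "GET /admin/oauth2callback.php?state=%2Fauth%2Foauth2%2Flogin.php&code=4%2FAAB-constructed HTTP/1.1" 303 0
203.0.113.9 - - [22/Jun/2018:19:21:10 +0000] "GET /admin/oauth2callback.php HTTP/1.1" 200 512
203.0.113.7 - - [22/Jun/2018:19:22:45 +0000] "GET /admin/oauth2callback.php?error=access_denied&state=x HTTP/1.1" 200 498
203.0.113.8 - - [22/Jun/2018:19:23:02 +0000] "GET /login/index.php HTTP/1.1" 200 9120
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')


def classify_callbacks(log_text, callback_path=CALLBACK_PATH):
    """Return [(status, verdict, url_length)] for each callback request."""
    results = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target, status = match.group(1), int(match.group(2))
        parts = urlsplit(target)
        if parts.path != callback_path:
            continue  # not a callback request
        params = parse_qs(parts.query)
        if "code" in params and "state" in params:
            verdict = "ok"
        elif "error" in params:
            # The provider reported a failure, e.g. the user declined consent.
            verdict = "provider-error:" + params["error"][0]
        elif not parts.query:
            # The request arrived with no query string at all.
            verdict = "query-string-missing"
        else:
            verdict = "code-missing"
        results.append((status, verdict, len(target)))
    return results


if __name__ == "__main__":
    for status, verdict, length in classify_callbacks(SAMPLE_LOG):
        print(status, verdict, f"url_length={length}")
```

If the log shows `ok` for a request that still produced the error, the parameters were lost between the web server and PHP (for example in a rewrite rule); if the log shows `query-string-missing`, they were lost before the request reached the web server, such as at a proxy or redirect.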

I have all green checkmarks on my /admin/tool/oauth2/issuers.php page for Google & Facebook but no buttons show on my server's login page

In a fresh install of Moodle 3.4, the plugin configuration for OAuth 2 was found to be in a disabled state (probably for security reasons). Go to Site administration > Plugins > Authentication > Manage authentication (/admin/settings.php?section=manageauths) and enable the record for OAuth 2, then optionally adjust the settings for that record.