OAuth2 Services
Note: This page is a work-in-progress. Feedback and suggested improvements are welcome. Please join the discussion on moodle.org or use the page comments.
OAuth 2 Services
Moodle 3.3
Moodle 3.3 adds support for OAuth 2 services in core which can be used by any plugins to provide authenticated access to external services either as the current user, or using a system account.
OAuth 2 services are used for example, to provide a "Login using Google/Microsoft/Facebook" feature on the login page, and then to share that authenticated session with repositories like Google Drive and Office 365 without having to re-authenticate.
OAuth 2 services can be used by plugins even if they do not use them on the login page, and it's possible to login to multiple services at the same time.
Login
The steps required to enable login using an OAuth 2 service are:
1. Create the OAuth 2 Service using the administration page at "Site administration -> Server -> OAuth 2 Services". There are templates available to create a pre-configured OAuth 2 service for Google, Office 365 and Facebook or you can manually enter all the required details for a custom OAuth 2 service.
2. Register a new application with the OAuth 2 Service provider. Instructions for how to do this with Google, Office 365 and Facebook are listed below.
3. Enter the Client ID and Secret into the configuration page for the OAuth 2 service in Moodle.
4. Enable the OAuth 2 Authentication module.
Open ID Connect
Open ID Connect is a standard for OAuth 2 login services that makes it easier to setup a working login system. If the service you are setting up is Open ID Connect compliant, you will only have to enter the base url for the service, and Moodle will discover all the other information required by requesting the "discovery document" which is expected to exist at <issuer base url>/.well-known/openid-configuration.
How do I get a clientid and secret?
The client ID and secret are created outside of Moodle when setting up the OAuth provider. Instructions for prominent OAuth 2 providers are linked here.
Setup App In Microsoft
To setup an OAuth 2 client with Microsoft, first we need to login to the [Microsoft Application Console] and create a new app.
Note: If you have previously registered Applications with an older API your Application Console may look different. In this case you should create a new "Converged Application".
Choose a good name as this is what is shown to users when they are asked to approve the permissions.
Next you have to add a platform to your application.
Choose "Web platform"
Uncheck the "Allow Implicit Flow" checkbox and set the callback URL. The callback URL should point to "your Moodle site URL + /admin/oauth2callback.php". If your Moodle site was available at https://lemon.edu/ the callback URL would be https://lemon.edu/admin/oauth2callback.php. It is important that your Moodle site uses https and not http. Microsoft will not allow the callback url if it is not using https.
Make sure the "Microsoft Graph Permissions" section contains the "User.Read" permission.
Set the options for the consent screen.
Save all the details and then generate a new password.
Enter the password in Moodle as the "Client secret" and the Application ID as the "Client id".
Setup App in Facebook
To setup an OAuth 2 client with Facebook, first we need to login to the [Facebook for Developers Apps page] and create a new app.
Enter the name for the new App and choose a category (Education?).
Go to the app basic settings and set the app icon, and the URLs to your privacy policy and terms of service.
Add the "Facebook Login" product to the app.
Configure the OAuth settings. Set the callback URL to "your site url + /admin/oauth2callback.php". If your moodle site is available at https://lemon.edu/ then the callback URL should be set to "https://lemon.edu/admin/oauth2callback.php". Enable the Web OAuth Login but for best security disable all other types of login.
Go to App Review and make your App public.
Finally go to the basic settings and get the App ID and App secret and enter them in Moodle as the Client ID and Client Secret.