Note:

If you want to create a new page for developers, you should create it on the Moodle Developer Resource site.

OAuth2 Services: Difference between revisions

From MoodleDocs
No edit summary
m (Note about intent to not migrate this page to moodledev.io)
 
(14 intermediate revisions by one other user not shown)
Line 1: Line 1:
{{Template:WillNotMigrate}}
{{Template:Work in progress}}
{{Template:Work in progress}}
= OAuth 2 Services =
= OAuth 2 Services =
Line 16: Line 17:
1. Create the OAuth 2 Service using the administration page at "Site administration -> Server -> OAuth 2 Services". There are templates available to create a pre-configured OAuth 2 service for Google, Office 365 and Facebook or you can manually enter all the required details for a custom OAuth 2 service.
1. Create the OAuth 2 Service using the administration page at "Site administration -> Server -> OAuth 2 Services". There are templates available to create a pre-configured OAuth 2 service for Google, Office 365 and Facebook or you can manually enter all the required details for a custom OAuth 2 service.


2. Register a new application with the OAuth 2 Service provider. Instructions for how to do this with Google / Office 365 and Facebook are listed below.
2. Register a new application with the OAuth 2 Service provider. Instructions for how to do this with Google, Office 365 and Facebook are listed below.


3. Enter the Client ID and Secret into the configuration page for the OAuth 2 service in Moodle.
3. Enter the Client ID and Secret into the configuration page for the OAuth 2 service in Moodle.
Line 26: Line 27:
Open ID Connect is a standard for OAuth 2 login services that makes it easier to setup a working login system. If the service you are setting up is Open ID Connect compliant, you will only have to enter the base url for the service, and Moodle will discover all the other information required by requesting the "discovery document" which is expected to exist at <issuer base url>/.well-known/openid-configuration.  
Open ID Connect is a standard for OAuth 2 login services that makes it easier to setup a working login system. If the service you are setting up is Open ID Connect compliant, you will only have to enter the base url for the service, and Moodle will discover all the other information required by requesting the "discovery document" which is expected to exist at <issuer base url>/.well-known/openid-configuration.  


=== Setup Project In Google ===
=== How do I get a clientid and secret? ===


To setup an OAuth 2 client with Google, first we need to login to the [[https://console.developers.google.com/ Google Developers Console]] and create a new project.
The client ID and secret are created outside of Moodle when setting up the OAuth provider. Instructions for prominent OAuth 2 providers are linked here.


Create a new project using the menu at the top of the page.
* [[OAuth2_Services_Setup_Project_In_Google|Setup Project In Google]]
 
* [[OAuth2_Services_Setup_Project_In_Microsoft|Setup Project In Microsoft]]
[[File:google-1-create-new.png|none|frame|Create new project]]
* [[OAuth2_Services_Setup_Project_In_Facebook|Setup Project In Facebook]]
 
* [[OAuth2_Services_Setup_Project_In_LinkedIn|Setup Project In LinkedIn]]
Call the new project whatever you like, this name is not shown to users when they are asked to authorise this application.
 
[[File:google-2-create-new-modal.png|none|frame|Name the project]]
 
Select "credentials" from the menu on the left.
 
[[File:google-3-credentials.png|none|frame|Switch to credentials page]]
 
Setup the consent screen for your application. This is where you provide the public information that is shown to users when they are asked to authorise your application. Setting a product name is the minimum information that is required, but the more information you provide here - the more confidence users will have when granting this authorisation.
 
[[File:google-4-consent.png|none|frame|Setup consent screen]]
 
Now you can create some client credentials. Switch to the credentials tab and create a new OAuth client ID.
 
[[File:google-5-oauth-credentials.png|none|frame|Create an OAuth Client ID]]
 
Setup the credentials for a Web Application. The most important setting here is to set the callback URL. This must be set to "your moodle site url + /admin/oauth2callback.php". If your moodle site was accessible at https://lemon.edu/ then this callback URL should be set to https://lemon.edu/admin/oauth2callback.php
 
[[File:google-6-web-application-credentials.png|none|frame|Set the callback URL]]
 
When you have saved the information on this page, Google will give you the client ID and client secret that you need to enter into Moodle.
 
[[File:google-7-oauth-details.png|none|frame|Got my secrets!]]
 
=== Setup Project In Microsoft ===
 
To setup  an OAuth 2 client with Microsoft, first we need to login to the [[https://apps.dev.microsoft.com/#/appList Microsoft Application Console]] and create a new app.
 
[[Image:microsoft-1-create-new.png|none|frame|Create new project]]
 
Choose a good name as this is what is shown to users when they are asked to approve the permissions.
 
[[File:microsoft-2-name-it.png|none|frame|Name it]]
 
Next you have to add a platform to your application.
 
[[File:microsoft-3-add-platform.png|none|frame|Add platform]]
 
Choose "Web platform"
 
[[File:microsoft-3.1-web-platform.png|none|frame|Web platform]]
 
Uncheck the "Allow Implicit Flow" checkbox and set the callback URL. The callback URL should point to "your Moodle site URL + /admin/oauth2callback.php". If your Moodle site was available at https://lemon.edu/ the callback URL would be https://lemon.edu/admin/oauth2callback.php. It is important that your Moodle site uses https and not http. Microsoft will not allow the callback url if it is not using https.
 
[[File:microsoft-4-platform-settings.png|none|frame|Platform settings]]
 
Make sure the "Microsoft Graph Permissions" section contains the "User.Read" permission.
 
[[File:microsoft-5-permissions.png|none|frame|Permissions]]
 
Set the options for the consent screen.
 
[[File:microsoft-6-consent.png|none|frame|Consent]]
 
Save all the details and then generate a new password.
 
[[File:microsoft-7-new-password.png|none|frame|Generate a new password]]
 
Enter the password in Moodle as the "Client secret" and the Application ID as the "Client id".
 
[[File:microsoft-8-got-it.png|none|frame|Got it]]

Latest revision as of 16:05, 30 April 2024


Warning: This page is no longer in use. The information contained on the page should NOT be seen as relevant or reliable.


Note: This page is a work-in-progress. Feedback and suggested improvements are welcome. Please join the discussion on moodle.org or use the page comments.

OAuth 2 Services

Moodle 3.3


Moodle 3.3 adds support for OAuth 2 services in core which can be used by any plugins to provide authenticated access to external services either as the current user, or using a system account.

OAuth 2 services are used for example, to provide a "Login using Google/Microsoft/Facebook" feature on the login page, and then to share that authenticated session with repositories like Google Drive and Office 365 without having to re-authenticate.

OAuth 2 services can be used by plugins even if they do not use them on the login page, and it's possible to login to multiple services at the same time.


Login

The steps required to enable login using an OAuth 2 service are:

1. Create the OAuth 2 Service using the administration page at "Site administration -> Server -> OAuth 2 Services". There are templates available to create a pre-configured OAuth 2 service for Google, Office 365 and Facebook or you can manually enter all the required details for a custom OAuth 2 service.

2. Register a new application with the OAuth 2 Service provider. Instructions for how to do this with Google, Office 365 and Facebook are listed below.

3. Enter the Client ID and Secret into the configuration page for the OAuth 2 service in Moodle.

4. Enable the OAuth 2 Authentication module.

Open ID Connect

Open ID Connect is a standard for OAuth 2 login services that makes it easier to setup a working login system. If the service you are setting up is Open ID Connect compliant, you will only have to enter the base url for the service, and Moodle will discover all the other information required by requesting the "discovery document" which is expected to exist at <issuer base url>/.well-known/openid-configuration.

How do I get a clientid and secret?

The client ID and secret are created outside of Moodle when setting up the OAuth provider. Instructions for prominent OAuth 2 providers are linked here.