Potential LTI duplicating accounts with parent auth

Bug #1943772 reported by Robert Lyon
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Mahara | Fix Released | High | Robert Lyon | |
| 20.10 | Fix Released | High | Unassigned | |
| 21.04 | Fix Released | High | Unassigned | |
| 21.10 | Fix Released | High | Unassigned | |
| 22.04 | Fix Released | High | Robert Lyon | |

Bug Description

There is a problem in module_lti_launch.php when using SAML as the parent auth.

If a person does not exist, they are created via the create_user() function. This function checks whether the auth method they are created with needs a remote username and, if so, adds a row to the "auth_remote_user" table too.

Then module_lti_launch.php creates a row in the "auth_remote_user" table for the parent auth (SAML) if the auth method has a parent auth.

So we end up with 2 rows.

But the problem is that when we have a parent auth (SAML), we pass in the parent authinstance id to be the one saved in the "usr" table.
So we end up with both rows being connected to the parent auth, because we pass in the parent authinstance id when creating the person.

When we then log in again via LTI, it finds the person by email and updates the "auth_remote_user" table, but this time adds the row correctly with the LTI authinstance id.

So we end up with 3 rows, but we should only have two.

What we should do is: if the LTI auth instance has a parent auth and that parent auth allows adding to the remote table, add that one first, via create_user(), then add the one for LTI.
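
An added example, not part of the bug report or Mahara's own code: an audit, run here against an in-memory SQLite table, that lists accounts holding more than one "auth_remote_user" row under the parent auth instance, which is the state the description above ends up in. The column names (authinstance, remoteusername, localusr), the instance ids and the sample rows are assumptions constructed for illustration.

```python
import sqlite3

# Assumed, simplified schema: only the columns this check needs.
SCHEMA = """CREATE TABLE auth_remote_user (
    authinstance INTEGER NOT NULL,
    remoteusername TEXT NOT NULL,
    localusr INTEGER NOT NULL,
    PRIMARY KEY (authinstance, remoteusername))"""

# Constructed rows. Instance 1 = SAML parent, instance 2 = LTI.
SAMPLE_ROWS = [
    (1, "alice@idp.example", 10),  # account 10: after a second LTI login,
    (1, "lti-7f3a", 10),           # two rows under the parent ...
    (2, "lti-7f3a", 10),           # ... plus the LTI row = 3 rows
    (1, "bob@idp.example", 11),    # account 11: expected state, 2 rows
    (2, "lti-91c2", 11),
    (1, "carol@idp.example", 12),  # account 12: after the first login only
    (1, "lti-55d0", 12),
]

AUDIT_SQL = """
SELECT localusr,
       SUM(CASE WHEN authinstance = :parent THEN 1 ELSE 0 END) AS parent_rows,
       SUM(CASE WHEN authinstance = :lti THEN 1 ELSE 0 END) AS lti_rows
FROM auth_remote_user
WHERE authinstance IN (:parent, :lti)
GROUP BY localusr
HAVING SUM(CASE WHEN authinstance = :parent THEN 1 ELSE 0 END) > 1
ORDER BY localusr"""


def build_db(rows):
    """Load rows into an in-memory database using the assumed schema."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.executemany("INSERT INTO auth_remote_user VALUES (?, ?, ?)", rows)
    return db


def audit(db, lti_instance, parent_instance):
    """Map localusr -> (parent_rows, lti_rows) for accounts holding more
    than one remote-username row under the parent auth instance."""
    params = {"parent": parent_instance, "lti": lti_instance}
    return {usr: (p, l) for usr, p, l in db.execute(AUDIT_SQL, params)}


if __name__ == "__main__":
    for usr, counts in audit(build_db(SAMPLE_ROWS), 2, 1).items():
        print(f"localusr={usr} parent_rows={counts[0]} lti_rows={counts[1]}")
```

Accounts it returns are candidates for review, since an account may hold a second remote username under the same instance for other reasons.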

Robert Lyon (robertl-9) wrote :
description: updated
Changed in mahara:
milestone: none → 21.10.0
assignee: nobody → Robert Lyon (robertl-9)
importance: Undecided → High
status: New → In Progress
Mahara Bot (dev-mahara) wrote : A patch has been submitted for review

Patch for "main" branch: https://reviews.mahara.org/12128

Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/12128
Committed: https://git.mahara.org/mahara/mahara/commit/ec27a6d715c0d015c94e3ec3d0bada974886bbb8
Submitter: Robert Lyon (<email address hidden>)
Branch: main

commit ec27a6d715c0d015c94e3ec3d0bada974886bbb8
Author: Robert Lyon <email address hidden>
Date: Wed Sep 15 17:31:33 2021 +1200

Bug 1943772: LTI not setting the auth_remote_user value correctly

On first login when auth method has a parent auth method that also
sets the auth_remote_user table

Change-Id: I22bd1110e34bb3e605b990724ce99cb1a6ccd3cb
Signed-off-by: Robert Lyon <email address hidden>

Mahara Bot (dev-mahara) wrote : A patch has been submitted for review

Patch for "21.10_DEV" branch: https://reviews.mahara.org/12361

Mahara Bot (dev-mahara) wrote :

Patch for "21.04_DEV" branch: https://reviews.mahara.org/12362

Mahara Bot (dev-mahara) wrote :

Patch for "20.10_DEV" branch: https://reviews.mahara.org/12363

Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/12362
Committed: https://git.mahara.org/mahara/mahara/commit/845a99d509e814b28120c45c3560f80f1001d7ee
Submitter: Robert Lyon (<email address hidden>)
Branch: 21.04_DEV

commit 845a99d509e814b28120c45c3560f80f1001d7ee
Author: Robert Lyon <email address hidden>
Date: Wed Sep 15 17:31:33 2021 +1200

Bug 1943772: LTI not setting the auth_remote_user value correctly

On first login when auth method has a parent auth method that also
sets the auth_remote_user table

Change-Id: I22bd1110e34bb3e605b990724ce99cb1a6ccd3cb
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit ec27a6d715c0d015c94e3ec3d0bada974886bbb8)

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/12361
Committed: https://git.mahara.org/mahara/mahara/commit/80adffa9c10aba4d605a8d66890c2836bf01cb7f
Submitter: Robert Lyon (<email address hidden>)
Branch: 21.10_DEV

commit 80adffa9c10aba4d605a8d66890c2836bf01cb7f
Author: Robert Lyon <email address hidden>
Date: Wed Sep 15 17:31:33 2021 +1200

Bug 1943772: LTI not setting the auth_remote_user value correctly

On first login when auth method has a parent auth method that also
sets the auth_remote_user table

Change-Id: I22bd1110e34bb3e605b990724ce99cb1a6ccd3cb
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit ec27a6d715c0d015c94e3ec3d0bada974886bbb8)

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/12363
Committed: https://git.mahara.org/mahara/mahara/commit/a3747ab45e4bc91c218e94269fa60ef243e03950
Submitter: Robert Lyon (<email address hidden>)
Branch: 20.10_DEV

commit a3747ab45e4bc91c218e94269fa60ef243e03950
Author: Robert Lyon <email address hidden>
Date: Wed Sep 15 17:31:33 2021 +1200

Bug 1943772: LTI not setting the auth_remote_user value correctly

On first login when auth method has a parent auth method that also
sets the auth_remote_user table

Change-Id: I22bd1110e34bb3e605b990724ce99cb1a6ccd3cb
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit ec27a6d715c0d015c94e3ec3d0bada974886bbb8)

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/c/mahara/+/13161
Committed: https://git.mahara.org/mahara/mahara/commit/97447a21ffc7165af0f7075c2e49cca8d51447d9
Submitter: "Robert Lyon <email address hidden>"
Branch: main

commit 97447a21ffc7165af0f7075c2e49cca8d51447d9
Author: Robert Lyon <email address hidden>
Date: Tue Sep 13 08:49:49 2022 +1200

Bug 1989388: Allow 'lis_person_sourcedid' to be recorded as a remoteusername

And record it as remoteusername to the parentauth
This is because moodle can send the moodle ID as remoteauth name not
the username from the remote IdP that ties everything together

Also tidy up LTI_Advantage to be like LTI
- See Bug 1943772, commit ec27a6d715c0d015c94e3ec3d0bada974886bbb8

Change-Id: Icbc3bc4511d9cb3b1fb12103f76f5d67539224e3
Signed-off-by: Robert Lyon <email address hidden>

Mahara Bot (dev-mahara) wrote : A patch has been submitted for review

Patch for "22.10_DEV" branch: https://reviews.mahara.org/c/mahara/+/13288

Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/c/mahara/+/13288
Committed: https://git.mahara.org/mahara/mahara/commit/72f6dc73d1d55f095c11e59fb4b8879e2eb21f47
Submitter: "Robert Lyon <email address hidden>"
Branch: 22.10_DEV

commit 72f6dc73d1d55f095c11e59fb4b8879e2eb21f47
Author: Robert Lyon <email address hidden>
Date: Tue Sep 13 08:49:49 2022 +1200

Bug 1989388: Allow 'lis_person_sourcedid' to be recorded as a remoteusername

And record it as remoteusername to the parentauth
This is because moodle can send the moodle ID as remoteauth name not
the username from the remote IdP that ties everything together

Also tidy up LTI_Advantage to be like LTI
- See Bug 1943772, commit ec27a6d715c0d015c94e3ec3d0bada974886bbb8

Change-Id: Icbc3bc4511d9cb3b1fb12103f76f5d67539224e3
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit 97447a21ffc7165af0f7075c2e49cca8d51447d9)
