Rename Azure AD to Microsoft Entra ID
weilai-irl committed Dec 22, 2023
1 parent e0eec2d commit 9f84a45
Showing 67 changed files with 886 additions and 854 deletions.
2 changes: 1 addition & 1 deletion auth/oidc/README.md
@@ -1,4 +1,4 @@
# Microsoft 365 and Azure Active Directory Plugins for Moodle
# Microsoft 365 and Microsoft Entra ID Plugins for Moodle

## OpenID Connect Authentication Plugin.

14 changes: 7 additions & 7 deletions auth/oidc/classes/form/application.php
Expand Up @@ -50,8 +50,8 @@ protected function definition() {

// IdP type.
$idptypeoptions = [
AUTH_OIDC_IDP_TYPE_AZURE_AD => get_string('idp_type_azuread', 'auth_oidc'),
AUTH_OIDC_IDP_TYPE_MICROSOFT => get_string('idp_type_microsoft', 'auth_oidc'),
AUTH_OIDC_IDP_TYPE_MICROSOFT_ENTRA_ID => get_string('idp_type_microsoft_entra_id', 'auth_oidc'),
AUTH_OIDC_IDP_TYPE_MICROSOFT_IDENTITY_PLATFORM => get_string('idp_type_microsoft_identity_platform', 'auth_oidc'),
AUTH_OIDC_IDP_TYPE_OTHER => get_string('idp_type_other', 'auth_oidc'),
];
$mform->addElement('select', 'idptype', auth_oidc_config_name_in_form('idptype'), $idptypeoptions);
Expand All @@ -72,7 +72,7 @@ protected function definition() {
AUTH_OIDC_AUTH_METHOD_SECRET => get_string('auth_method_secret', 'auth_oidc'),
];
if (isset($this->_customdata['oidcconfig']->idptype) &&
$this->_customdata['oidcconfig']->idptype == AUTH_OIDC_IDP_TYPE_MICROSOFT) {
$this->_customdata['oidcconfig']->idptype == AUTH_OIDC_IDP_TYPE_MICROSOFT_IDENTITY_PLATFORM) {
$authmethodoptions[AUTH_OIDC_AUTH_METHOD_CERTIFICATE] = get_string('auth_method_certificate', 'auth_oidc');
}
$mform->addElement('select', 'clientauthmethod', auth_oidc_config_name_in_form('clientauthmethod'), $authmethodoptions);
Expand Down Expand Up @@ -153,13 +153,13 @@ function validation($data, $files) {

// Validate "clientauthmethod" according to "idptype".
switch ($data['idptype']) {
case AUTH_OIDC_IDP_TYPE_AZURE_AD:
case AUTH_OIDC_IDP_TYPE_MICROSOFT_ENTRA_ID:
case AUTH_OIDC_IDP_TYPE_OTHER:
if ($data['clientauthmethod'] != AUTH_OIDC_AUTH_METHOD_SECRET) {
$errors['clientauthmethod'] = get_string('error_invalid_client_authentication_method', 'auth_oidc');
}
break;
case AUTH_OIDC_IDP_TYPE_MICROSOFT:
case AUTH_OIDC_IDP_TYPE_MICROSOFT_IDENTITY_PLATFORM:
if (!in_array($data['clientauthmethod'], [AUTH_OIDC_AUTH_METHOD_SECRET, AUTH_OIDC_AUTH_METHOD_CERTIFICATE])) {
$errors['clientauthmethod'] = get_string('error_invalid_client_authentication_method', 'auth_oidc');
}
Expand All @@ -184,7 +184,7 @@ function validation($data, $files) {
}

// Validate endpoints.
if (in_array($data['idptype'], [AUTH_OIDC_IDP_TYPE_AZURE_AD, AUTH_OIDC_IDP_TYPE_MICROSOFT])) {
if (in_array($data['idptype'], [AUTH_OIDC_IDP_TYPE_MICROSOFT_ENTRA_ID, AUTH_OIDC_IDP_TYPE_MICROSOFT_IDENTITY_PLATFORM])) {
// Validate authendpoint.
$authendpointidptype = auth_oidc_determine_endpoint_version($data['authendpoint']);
if ($authendpointidptype != $data['idptype']) {
Expand All @@ -199,7 +199,7 @@ function validation($data, $files) {
}

// Validate oidcresource.
if (in_array($data['idptype'], [AUTH_OIDC_IDP_TYPE_AZURE_AD, AUTH_OIDC_IDP_TYPE_OTHER])) {
if (in_array($data['idptype'], [AUTH_OIDC_IDP_TYPE_MICROSOFT_ENTRA_ID, AUTH_OIDC_IDP_TYPE_OTHER])) {
if (empty(trim($data['oidcresource']))) {
$errors['oidcresource'] = get_string('error_empty_oidcresource', 'auth_oidc');
}
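Review bot: The renamed `in_array` membership checks on the new side (the `clientauthmethod` check in the identity-platform case and the two `$data['idptype']` checks before the endpoint and oidcresource validation) still omit `strict: true`, and the `switch ($data['idptype'])` above them compares loosely as well. If the `AUTH_OIDC_IDP_TYPE_*` constants are integers while the submitted form value is a string, the code is presumably relying on loose comparison to work at all; normalising once at the top of the validation, `$idptype = (int) $data['idptype'];`, and then passing `true` to each `in_array` makes that intent explicit and closes the gap where an unexpected value such as `'0abc'` would match under `==`. The same applies to the `!=` in the first case of the switch. `validation()` starts and ends outside these hunks, so the cast would sit before the first hunk shown.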
26 changes: 13 additions & 13 deletions auth/oidc/classes/loginflow/authcode.php
Expand Up @@ -108,7 +108,7 @@ protected function getoidcparam($name, $fallback = '') {
public function handleredirect() {
global $CFG, $SESSION;

if (get_config('auth_oidc', 'idptype') == AUTH_OIDC_IDP_TYPE_MICROSOFT) {
if (get_config('auth_oidc', 'idptype') == AUTH_OIDC_IDP_TYPE_MICROSOFT_IDENTITY_PLATFORM) {
$adminconsent = optional_param('admin_consent', '', PARAM_TEXT);
if ($adminconsent) {
$state = $this->getoidcparam('state');
Expand Down Expand Up @@ -339,7 +339,7 @@ protected function handleauthresponse(array $authparams) {
if (isloggedin() && !isguestuser() && (empty($tokenrec) || (isset($USER->auth) && $USER->auth !== 'oidc'))) {
// If user is already logged in and trying to link Microsoft 365 account or use it for OIDC.
// Check if that Microsoft 365 account already exists in moodle.
if (get_config('auth_oidc', 'idptype') == AUTH_OIDC_IDP_TYPE_MICROSOFT) {
if (get_config('auth_oidc', 'idptype') == AUTH_OIDC_IDP_TYPE_MICROSOFT_IDENTITY_PLATFORM) {
$upn = $idtoken->claim('preferred_username');
if (empty($upn)) {
$upn = $idtoken->claim('email');
Expand Down Expand Up @@ -478,16 +478,16 @@ protected function handlemigration($oidcuniqid, $authparams, $tokenparams, $idto
}

/**
* Determines whether the given Azure AD UPN is already matched to a Moodle user (and has not been completed).
* Determines whether the given Microsoft Entra ID UPN is already matched to a Moodle user (and has not been completed).
*
* @param $aadupn
* @param $entraidupn
* @return false|stdClass Either the matched Moodle user record, or false if not matched.
*/
protected function check_for_matched($aadupn) {
protected function check_for_matched($entraidupn) {
global $DB;

if (auth_oidc_is_local_365_installed()) {
$match = $DB->get_record('local_o365_connections', ['aadupn' => $aadupn]);
$match = $DB->get_record('local_o365_connections', ['entraidupn' => $entraidupn]);
if (!empty($match) && \local_o365\utils::is_o365_connected($match->muserid) !== true) {
return $DB->get_record('user', ['id' => $match->muserid]);
}
Expand Down Expand Up @@ -539,7 +539,7 @@ protected function handlelogin(string $oidcuniqid, array $authparams, array $tok

// Find the latest real Microsoft username.
// Determine remote username depending on IdP type, or fall back to standard 'sub'.
if (get_config('auth_oidc', 'idptype') == AUTH_OIDC_IDP_TYPE_MICROSOFT) {
if (get_config('auth_oidc', 'idptype') == AUTH_OIDC_IDP_TYPE_MICROSOFT_IDENTITY_PLATFORM) {
$oidcusername = $idtoken->claim('preferred_username');
if (empty($oidcusername)) {
$oidcusername = $idtoken->claim('email');
Expand Down Expand Up @@ -671,7 +671,7 @@ protected function handlelogin(string $oidcuniqid, array $authparams, array $tok

$existinguser = core_user::get_user($existingmatching->moodleid);

if (get_config('auth_oidc', 'idptype') == AUTH_OIDC_IDP_TYPE_MICROSOFT) {
if (get_config('auth_oidc', 'idptype') == AUTH_OIDC_IDP_TYPE_MICROSOFT_IDENTITY_PLATFORM) {
$username = $idtoken->claim('preferred_username');
if (empty($username)) {
$username = $idtoken->claim('email');
Expand All @@ -687,7 +687,7 @@ protected function handlelogin(string $oidcuniqid, array $authparams, array $tok
if (empty($username)) {
$username = $oidcuniqid;

// If upn claim is missing, it can mean either the IdP is not Azure AD, or it's a guest user.
// If upn claim is missing, it can mean either the IdP is not Microsoft Entra ID, or it's a guest user.
if (auth_oidc_is_local_365_installed()) {
$apiclient = \local_o365\utils::get_api();
$userdetails = $apiclient->get_user($oidcuniqid, true);
Expand Down Expand Up @@ -740,8 +740,8 @@ protected function handlelogin(string $oidcuniqid, array $authparams, array $tok
*/

// Generate a Moodle username.
// Use 'upn' if available for username (Azure-specific), or fall back to lower-case oidcuniqid.
if (get_config('auth_oidc', 'idptype') == AUTH_OIDC_IDP_TYPE_MICROSOFT) {
// Use 'upn' if available for username (Microsoft-specific), or fall back to lower-case oidcuniqid.
if (get_config('auth_oidc', 'idptype') == AUTH_OIDC_IDP_TYPE_MICROSOFT_IDENTITY_PLATFORM) {
$username = $idtoken->claim('preferred_username');
if (empty($username)) {
$username = $idtoken->claim('email');
Expand All @@ -757,7 +757,7 @@ protected function handlelogin(string $oidcuniqid, array $authparams, array $tok
if (empty($username)) {
$username = $oidcuniqid;

// If upn claim is missing, it can mean either the IdP is not Azure AD, or it's a guest user.
// If upn claim is missing, it can mean either the IdP is not Microsoft Entra ID, or it's a guest user.
if (auth_oidc_is_local_365_installed()) {
$apiclient = \local_o365\utils::get_api();
$userdetails = $apiclient->get_user($oidcuniqid, true);
Expand All @@ -774,7 +774,7 @@ protected function handlelogin(string $oidcuniqid, array $authparams, array $tok
$matchedwith = $this->check_for_matched($username);
if (!empty($matchedwith)) {
if ($matchedwith->auth != 'oidc') {
$matchedwith->aadupn = $username;
$matchedwith->entraidupn = $username;
throw new moodle_exception('errorusermatched', 'auth_oidc', null, $matchedwith);
}
}
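Review bot: The `check_for_matched` hunk changes the column name in the `$DB->get_record('local_o365_connections', ['entraidupn' => $entraidupn])` lookup, but `local_o365_connections` is a table owned by the local_o365 plugin, and nothing in this commit shows a version dependency requiring the local_o365 release that renames `aadupn`; on a site where auth_oidc is upgraded first, this query would presumably fail with a DML exception in the middle of the login flow rather than returning false. The later hunk that sets `$matchedwith->entraidupn = $username` before throwing `errorusermatched` has the same coupling: the `{$a->...}` placeholder in that language string must be renamed in step, or the message silently loses the username. Both points are worth a guard on the plugin dependency (a `$plugin->dependencies` entry or an explicit version check before the query) and a comment naming the cross-plugin contract. Separately, the refreshed docblock still leaves the parameter untyped; `@param string $entraidupn` is the natural completion given that `filter_var`/`get_record` consume it as a string. `handlelogin()` and `handlemigration()` both start and end outside the hunks shown.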
26 changes: 13 additions & 13 deletions auth/oidc/classes/loginflow/base.php
Expand Up @@ -123,7 +123,7 @@ public function get_userinfo($username) {
if (auth_oidc_is_local_365_installed()) {
// Check if multi tenants is enabled. User from additional tenants can only sync fields from token.
$userfromadditionaltenant = false;
$hostingtenantid = get_config('local_o365', 'aadtenantid');
$hostingtenantid = get_config('local_o365', 'microsofttenantid');
$token = jwt::instance_from_encoded($tokenrec->token);
if ($token->claim('tid') != $hostingtenantid) {
$userfromadditionaltenant = true;
Expand Down Expand Up @@ -155,7 +155,7 @@ public function get_userinfo($username) {
}

if (!isset($userdata['userPrincipalName'])) {
if (get_config('auth_oidc', 'idptype') == AUTH_OIDC_IDP_TYPE_MICROSOFT) {
if (get_config('auth_oidc', 'idptype') == AUTH_OIDC_IDP_TYPE_MICROSOFT_IDENTITY_PLATFORM) {
$upn = $token->claim('preferred_username');
if (empty($upn)) {
$upn = $token->claim('email');
Expand Down Expand Up @@ -191,9 +191,9 @@ public function get_userinfo($username) {
$userdata['mail'] = $email;
} else {
if (!empty($upn)) {
$aademailvalidateresult = filter_var($upn, FILTER_VALIDATE_EMAIL);
if (!empty($aademailvalidateresult)) {
$userdata['mail'] = $aademailvalidateresult;
$entraidemailvalidateresult = filter_var($upn, FILTER_VALIDATE_EMAIL);
if (!empty($entraidemailvalidateresult)) {
$userdata['mail'] = $entraidemailvalidateresult;
}
}
}
Expand Down Expand Up @@ -223,7 +223,7 @@ public function get_userinfo($username) {
}

if (!isset($userdata['objectId'])) {
// Use 'oid' if available (Azure-specific), or fall back to standard "sub" claim.
// Use 'oid' if available (Microsoft-specific), or fall back to standard "sub" claim.
$objectid = $token->claim('oid');
if (empty($objectid)) {
$objectid = $token->claim('sub');
Expand All @@ -234,7 +234,7 @@ public function get_userinfo($username) {
}

if (!isset($userdata['userPrincipalName'])) {
if (get_config('auth_oidc', 'idptype') == AUTH_OIDC_IDP_TYPE_MICROSOFT) {
if (get_config('auth_oidc', 'idptype') == AUTH_OIDC_IDP_TYPE_MICROSOFT_IDENTITY_PLATFORM) {
$upn = $token->claim('preferred_username');
if (empty($upn)) {
$upn = $token->claim('email');
Expand Down Expand Up @@ -270,9 +270,9 @@ public function get_userinfo($username) {
$userdata['mail'] = $email;
} else {
if (!empty($upn)) {
$aademailvalidateresult = filter_var($upn, FILTER_VALIDATE_EMAIL);
if (!empty($aademailvalidateresult)) {
$userdata['mail'] = $aademailvalidateresult;
$entraidemailvalidateresult = filter_var($upn, FILTER_VALIDATE_EMAIL);
if (!empty($entraidemailvalidateresult)) {
$userdata['mail'] = $entraidemailvalidateresult;
}
}
}
Expand Down Expand Up @@ -541,7 +541,7 @@ protected function process_idtoken($idtoken, $orignonce = '') {
throw new moodle_exception('errorauthinvalididtoken', 'auth_oidc');
}

// Use 'oid' if available (Azure-specific), or fall back to standard "sub" claim.
// Use 'oid' if available (Microsoft-specific), or fall back to standard "sub" claim.
$oidcuniqid = $idtoken->claim('oid');
if (empty($oidcuniqid)) {
$oidcuniqid = $idtoken->claim('sub');
Expand All @@ -565,7 +565,7 @@ protected function checkrestrictions(jwt $idtoken) {
if ($restrictions !== '') {
$restrictions = explode("\n", $restrictions);
// Check main user identifier claim based on IdP type, and falls back to oidc-standard "sub" if still empty.
if (get_config('auth_oidc', 'idptype') == AUTH_OIDC_IDP_TYPE_MICROSOFT) {
if (get_config('auth_oidc', 'idptype') == AUTH_OIDC_IDP_TYPE_MICROSOFT_IDENTITY_PLATFORM) {
$tomatch = $idtoken->claim('preferred_username');
if (empty($tomatch)) {
$tomatch = $idtoken->claim('email');
Expand Down Expand Up @@ -639,7 +639,7 @@ protected function createtoken($oidcuniqid, $username, $authparams, $tokenparams
$oidcusername = $originalupn;
} else {
// Determine remote username depending on IdP type, or fall back to standard 'sub'.
if (get_config('auth_oidc', 'idptype') == AUTH_OIDC_IDP_TYPE_MICROSOFT) {
if (get_config('auth_oidc', 'idptype') == AUTH_OIDC_IDP_TYPE_MICROSOFT_IDENTITY_PLATFORM) {
$oidcusername = $idtoken->claim('preferred_username');
if (empty($oidcusername)) {
$oidcusername = $idtoken->claim('email');
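Review bot: In the first `get_userinfo` hunk the config key read from local_o365 changes from `aadtenantid` to `microsofttenantid`, and the result is only consumed by `$token->claim('tid') != $hostingtenantid`; if the installed local_o365 has not yet migrated its key, `get_config` returns `false`, the loose comparison is true for every real `tid`, and every user is silently classified as coming from an additional tenant (only token fields are synced). That is a behaviour change on a partially upgraded site that nothing in the hunk detects. A cheap guard is `if ($hostingtenantid === false) { debugging('local_o365 microsofttenantid not set; treating all users as hosting-tenant', DEBUG_DEVELOPER); }` paired with `$userfromadditionaltenant = !empty($hostingtenantid) && $token->claim('tid') != $hostingtenantid;`, or a plugin version dependency as in the authcode.php column rename. `get_userinfo()` starts and ends outside the hunks shown.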
4 changes: 2 additions & 2 deletions auth/oidc/classes/oidcclient.php
Expand Up @@ -182,7 +182,7 @@ protected function getauthrequestparams($promptlogin = false, array $stateparams
'redirect_uri' => $this->redirecturi
];

if (get_config('auth_oidc', 'idptype') != AUTH_OIDC_IDP_TYPE_MICROSOFT) {
if (get_config('auth_oidc', 'idptype') != AUTH_OIDC_IDP_TYPE_MICROSOFT_IDENTITY_PLATFORM) {
$params['resource'] = $this->tokenresource;
}

Expand Down Expand Up @@ -301,7 +301,7 @@ public function rocredsrequest($username, $password) {
'client_secret' => $this->clientsecret,
];

if (get_config('auth_oidc', 'idptype') != AUTH_OIDC_IDP_TYPE_MICROSOFT) {
if (get_config('auth_oidc', 'idptype') != AUTH_OIDC_IDP_TYPE_MICROSOFT_IDENTITY_PLATFORM) {
$params['resource'] = $this->tokenresource;
}

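Review bot: Both hunks in this file repeat `get_config('auth_oidc', 'idptype') != AUTH_OIDC_IDP_TYPE_MICROSOFT_IDENTITY_PLATFORM`, and the same expression (with `==`) is rewritten in at least eight hunks across authcode.php and base.php in this commit; since the rename already touches every call site, this is the moment to fold it into one helper, e.g. a lib function such as `auth_oidc_idptype_is_identity_platform(): bool` that does the `get_config` read and a strict comparison against the cast value once. That also removes the loose `!=` between a string from `get_config` and an integer constant at each site, which is currently what makes these comparisons work but is easy to break the next time the constant values change. `getauthrequestparams()` and `rocredsrequest()` both start and end outside the hunks shown.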
24 changes: 12 additions & 12 deletions auth/oidc/db/upgrade.php
Expand Up @@ -247,18 +247,18 @@ function xmldb_auth_oidc_upgrade($oldversion) {
}

// Part 2: update Authorization and token end point URL.
$aadtenant = get_config('local_o365', 'aadtenant');
$entratenant = get_config('local_o365', 'aadtenant');

if ($aadtenant) {
if ($entratenant) {
$authorizationendpoint = get_config('auth_oidc', 'authendpoint');
if ($authorizationendpoint == 'https://login.microsoftonline.com/common/oauth2/authorize') {
$authorizationendpoint = str_replace('common', $aadtenant, $authorizationendpoint);
$authorizationendpoint = str_replace('common', $entratenant, $authorizationendpoint);
set_config('authendpoint', $authorizationendpoint, 'auth_oidc');
}

$tokenendpoint = get_config('auth_oidc', 'tokenendpoint');
if ($tokenendpoint == 'https://login.microsoftonline.com/common/oauth2/token') {
$tokenendpoint = str_replace('common', $aadtenant, $tokenendpoint);
$tokenendpoint = str_replace('common', $entratenant, $tokenendpoint);
set_config('tokenendpoint', $tokenendpoint, 'auth_oidc');
}
}
Expand Down Expand Up @@ -332,15 +332,15 @@ function xmldb_auth_oidc_upgrade($oldversion) {
$authorizationendpoint = get_config('auth_oidc', 'authendpoint');
if (empty($idptypeconfig)) {
if (!$authorizationendpoint) {
set_config('idptype', AUTH_OIDC_IDP_TYPE_AZURE_AD, 'auth_oidc');
set_config('idptype', AUTH_OIDC_IDP_TYPE_MICROSOFT_ENTRA_ID, 'auth_oidc');
} else {
$endpointversion = auth_oidc_determine_endpoint_version($authorizationendpoint);
switch ($endpointversion) {
case AUTH_OIDC_AAD_ENDPOINT_VERSION_1:
set_config('idptype', AUTH_OIDC_IDP_TYPE_AZURE_AD, 'auth_oidc');
case AUTH_OIDC_MICROSOFT_ENDPOINT_VERSION_1:
set_config('idptype', AUTH_OIDC_IDP_TYPE_MICROSOFT_ENTRA_ID, 'auth_oidc');
break;
case AUTH_OIDC_AAD_ENDPOINT_VERSION_2:
set_config('idptype', AUTH_OIDC_IDP_TYPE_MICROSOFT, 'auth_oidc');
case AUTH_OIDC_MICROSOFT_ENDPOINT_VERSION_2:
set_config('idptype', AUTH_OIDC_IDP_TYPE_MICROSOFT_IDENTITY_PLATFORM, 'auth_oidc');
break;
default:
set_config('idptype', AUTH_OIDC_IDP_TYPE_OTHER, 'auth_oidc');
Expand All @@ -364,9 +364,9 @@ function xmldb_auth_oidc_upgrade($oldversion) {
// Update tenantnameorguid config.
$tenantnameorguidconfig = get_config('auth_oidc', 'tenantnameorguid');
if (empty($tenantnameorguidconfig)) {
$aadtenantconfig = get_config('local_o365', 'aadtenant');
if ($aadtenantconfig) {
set_config('tenantnameorguid', $aadtenantconfig, 'auth_oidc');
$entratenant = get_config('local_o365', 'aadtenant');
if ($entratenant) {
set_config('tenantnameorguid', $entratenant, 'auth_oidc');
}
}

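Review bot: The variable renames in the two `aadtenant` hunks keep reading the historic `get_config('local_o365', 'aadtenant')` key, which is the right thing for an upgrade step, but a reader who has just seen base.php switch to `microsofttenantid` will reasonably suspect these were missed; a one-line comment above each read, `// Historic local_o365 key: upgrade steps must read the name that existed at the time this step targets.`, prevents a future "fix" that would break the migration. The `$entratenant` name is also reused for two different upgrade steps inside `xmldb_auth_oidc_upgrade()`, which starts and ends outside the hunks shown; that is harmless here but worth noting if the steps are ever reordered.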