Moodle APIs 4.3
Moodle 4.3.6 (Build: 20240812)
|
LTI Authentication plugin.
Public Member Functions | |
__construct () | |
Constructor. | |
can_be_manually_set () | |
Returns whether or not this authentication plugin can be manually set for users, for example, when bulk uploading users. | |
can_change_password () | |
Returns true if this authentication plugin can change the users' password. | |
can_confirm () | |
Returns true if plugin allows confirming of new users. | |
can_edit_profile () | |
Returns true if this authentication plugin can edit the users' profile. | |
can_reset_password () | |
Returns true if plugin allows resetting of internal password. | |
can_signup () | |
Returns true if plugin allows resetting of internal password. | |
change_password_url () | |
Returns the URL for changing the users' passwords, or empty if the default URL can be used. | |
complete_login (array $launchdata, moodle_url $returnurl, int $provisioningmode, array $legacyconsumersecrets=[]) | |
Authenticate the user based on the unique {iss, sub} tuple present in the OIDC JWT. | |
config_form ($config, $err, $user_fields) | |
Prints a form for configuring this authentication plugin. | |
create_user_binding (string $iss, string $sub, int $userid) | |
Create a binding between the LTI user, as identified by {iss, sub} tuple and the user id. | |
edit_profile_url () | |
Returns the URL for editing the users' profile, or empty if the default URL can be used. | |
find_or_create_user_from_launch (array $launchdata, array $legacyconsumersecrets=[]) | |
Get a Moodle user account for the LTI user corresponding to the user defined in a link launch. | |
find_or_create_user_from_membership (array $member, string $iss, string $legacyconsumerkey='') | |
Get a Moodle user account for the LTI user based on the user details returned by a NRPS 2 membership call. | |
get_custom_user_profile_fields () | |
Return custom user profile fields. | |
get_description () | |
Get the auth description (from core or own auth lang files) | |
get_extrauserinfo () | |
Returns extra user information. | |
get_password_change_info (stdClass $user) | |
Returns information on how the specified user can change their password. | |
get_title () | |
Return the properly translated human-friendly title of this auth plugin. | |
get_user_binding (string $issuer, string $sub) | |
Gets the id of the linked Moodle user account for an LTI user, or null if not found. | |
get_userinfo ($username) | |
Read user information from external database and returns it as array(). | |
ignore_timeout_hook ($user, $sid, $timecreated, $timemodified) | |
Hook called before timing out of database session. | |
is_captcha_enabled () | |
Returns whether or not the captcha element is enabled. | |
is_configured () | |
Returns false if this plugin is enabled but not configured. | |
is_internal () | |
Returns true if this authentication plugin is "internal". | |
is_synchronised_with_external () | |
Indicates if moodle should automatically update internal user records with data from external sources using the information from get_userinfo() method. | |
object | loginpage_hook () |
Hook for overriding behaviour of login page. | |
loginpage_idp_list ($wantsurl) | |
Returns a list of potential IdPs that this authentication plugin supports. | |
object | logoutpage_hook () |
Hook for overriding behaviour of logout page. | |
password_expire ($username) | |
Returns the number of days until the user's password expires. | |
postlogout_hook ($user) | |
Post logout hook. | |
pre_loginpage_hook () | |
Hook for overriding behaviour before going to the login page. | |
pre_user_login_hook (&$user) | |
Pre user_login hook. | |
object | prelogout_hook () |
Pre logout hook. | |
prevent_local_passwords () | |
Indicates if password hashes should be stored in local moodle database. | |
process_config ($config) | |
Processes and stores configuration data for this authentication plugin. | |
set_extrauserinfo (array $values) | |
Set extra user information. | |
signup_form () | |
Return a form to capture user details for account creation. | |
sync_roles ($user) | |
Sync roles for this user - usually creator. | |
update_user_account (stdClass $user, array $userdata, string $iss) | |
Update the personal fields of the user account, based on data present in either a launch or member sync call. | |
user_authenticated_hook (&$user, $username, $password) | |
Post authentication hook. | |
user_confirm ($username, $confirmsecret) | |
Confirm the new user as registered. | |
user_delete ($olduser) | |
User delete requested - internal user record is marked as deleted already, username not present anymore. | |
user_exists ($username) | |
Checks if user exists in external db. | |
user_login ($username, $password) | |
Users can not log in via the traditional login form. | |
user_signup ($user, $notify=true) | |
Sign up a new user ready for confirmation. | |
user_update ($olduser, $newuser) | |
Called when the user record is updated. | |
user_update_password ($user, $newpassword) | |
Updates the user's password. | |
validate_form ($form, &$err) | |
A chance to validate form data, and last chance to do stuff before it is inserted in config_plugin. | |
Static Public Member Functions | |
static | get_identity_providers ($authsequence) |
Return the list of enabled identity providers. | |
static | prepare_identity_providers_for_output ($identityproviders, renderer_base $output) |
Prepare a list of identity providers for output. | |
Public Attributes | |
string | $authtype |
Authentication plugin type - the same as db field. | |
object | $config |
The configuration details for the plugin. | |
array | $userfields = core_user::AUTHSYNCFIELDS |
int const | PROVISIONING_MODE_AUTO_ONLY = 1 |
constant representing the automatic account provisioning mode. | |
int const | PROVISIONING_MODE_PROMPT_EXISTING_ONLY = 3 |
constant representing the prompt for existing only provisioning mode. | |
int const | PROVISIONING_MODE_PROMPT_NEW_EXISTING = 2 |
constant representing the prompt for new or existing provisioning mode. | |
Protected Member Functions | |
create_new_account (array $userdata, string $iss) | |
Create a new user account based on the user data either in the launch JWT or from a membership call. | |
empty_session () | |
If there's an existing session, inits an empty session. | |
is_valid_provisioning_mode (int $mode) | |
Check whether a provisioning mode is valid or not. | |
update_user_picture (int $userid, string $url) | |
Update the user's picture with the image stored at $url. | |
update_user_record ($username, $updatekeys=false, $triggerevent=false, $suspenduser=false) | |
Update a local user record from an external source. | |
Protected Attributes | |
string | $errorlogtag = '' |
The tag we want to prepend to any error log messages. | |
array | $extrauserinfo = [] |
Stores extra information available to the logged in event. | |
LTI Authentication plugin.
|
inherited |
Returns whether or not this authentication plugin can be manually set for users, for example, when bulk uploading users.
This should be overridden by authentication plugins where setting the authentication method manually is allowed.
bool |
Reimplemented in auth_oauth2\auth, auth_plugin_email, auth_plugin_ldap, auth_plugin_manual, auth_plugin_nologin, and auth_plugin_none.
|
inherited |
Returns true if this authentication plugin can change the users' password.
bool |
Reimplemented in auth_oauth2\auth, auth_plugin_cas, auth_plugin_db, auth_plugin_email, auth_plugin_ldap, auth_plugin_manual, auth_plugin_mnet, auth_plugin_nologin, auth_plugin_none, auth_plugin_shibboleth, and auth_plugin_webservice.
|
inherited |
Returns true if plugin allows confirming of new users.
bool |
Reimplemented in auth_plugin_email, and auth_plugin_ldap.
|
inherited |
Returns true if this authentication plugin can edit the users' profile.
bool |
|
inherited |
Returns true if plugin allows resetting of internal password.
bool |
Reimplemented in auth_oauth2\auth, auth_plugin_db, auth_plugin_email, auth_plugin_ldap, auth_plugin_manual, auth_plugin_nologin, auth_plugin_none, and auth_plugin_webservice.
|
inherited |
Returns true if plugin allows resetting of internal password.
bool |
Reimplemented in auth_plugin_email, and auth_plugin_ldap.
|
inherited |
Returns the URL for changing the users' passwords, or empty if the default URL can be used.
This method is used if can_change_password() returns true. This method is called only when user is logged in, it may use global $USER. If you are using a plugin config variable in this method, please make sure it is set before using it, as this method can be called even if the plugin is disabled, in which case the config values won't be set.
moodle_url | url of the profile page or null if standard used |
Reimplemented in auth_oauth2\auth, auth_plugin_cas, auth_plugin_db, auth_plugin_email, auth_plugin_ldap, auth_plugin_manual, auth_plugin_mnet, auth_plugin_none, auth_plugin_shibboleth, and auth_plugin_webservice.
auth_plugin_lti::complete_login (array $launchdata, moodle_url $returnurl, int $provisioningmode, array $legacyconsumersecrets = [])
Authenticate the user based on the unique {iss, sub} tuple present in the OIDC JWT.
This method ensures a Moodle user account has been found or is created, that the user is linked to the relevant LTI Advantage credentials (iss, sub) and that the user account is logged in.
Launch code can therefore rely on this method to get a session before doing things like calling require_login().
This method supports two workflows:
Which workflow is chosen depends on the roles present in the JWT. For teachers/admins, manual provisioning will take place. These user types are likely to have existing accounts. For learners, automatic provisioning will take place.
Migration of legacy users is supported, however, only for the Learner role (automatic provisioning). Admins and teachers are likely to have existing accounts and we want them to be able to select and bind these, rather than binding an automatically provisioned legacy account which doesn't represent their real user account.
The JWT data must be verified elsewhere. The code here assumes its integrity/authenticity.
array | $launchdata | the JWT data provided in the link launch. |
moodle_url | $returnurl | the local URL to return to if authentication workflows are required. |
int | $provisioningmode | the desired account provisioning mode, which controls the auth flow for unbound users. |
array | $legacyconsumersecrets | an array of secrets used by the legacy consumer if a migration claim exists. |
coding_exception | if the specified provisioning mode is invalid. |
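The binding lookup and provisioning-mode handling described above, as an added standalone PHP model; it is not Moodle's code. The names binding_store and plan_login() and the returned action strings are hypothetical, InvalidArgumentException stands in for coding_exception, and the claims are assumed to have been verified already, as the method requires.

```php
<?php
declare(strict_types=1);

// Values copied from the constants documented on this page.
const PROVISIONING_MODE_AUTO_ONLY = 1;
const PROVISIONING_MODE_PROMPT_NEW_EXISTING = 2;
const PROVISIONING_MODE_PROMPT_EXISTING_ONLY = 3;

/** Hypothetical in-memory stand-in for the stored {iss, sub} -> user id bindings. */
final class binding_store {
    /** @var array<string, int> */
    private array $bindings = [];

    private static function key(string $iss, string $sub): string {
        // Encode the pair as JSON so the two parts can never run together:
        // ("https://a", "b|1") and ("https://a|b", "1") yield different keys.
        return json_encode([$iss, $sub], JSON_THROW_ON_ERROR);
    }

    public function create_user_binding(string $iss, string $sub, int $userid): void {
        $this->bindings[self::key($iss, $sub)] = $userid;
    }

    public function get_user_binding(string $iss, string $sub): ?int {
        return $this->bindings[self::key($iss, $sub)] ?? null;
    }
}

/**
 * Hypothetical helper: decide what a launch handler should do with verified claims.
 * Signature verification must already have happened; nothing here checks it.
 */
function plan_login(array $launchdata, int $mode, binding_store $store): array {
    $valid = [PROVISIONING_MODE_AUTO_ONLY, PROVISIONING_MODE_PROMPT_NEW_EXISTING,
        PROVISIONING_MODE_PROMPT_EXISTING_ONLY];
    if (!in_array($mode, $valid, true)) {
        // The documented method throws coding_exception for an invalid mode.
        throw new InvalidArgumentException("Invalid provisioning mode: $mode");
    }
    $iss = $launchdata['iss'] ?? null;
    $sub = $launchdata['sub'] ?? null;
    if (!is_string($iss) || $iss === '' || !is_string($sub) || $sub === '') {
        throw new InvalidArgumentException('Launch data must carry non-empty iss and sub');
    }

    // Bound users are logged in whatever the mode; the mode only matters when unbound.
    $userid = $store->get_user_binding($iss, $sub);
    if ($userid !== null) {
        return ['action' => 'login', 'userid' => $userid];
    }
    if ($mode === PROVISIONING_MODE_AUTO_ONLY) {
        return ['action' => 'create_and_bind'];
    }
    $options = $mode === PROVISIONING_MODE_PROMPT_EXISTING_ONLY
        ? ['link_existing']
        : ['link_existing', 'create_new'];
    return ['action' => 'prompt', 'options' => $options];
}

// Constructed sample data: two platforms that issue the same sub value.
$store = new binding_store();
$store->create_user_binding('https://platform-a.example', 'user-42', 1001);

$launches = [
    ['iss' => 'https://platform-a.example', 'sub' => 'user-42'],
    ['iss' => 'https://platform-b.example', 'sub' => 'user-42'],
];
$modes = [PROVISIONING_MODE_AUTO_ONLY, PROVISIONING_MODE_PROMPT_NEW_EXISTING,
    PROVISIONING_MODE_PROMPT_EXISTING_ONLY];
foreach ($launches as $claims) {
    foreach ($modes as $mode) {
        $plan = plan_login($claims, $mode, $store);
        echo $claims['iss'], ' mode ', $mode, ' => ', json_encode($plan), PHP_EOL;
    }
}
```

Because the lookup key includes the issuer, the platform-b launch is treated as unbound and is never mapped to user 1001, even though its sub matches.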
|
inherited |
Prints a form for configuring this authentication plugin.
This function is called from admin/auth.php, and outputs a full page with a form for configuring this plugin.
object | $config | |
object | $err | |
array | $user_fields |
|
protected |
Create a new user account based on the user data either in the launch JWT or from a membership call.
array | $userdata | the user data coming from either a launch or membership service call. |
string | $iss | the issuer to which the user belongs. |
stdClass | a complete Moodle user record. |
auth_plugin_lti::create_user_binding (string $iss, string $sub, int $userid)
Create a binding between the LTI user, as identified by {iss, sub} tuple and the user id.
string | $iss | the issuer URL identifying the platform to which to user belongs. |
string | $sub | the sub string identifying the user on the platform. |
int | $userid | the id of the Moodle user account to bind. |
|
inherited |
Returns the URL for editing the users' profile, or empty if the default URL can be used.
This method is used if can_edit_profile() returns true. This method is called only when user is logged in, it may use global $USER.
moodle_url | url of the profile page or null if standard used |
|
protected |
If there's an existing session, inits an empty session.
void |
auth_plugin_lti::find_or_create_user_from_launch (array $launchdata, array $legacyconsumersecrets = [])
Get a Moodle user account for the LTI user corresponding to the user defined in a link launch.
This method supports migration of user accounts used in legacy launches, provided the legacy consumer secrets corresponding to the legacy consumer are provided. If calling code wishes migration to be role-specific, it should check roles accordingly itself and pass relevant data in, as auth_plugin_lti::complete_login() does.
array | $launchdata | all data in the decoded JWT including iss and sub. |
array | $legacyconsumersecrets | all secrets found for the legacy consumer, facilitating user migration. |
stdClass | the Moodle user who is mapped to the platform user identified in the JWT data. |
auth_plugin_lti::find_or_create_user_from_membership (array $member, string $iss, string $legacyconsumerkey = '')
Get a Moodle user account for the LTI user based on the user details returned by a NRPS 2 membership call.
This method expects a single member structure, in array format, as defined here: https://www.imsglobal.org/spec/lti-nrps/v2p0#membership-container-media-type.
This method supports migration of user accounts used in legacy launches, provided the legacy consumerkey corresponding to the legacy consumer is provided. Calling code will have verified the migration claim during initial launches and should have the consumer key mapped to the deployment, ready to pass in.
array | $member | the member data, in array format. |
string | $iss | the issuer to which the member relates. |
string | $legacyconsumerkey | optional consumer key mapped to the deployment to facilitate user migration. |
stdClass | a Moodle user record. |
|
inherited |
Return custom user profile fields.
array | list of custom fields. |
|
inherited |
Get the auth description (from core or own auth lang files)
string | The description |
|
inherited |
Returns extra user information.
array | An array of keys and values |
|
staticinherited |
Return the list of enabled identity providers.
Each identity provider data contains the keys url, name and iconurl (or icon). See the documentation of auth_plugin_base::loginpage_idp_list() for detailed description of the returned structure.
array | $authsequence | site's auth sequence (list of auth plugins ordered) |
array | List of arrays describing the identity providers |
|
inherited |
Returns information on how the specified user can change their password.
stdClass | $user | A user object |
string[] | An array of strings with keys subject and message |
Reimplemented in auth_oauth2\auth, and auth_plugin_nologin.
|
inherited |
Return the properly translated human-friendly title of this auth plugin.
auth_plugin_lti::get_user_binding (string $issuer, string $sub)
Gets the id of the linked Moodle user account for an LTI user, or null if not found.
string | $issuer | the issuer to which the user belongs. |
string | $sub | the sub string identifying the user on the issuer. |
int|null | the id of the corresponding Moodle user record, or null if not found. |
|
inherited |
Read user information from external database and returns it as array().
Function should return all information available. If you are saving this information to the Moodle user table, you should honour synchronisation flags.
string | $username | username |
mixed | array with no magic quotes or false on error |
Reimplemented in auth_oauth2\auth, auth_plugin_cas, auth_plugin_db, auth_plugin_ldap, and auth_plugin_shibboleth.
|
inherited |
Hook called before timing out of database session.
This is useful for SSO and MNET.
object | $user | |
string | $sid | session id |
int | $timecreated | start of session |
int | $timemodified | user last seen |
bool | true means do not timeout session yet |
|
inherited |
Returns whether or not the captcha element is enabled.
@abstract Implement in child classes
bool |
Reimplemented in auth_plugin_email.
|
inherited |
Returns false if this plugin is enabled but not configured.
bool |
Reimplemented in auth_plugin_db.
|
inherited |
Returns true if this authentication plugin is "internal".
Internal plugins use password hashes from Moodle user table for authentication.
bool |
Reimplemented in auth_oauth2\auth, auth_plugin_cas, auth_plugin_db, auth_plugin_email, auth_plugin_ldap, auth_plugin_manual, auth_plugin_mnet, auth_plugin_nologin, auth_plugin_none, auth_plugin_shibboleth, and auth_plugin_webservice.
|
inherited |
Indicates if moodle should automatically update internal user records with data from external sources using the information from get_userinfo() method.
bool | true means automatically copy data from ext to user table |
Reimplemented in auth_oauth2\auth, and auth_plugin_db.
|
protected |
Check whether a provisioning mode is valid or not.
int | $mode | the mode |
bool | true if valid for use, false otherwise. |
|
inherited |
Hook for overriding behaviour of login page.
This method is called from login/index.php page for all enabled auth plugins.
@global object
Reimplemented in auth_plugin_cas, auth_plugin_ldap, and auth_plugin_shibboleth.
|
inherited |
Returns a list of potential IdPs that this authentication plugin supports.
This is used to provide links on the login page and the login block.
The parameter $wantsurl is typically used by the plugin to implement a return-url feature.
The returned value is expected to be a list of associative arrays with string keys:
For legacy reasons, pre-3.3 plugins can provide the icon via the key:
string | $wantsurl | The relative url fragment the user wants to get to. |
array | List of associative arrays with keys url, name, iconurl|icon |
Reimplemented in auth_oauth2\auth, auth_plugin_cas, auth_plugin_mnet, and auth_plugin_shibboleth.
|
inherited |
Hook for overriding behaviour of logout page.
This method is called from login/logout.php page for all enabled auth plugins.
@global string
Reimplemented in auth_plugin_cas, auth_plugin_mnet, and auth_plugin_shibboleth.
|
inherited |
Returns the number of days until the user's password expires.
If the user's password does not expire, it should return 0. If the password has already expired, it should return a negative value.
mixed | $username | username (with system magic quotes) |
integer |
Reimplemented in auth_plugin_ldap, and auth_plugin_manual.
|
inherited |
Post logout hook.
This method is used after moodle logout by auth classes to execute server logout.
stdClass | $user | clone of USER object before the user session was terminated |
Reimplemented in auth_plugin_cas.
|
inherited |
Hook for overriding behaviour before going to the login page.
This method is called from require_login from potentially any page for all enabled auth plugins and gives each plugin a chance to redirect directly to an external login page, or to instantly login a user where possible.
If an auth plugin implements this hook, it must not rely on ONLY this hook in order to work, as there are many ways a user can browse directly to the standard login page. As a general rule in this case you should also implement the loginpage_hook as well.
|
inherited |
Pre user_login hook.
This method is called from authenticate_user_login() right after the user object is generated. This gives the auth plugins an option to make adjustments before the verification process starts.
object | $user | user object, later used for $USER |
|
inherited |
Pre logout hook.
This method is called from require_logout() for all enabled auth plugins.
Reimplemented in auth_plugin_mnet.
|
staticinherited |
Prepare a list of identity providers for output.
array | $identityproviders | as returned by self::get_identity_providers() |
renderer_base | $output |
array | the identity providers ready for output |
|
inherited |
Indicates if password hashes should be stored in local moodle database.
bool | true means md5 password hash stored in user table, false means flag 'not_cached' stored there instead |
Reimplemented in auth_oauth2\auth, auth_plugin_cas, auth_plugin_db, auth_plugin_email, auth_plugin_ldap, auth_plugin_manual, auth_plugin_mnet, auth_plugin_nologin, auth_plugin_none, and auth_plugin_shibboleth.
|
inherited |
Processes and stores configuration data for this authentication plugin.
object | object with submitted configuration settings (without system magic quotes) |
|
inherited |
Set extra user information.
array | $values | Any Key value pair. |
void |
|
inherited |
Return a form to capture user details for account creation.
This is used in /login/signup.php.
moodle_form | A form which edits a record from the user table. |
|
inherited |
Sync roles for this user - usually creator.
object | $user | user object (without system magic quotes) |
Reimplemented in auth_plugin_ldap.
auth_plugin_lti::update_user_account (stdClass $user, array $userdata, string $iss)
Update the personal fields of the user account, based on data present in either a launch or member sync call.
stdClass | $user | the Moodle user account to update. |
array | $userdata | the user data coming from either a launch or membership service call. |
string | $iss | the issuer to which the user belongs. |
|
protected |
Update the user's picture with the image stored at $url.
int | $userid | the id of the user to update. |
string | $url | the string URL where the new image can be found. |
moodle_exception | if there were any problems updating the picture. |
|
protectedinherited |
Update a local user record from an external source.
This is a lighter version of the one in moodlelib – won't do expensive ops such as enrolment.
string | $username | username |
array | $updatekeys | fields to update, false updates all fields. |
bool | $triggerevent | set false if user_updated event should not be triggered. This will not affect user_password_updated event triggering. |
bool | $suspenduser | Should the user be suspended? |
stdClass|bool | updated user record or false if there is no new info to update. |
|
inherited |
Post authentication hook.
This method is called from authenticate_user_login() for all enabled auth plugins.
object | $user | user object, later used for $USER |
string | $username | (with system magic quotes) |
string | $password | plain text password (with system magic quotes) |
|
inherited |
Confirm the new user as registered.
string | $username | |
string | $confirmsecret |
Reimplemented in auth_oauth2\auth, auth_plugin_email, auth_plugin_ldap, auth_plugin_manual, and auth_plugin_webservice.
|
inherited |
User delete requested - internal user record is marked as deleted already, username not present anymore.
Do any action in external database.
object | $user | Userobject before delete (without system magic quotes) |
void |
|
inherited |
Checks if user exists in external db.
string | $username | (with system magic quotes) |
bool |
Reimplemented in auth_plugin_db, and auth_plugin_ldap.
auth_plugin_lti::user_login ($username, $password)
Users can not log in via the traditional login form.
string | $username | The username |
string | $password | The password |
bool | Authentication success or failure |
Reimplemented from auth_plugin_base.
|
inherited |
Sign up a new user ready for confirmation.
Password is passed in plaintext.
object | $user | new user object |
boolean | $notify | print notice with link and terminate |
Reimplemented in auth_plugin_email, and auth_plugin_ldap.
|
inherited |
Called when the user record is updated.
Modifies the user in the external database. It takes olduser (before changes) and newuser (after changes), compares the information, and saves modified information to the external db.
mixed | $olduser | Userobject before modifications (without system magic quotes) |
mixed | $newuser | Userobject new modified userobject (without system magic quotes) |
boolean | true if updated or update ignored; false if error |
Reimplemented in auth_plugin_db, and auth_plugin_ldap.
|
inherited |
Updates the user's password.
In previous versions of Moodle, the function auth_user_update_password accepted a username as the first parameter. The revised function expects a user object.
object | $user | User table object |
string | $newpassword | Plaintext password |
bool | True on success |
Reimplemented in auth_plugin_db, auth_plugin_email, auth_plugin_ldap, auth_plugin_manual, auth_plugin_nologin, auth_plugin_none, and auth_plugin_webservice.
|
inherited |
A chance to validate form data, and last chance to do stuff before it is inserted in config_plugin.
object | object with submitted configuration settings (without system magic quotes) | |
array | $err | array of error messages |
int const auth_plugin_lti::PROVISIONING_MODE_AUTO_ONLY = 1 |
constant representing the automatic account provisioning mode.
On first launch, for a previously unbound user, this mode dictates that a new Moodle account will be created automatically for the user and bound to their platform credentials {iss, sub}.
int const auth_plugin_lti::PROVISIONING_MODE_PROMPT_EXISTING_ONLY = 3 |
constant representing the prompt for existing only provisioning mode.
On first launch, for a previously unbound user, the mode dictates that the launch user will be presented with a view allowing them to link an existing account only. This is useful for situations like deep linking, where an existing account is needed.
int const auth_plugin_lti::PROVISIONING_MODE_PROMPT_NEW_EXISTING = 2 |
constant representing the prompt for new or existing provisioning mode.
On first launch, for a previously unbound user, the mode dictates that the launch user will be presented with an options view, allowing them to select either 'link an existing account' or 'create a new account for me'.