SSO using Moodle Teams Tab Integration does not work #2688

Open
snowping opened this issue Nov 13, 2024 · 3 comments · May be fixed by #2707

Comments

@snowping

snowping commented Nov 13, 2024

I tried to get SSO for the Moodle Teams Tab Integration to work but without success. Unfortunately after many hours of debugging I decided to raise an issue here.

My setup

  • Moodle version 4.1.14 (Build: 20241007)
  • Plugin local_o365 4.1.9
  • Plugin auth_oidc 4.1.9

Situation

After a user clicks on the Moodle Tab in Teams instead of seamless login a prompt shows with the following buttons:

  • "Bei Microsoft 365 anmelden"
  • "Login manually"

The button "Bei Microsoft 365 anmelden" opens a pop-up using sso_start.php, which gets stuck with the following errors in the browser console:

  • lib/1.0.17/js/adal.min.js' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
  • Uncaught ReferenceError: AuthenticationContext is not defined

The button "Login manually" shows me the normal Moodle login page where I can click on the Microsoft Login button, which authenticates me successfully to Moodle. In other words, the standard SSO login works without issues. After I establish a session using "Login manually", the tab also redirects me successfully, probably due to existing cookies.

Analysis

I analyzed why the seamless login using Moodle Tab Integration does not work. In the browser debug console I get a 401 HTTP response on sso_login.php. I then narrowed down the issue using some debug statements in sso_login.php and lib.php.

It seems that the Moodle Tab sends an HTTP header 'authorization' in JWT format (without the Bearer prefix), but the code in lib.php expects the header 'Authorization' to start with 'Bearer ': $authtoken = substr($headers['Authorization'], 7);

When I decode the JWT token sent to sso_login.php it looks good to me.

Question

  • Why does the o365 Moodle plugin expect a 'Bearer ' token?
@snowping
Author

snowping commented Nov 13, 2024

Since I got it to work now with small changes in lib.php, I want to update here what the problem is. The issue in our case was that the HTTP header sent to Moodle is in lowercase ('authorization') instead of 'Authorization'. Therefore the following code in lib.php did not set the variable $authtoken:

if (function_exists('apache_request_headers')) {
    $headers = apache_request_headers();
    // Case-sensitive array lookup: a header delivered as 'authorization' is missed here.
    if (isset($headers['Authorization'])) {
        // Strips the 7-character 'Bearer ' prefix.
        $authtoken = substr($headers['Authorization'], 7);
    }
}

Once we changed it to $headers['authorization'], the SSO login using the MS Teams Tab worked.

According to RFC 7230, "Each header field consists of a case-insensitive field name followed by a colon (":"), optional leading whitespace, the field value, and optional trailing whitespace." HTTP headers should be treated as case-insensitive.

The PHP function apache_request_headers() is case sensitive. Imho, we should patch lib.php so that the variable $authtoken is set regardless of the case of the header name.

Regarding the token format: although I can see that the JWT token is sent without the 'Bearer ' prefix, it works nevertheless, so I was not required to remove the substr function.

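One way to make the header lookup described in the comment above case-insensitive, as an added example that is not the plugin's own code nor the fix in the linked PR; it assumes headers arrive as an associative array (as apache_request_headers() returns) and uses constructed sample headers rather than a captured Teams request:

```php
<?php
// Added example, not local_o365 code: look up the Authorization header
// regardless of the case of its name, and strip an optional "Bearer " prefix.
// Only extracts the raw token; signature/audience validation of the JWT
// must still happen elsewhere before the token is trusted.

function get_auth_token(array $headers): ?string {
    // Normalise all keys to lowercase so 'authorization', 'Authorization'
    // and 'AUTHORIZATION' are all found (RFC 7230: field names are case-insensitive).
    $normalised = array_change_key_case($headers, CASE_LOWER);
    if (!isset($normalised['authorization'])) {
        return null;
    }
    $value = trim((string) $normalised['authorization']);
    // Scheme names are case-insensitive too (RFC 6750), so match "Bearer "
    // without regard to case instead of blindly cutting 7 characters.
    if (stripos($value, 'bearer ') === 0) {
        $value = trim(substr($value, 7));
    }
    return $value !== '' ? $value : null;
}

// Constructed sample headers (not real tokens or captured traffic).
$samples = [
    ['authorization' => 'eyJhbGciOiJSUzI1NiJ9.payload.sig'],          // lowercase name, no prefix
    ['Authorization' => 'Bearer eyJhbGciOiJSUzI1NiJ9.payload.sig'],   // canonical form
    ['AUTHORIZATION' => 'bearer eyJhbGciOiJSUzI1NiJ9.payload.sig'],   // odd casing of both
    ['Content-Type'  => 'text/html'],                                 // no auth header at all
];
foreach ($samples as $h) {
    var_dump(get_auth_token($h));
}
```

When apache_request_headers() is unavailable (non-Apache SAPIs), the same function can be fed $_SERVER-derived headers; the normalisation logic does not change.
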
@snowping
Author

I've created a PR with a fix to this problem: #2707

@weilai-irl weilai-irl self-assigned this Nov 29, 2024
@weilai-irl weilai-irl added this to the 2025-01 milestone Nov 29, 2024
@snowping
Author

snowping commented Dec 9, 2024

@weilai-irl thanks for looking into this.

Is there a way to get rid of the "initial login required" issue? When a user tries to log in for the first time, both login buttons are shown: "Login with Microsoft 365" and "Login manually".

Unfortunately, neither of them works. The first is not working due to some CORS issues, it seems, and the second one is forbidden within an iframe by Microsoft.

The only way users can log in the first time is by leaving Microsoft Teams and logging in directly using the "SSO Button". This, however, is very bad for the user experience. The enclosed PR only fixes the issue after the first login has been made (also without a valid session to Moodle).
