Moodle tracker: MDL-73071

Unable to get a user token to access web services when using openid connect (oidc) authorization code flow


    • Type: Improvement
    • Resolution: Unresolved
    • Priority: Minor
    • None
    • 3.11.4, Future Dev
    • Web Services
    • MOODLE_311_STABLE

      I'm adding this to epic: MDL-76834 for further review


      When using Moodle manual login I am able to get a Moodle web service token for a specific user. 

      MOODLE_USERNAME=
      MOODLE_PASSWORD=
      MOODLE_WEBSERVICE=moodle_mobile_app
      curl "http://moodle.example.com/login/token.php?username=$MOODLE_USERNAME&password=$MOODLE_PASSWORD&service=$MOODLE_WEBSERVICE" 
      

      We are using auth_oidc's authorization code flow to allow for single sign-on, but also require fetching Moodle webservice tokens.

      My expectation was that I would be able to request a Moodle token by including an authorization header containing a bearer token from the identity provider in the token request.

      Something along the lines of

      BEARER_TOKEN=
      curl -H "Authorization: Bearer $BEARER_TOKEN" "http://moodle.example.com/login/token.php?username=$MOODLE_USERNAME&password=$MOODLE_PASSWORD&service=$MOODLE_WEBSERVICE"
      

      Or possibly replace the Moodle token with my user's bearer token, e.g.

      curl --data "wstoken=$BEARER_TOKEN&wsfunction=core_course_get_courses&moodlewsrestformat=json" "http://moodle.example.com/webservice/rest/server.php"
      

      However, the only way to retrieve a token is by adding `code` as a query parameter containing the authorization code. 

      AUTHCODE=
      curl "http://moodle.example.com/login/token.php?username=$MOODLE_USERNAME&password=$MOODLE_PASSWORD&service=$MOODLE_WEBSERVICE&code=$AUTHCODE"
      

      We are using Keycloak as our identity provider. The auth code is made up of 3 UUIDs concatenated by a full stop. The 2nd segment is the session id and the 3rd segment is the client id. However, we haven't been able to figure out what the 1st segment is.

      I have created an issue with the Microsoft plugins team, who believe it requires a change to /login/token.php. 

      Would appreciate your thoughts on the matter.

      Thanks for reading.
      C

            Assignee: Unassigned
            Reporter: Charles Mulder (charlesmulder)
            Votes: 4
            Watchers: 7
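The token request the reporter describes, written up as an added example script (not code from the issue, from Moodle, or from auth_oidc). It uses `curl -G --data-urlencode` so that a password or an authorization code containing `&`, `+` or `.` is percent-encoded instead of being misparsed by the server, checks the JSON that login/token.php returns for an `error` key before trusting it, and then calls the REST endpoint with the token. The Keycloak code is split into the three dot-separated segments the issue describes. The host name, the `moodle_mobile_app` service and the `run` argument are assumptions.

```shell
#!/bin/sh
# Added example, not part of MDL-73071, Moodle core or auth_oidc.
# Assumptions: MOODLE_URL points at a Moodle site with web services and the
# auth_oidc plugin enabled; the `code` query parameter is accepted by
# login/token.php as the issue describes.

# Parse the JSON login/token.php returns. Success carries "token":"...";
# failure carries "error" and "errorcode". Prints the token or fails.
extract_token() {
    json=$1
    case $json in
        *'"error"'*)
            printf 'token.php error: %s\n' \
                "$(printf '%s' "$json" | sed -n 's/.*"error":"\([^"]*\)".*/\1/p')" >&2
            return 1 ;;
    esac
    # Anchor on a preceding { or , so "privatetoken" is not matched by mistake.
    tok=$(printf '%s' "$json" | sed -n 's/.*[{,]"token":"\([^"]*\)".*/\1/p')
    [ -n "$tok" ] || { printf 'no token in response\n' >&2; return 1; }
    printf '%s\n' "$tok"
}

# Split a Keycloak authorization code of the form <segment>.<session-id>.<client-id>
# into its three segments (one per line); fails if there are not exactly three.
split_authcode() {
    code=$1
    n=$(printf '%s' "$code" | awk -F. '{print NF}')
    [ "$n" -eq 3 ] || { printf 'unexpected authorization code format\n' >&2; return 1; }
    printf '%s\n' "$code" | tr '.' '\n'
}

# Request a web service token. -G turns the --data-urlencode values into a
# properly encoded query string on the URL (token.php is a GET request).
moodle_ws_token() {
    base=$1 user=$2 pass=$3 service=$4 code=$5
    resp=$(curl -sS -G \
        --data-urlencode "username=$user" \
        --data-urlencode "password=$pass" \
        --data-urlencode "service=$service" \
        --data-urlencode "code=$code" \
        "$base/login/token.php") || return 1
    extract_token "$resp"
}

# Call one web service function with the token just obtained.
moodle_ws_call() {
    base=$1 token=$2 func=$3
    curl -sS \
        --data-urlencode "wstoken=$token" \
        --data-urlencode "wsfunction=$func" \
        --data-urlencode "moodlewsrestformat=json" \
        "$base/webservice/rest/server.php"
}

# Run end to end only when invoked as: MOODLE_USERNAME=... MOODLE_PASSWORD=... AUTHCODE=... ./script run
if [ "${1:-}" = "run" ]; then
    MOODLE_URL=${MOODLE_URL:-https://moodle.example.com}      # assumed host
    split_authcode "$AUTHCODE" >/dev/null || exit 1
    TOKEN=$(moodle_ws_token "$MOODLE_URL" "$MOODLE_USERNAME" "$MOODLE_PASSWORD" \
                            "${MOODLE_WEBSERVICE:-moodle_mobile_app}" "$AUTHCODE") || exit 1
    moodle_ws_call "$MOODLE_URL" "$TOKEN" core_course_get_courses
fi
```

Sourcing the script without the `run` argument only defines the functions, which is how `extract_token` and `split_authcode` can be exercised offline against constructed responses before pointing the script at a live site.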
