MDL-82719

Passwordless SSO auth plugins with $CFG->passwordpolicycheckonlogin output a confusing notification to users


    • MOODLE_404_STABLE

      SSO-style auth plugins that don't have a 'password' per se can currently call authenticate_user_login() when $CFG->passwordpolicycheckonlogin is enabled. However, this gives users a confusing notification telling them their password is not good enough, when in reality they don't have a password at all (because they are using SSO).

      https://github.com/moodle/moodle/blob/c1463895d909245ee188fab39140f59b0eaeb847/lib/moodlelib.php#L3937

      This is because these plugins call the function with a null password (because there truly isn't one). A null password should skip the policy check and not output any notification, but instead the user sees "Your current password no longer passes the set password policy. Please contact your Moodle administrator for assistance".

      Some existing SSO auth plugins seem to get around this by supplying a garbage/random password, e.g.:

      However, I think it's a hacky fix to generate a garbage password; instead, auth plugins with null passwords should be supported properly.

      To reproduce:

      • Enable passwordpolicycheckonlogin
      • Have an SSO auth plugin installed which does not have passwords, i.e., can_change_password() and can_reset_password() both return false and the plugin passes a null password
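      The guard the report asks for, as an added illustrative sketch rather than Moodle's own code: a login-time policy check that treats a null password as "no local password" and raises no notification, while a real weak password still does. The class and function names (AuthPluginStub, policy_error, login_policy_notification) are hypothetical stand-ins for the moodlelib.php and auth plugin APIs, and the policy rule is a constructed placeholder.

```php
<?php
// Added sketch (not Moodle code). Names below are hypothetical stand-ins.

/** Stand-in auth plugin: SSO plugins report that they manage no password. */
final class AuthPluginStub {
    public function __construct(private bool $haspassword) {}
    public function can_change_password(): bool { return $this->haspassword; }
    public function can_reset_password(): bool { return $this->haspassword; }
}

/** Constructed placeholder policy: 8+ characters and at least one digit. */
function policy_error(string $password): ?string {
    if (strlen($password) < 8) { return 'Password must be at least 8 characters'; }
    if (!preg_match('/\d/', $password)) { return 'Password must contain a digit'; }
    return null;
}

/**
 * Returns the notification text to show at login, or null when none applies.
 * $checkonlogin stands for $CFG->passwordpolicycheckonlogin.
 */
function login_policy_notification(?string $password, AuthPluginStub $auth, bool $checkonlogin): ?string {
    if (!$checkonlogin) {
        return null; // Feature disabled: never check.
    }
    // A null password means the plugin holds no local password (SSO), so there
    // is nothing to measure against the policy; the capability flags confirm it.
    if ($password === null || (!$auth->can_change_password() && !$auth->can_reset_password())) {
        return null;
    }
    if (policy_error($password) !== null) {
        return 'Your current password no longer passes the set password policy. '
             . 'Please contact your Moodle administrator for assistance';
    }
    return null;
}

// Constructed sample runs.
$sso = new AuthPluginStub(false);
$manual = new AuthPluginStub(true);
var_dump(login_policy_notification(null, $sso, true));             // NULL: SSO user, no notice
var_dump(login_policy_notification('short', $manual, true));       // string: weak manual password
var_dump(login_policy_notification('longenough1', $manual, true)); // NULL: policy satisfied
```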

Assignee: Unassigned
Reporter: Matthew Hilton