← Back to team overview

mahara-contributors team mailing list archive

  1. mahara-contributors team
  2. Mailing list archive
  3. Message #63190

[Bug 1943772] [NEW] Potential LTI duplicating accounts with parent auth

  Thread PreviousDate PreviousThread Next 
Public bug reported:

There is a problem in module_lti_launch.php when using SAML as parent
auth

If a person does not exist they are created via create_user() function
and this function will check if the auth method they are created with
needs a remote username and if so adds a row to the "auth_remote_user"
table too.

Then module_lti_launch.php creates a row in "auth_remote_user" table for
the parent auth (SAML) if the auth method has a parent auth.

So we end up with 2 rows

But the problem is when we have a parent auth (SAML) as the parent we pass in the parent authinstance id to be the one saved in "usr" table.
So we end up with both the rows being connected to the parent auth because we pass in the parent authinstance id when creating the person.

When we then login again via LTI it finds the person by email and
updates the "auth_remote_user" table but this time adds the row
correctly with the LTI authinstance id.

So we end up with 3 rows - but we should only have two.


what we should do is if the LTI auth instance has a parent auth and that parent auth allows adding to remote table add that one first, via create_user(), then add the one for LTI

** Affects: mahara
     Importance: High
     Assignee: Robert Lyon (robertl-9)
         Status: In Progress

** Description changed:

  There is a problem in module_lti_launch.php when using SAML as parent
  auth
  
  If a person does not exist they are created via create_user() function
  and this function will check if the auth method they are created with
  needs a remote username and if so adds a row to the "auth_remote_user"
  table too.
  
  Then module_lti_launch.php creates a row in "auth_remote_user" table for
  the parent auth (SAML) if the auth method has a parent auth.
  
  So we end up with 2 rows
  
- But the problem is when we have a parent auth (SAML) as the parent we pass in the parent authinstance id to be the one saved in "usr" table. 
+ But the problem is when we have a parent auth (SAML) as the parent we pass in the parent authinstance id to be the one saved in "usr" table.
  So we end up with both the rows being connected to the parent auth because we pass in the parent authinstance id when creating the person.
  
  When we then login again via LTI it finds the person by email and
  updates the "auth_remote_user" table but this time adds the row
  correctly with the LTI authinstance id.
  
  So we end up with 3 rows - but we should only have two.
+ 
+ 
+ what we should do is if the LTI auth instance has a parent auth and that parent auth allows adding to remote table add that one first, via create_user(), then add the one for LTI

** Changed in: mahara
    Milestone: None => 21.10.0

** Changed in: mahara
     Assignee: (unassigned) => Robert Lyon (robertl-9)

** Changed in: mahara
   Importance: Undecided => High

** Changed in: mahara
       Status: New => In Progress

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: mahara-contributors
https://bugs.launchpad.net/bugs/1943772

Title:
  Potential LTI duplicating accounts with parent auth

Status in Mahara:
  In Progress

Bug description:
  There is a problem in module_lti_launch.php when using SAML as parent
  auth

  If a person does not exist they are created via create_user() function
  and this function will check if the auth method they are created with
  needs a remote username and if so adds a row to the "auth_remote_user"
  table too.

  Then module_lti_launch.php creates a row in "auth_remote_user" table
  for the parent auth (SAML) if the auth method has a parent auth.

  So we end up with 2 rows

  But the problem is when we have a parent auth (SAML) as the parent we pass in the parent authinstance id to be the one saved in "usr" table.
  So we end up with both the rows being connected to the parent auth because we pass in the parent authinstance id when creating the person.

  When we then login again via LTI it finds the person by email and
  updates the "auth_remote_user" table but this time adds the row
  correctly with the LTI authinstance id.

  So we end up with 3 rows - but we should only have two.

  
  what we should do is if the LTI auth instance has a parent auth and that parent auth allows adding to remote table add that one first, via create_user(), then add the one for LTI

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1943772/+subscriptions

Follow ups

  Thread PreviousDate PreviousThread Next