Hi,

I’m validating an integration architecture between CAS, Moodle, and an 
external application.

Current setup:
- IdP: CAS
- SP: Moodle (CAS-only authentication)
- Client: External web app (not Moodle Mobile)
- Backend: We can run our own BFF/server, but we cannot modify Moodle 
core/plugins or do deep Moodle server changes.

Goal:
After a student signs in via CAS SSO, our external app should call Moodle 
Web Services as that same student (e.g., assignment/file operations), 
ideally using a per-user Moodle WS token.

Constraint:
Because authentication is SSO-based, our app does not collect the student 
password, so standard Moodle token flows based on username/password are not 
usable.

Questions:
1) CAS proxying:
   Does CAS Proxy Protocol (PGT/PT) help in this scenario? Can CAS issue 
something that Moodle can exchange for a user WS token without Moodle 
custom development?
Or does CAS impersonation work?

2) Responsibility boundary:
   Is this correct?
   - CAS can assert identity/authentication.
   - Moodle alone controls WS token issuance/acceptance.
   - Therefore CAS cannot directly mint or force Moodle WS user tokens 
unless Moodle explicitly supports that bridge.

3) Recommended pattern:
   With these constraints, is there a supported pattern (CAS/OIDC/OAuth 
bridge) to achieve per-user Moodle API access from an external app, or is 
Moodle-side implementation required?

My current assumption is that this requires Moodle-side support (or a 
different integration approach), and I want to confirm, as my team keeps 
pushing that this is a CAS-only problem and I'm so lost.

Thanks.

-- 
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To view this discussion visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/39eb931a-c508-4d85-a207-d152069d62a1n%40apereo.org.
