Forums | Mahara Community
webservices question
04 June 2026, 20:31
Hi Mahara community
I've received an email request that I'm posting here so that everyone in the community can benefit from the answer:
- Users should be able to login through both Moodle (LTI) and directly on Mahara through OIDC.
- Users are created within Mahara by a webservice call through an external system.
- To connect the users between Moodle and Mahara, Mahara needs an "auth" and an "external id". Which values are needed here?
  - I figured it is the Moodle userid, but that is time-consuming as they then need to get the Moodle user account BEFORE creating the Mahara account. I noticed the value "$cfg->usersuniquebyusername = true;". Would that be helpful? We use 1 username for all their systems.
- How can we setup 2 different AUTH values, as "mahara_user_create_users" only accepts 1 auth method in the call:
  - [auth]=webservice&users[0][remoteuser]=somevalue
- As there might be multiple LTI-links, the database "auth_instance" contains multiple instances of authname "webservices". It looks like users are somehow connected via "auth_remote_user"?
- How can we make sure that a user that gets created by the API gets the correct values so it can login through either OIDC AND LTI? What values do we need for both "auth" and "remoteuser"?
08 June 2026, 16:16
Hi,
When you set up an LTI authentication method in a Mahara institution, you can give it a parent authentication method. In your case that would be OIDC. There are then two scenarios:
OIDC first and LTI second
- Log in via OIDC:
  - The account is created and the 'auth_remote_user' table gets an entry for the auth method, let's call it auth ID 2 (auth ID 1 = internal).
  - The remote username is the one that is defined as the username in OIDC. Ideally, that's the same username that is also used in Moodle. If it isn't, the magic that is parent auth may not work out of the box if people log in via LTI first.
  - The internal username will be the same, but is irrelevant for the authentication pathway because we have an external auth method and thus Mahara always checks the remote username.
- Then log in via LTI (auth ID 3):
  - A second 'auth_remote_user' table entry is created that is connected to the LTI auth method.
  - LTI also checks if the email address is already in use in the system. If it is and it's in the OIDC auth method of the specific LTI auth method, the person is logged into the account that was created via OIDC. If the email address is used by an account that is not connected to the parent OIDC auth, then the person is not logged in because a new account cannot be created since the email address is already taken.
LTI first and then OIDC
- Log in via LTI:
  - The account is created and entries are made in the 'auth_remote_user' table for both OIDC and LTI auth methods (i.e. auth ID 2 and auth ID 3). So even though you first log in via the child auth method, an entry is also created in the parent auth method in the 'auth_remote_user' table.
  - Generally, the Moodle username is put into the parent auth method. The LTI auth could then have the email address or the Moodle ID as remote username if it doesn't get the Moodle username.
- Then log in via OIDC: Since an entry already exists for the person logging in, they will be logged in instead of having a new account created.
That means
- If you use web services to create an account, the Moodle username (or whatever you defined as username for OIDC) needs to be brought along to then be put into the primary auth method (OIDC auth) as remote username in 'auth_remote_user' for OIDC auth. So your web services setup should ensure that the account is created using the parent auth, which is the typical workflow in Mahara.
- Technically, no entry needs to be made for LTI auth because when the person authenticates via Moodle for the first time, the 'auth_remote_user' table is checked if the account already exists in the parent and LTI auth. If there is no entry for LTI yet, an entry is made for LTI auth.
Why would you have multiple LTI? Do you have a multitenanted setup in Mahara or do you connect multiple Moodle sites into one Mahara?
'usersuniquebyusername' was created to accommodate multiple Moodle instances going into the same Mahara institution via MNet because each MNet instance would have its own public key and thus needed a separate authentication method. From the code comment:
"When turned on, this setting means that it doesn't matter which other application the user SSOs from, the same username string from a remote SSO will be given the same account in Mahara. This setting is one that has security implications unless only turned on by people who know what they're doing. In particular, every system linked to Mahara should be making sure that same username == same person. This happens for example if two Moodles are using the same LDAP server for authentication. If this setting is on, it must NOT be possible to self register on the site for ANY institution - otherwise users could simply pick usernames of people's accounts they wished to steal."
Technically, if you have multiple Moodle sites connecting into one Mahara institution, you could use the same Mahara LTI credentials in the different Moodle sites and thus would not need to set up multiple LTI connections. If you have set up two LTI, one for the login and one to work with the Mahara assignment submission plugin, you can remove the former because the login web service is included in the latter as well and thus you only need one LTI connection.
Cheers
Kristina
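Added example, not part of the thread and not Mahara's code: a small Python model of the account lookup the reply describes, showing that an account created through web services under the parent (OIDC) auth resolves to the same account for both LTI and OIDC logins. The class, function names, usernames and email addresses are constructed for illustration, and passing the parent username separately (`parent_remoteuser`) is an assumption about what the LTI launch delivers.

```python
# Simplified model of the lookup described in the reply; NOT Mahara's code.
# Auth IDs follow the reply: 1 = internal, 2 = OIDC (parent), 3 = LTI (child).
INTERNAL, OIDC, LTI = 1, 2, 3
PARENT = {LTI: OIDC}

class Site:
    def __init__(self):
        self.accounts = {}  # account id -> email address
        self.remote = {}    # (auth id, remote username) -> account id

    def _create(self, email):
        if email in self.accounts.values():
            raise PermissionError("email address already taken")
        uid = len(self.accounts) + 1
        self.accounts[uid] = email
        return uid

    def ws_create(self, auth, remoteuser, email):
        """Account created up front by the external system."""
        uid = self._create(email)
        self.remote[(auth, remoteuser)] = uid
        return uid

    def login(self, auth, remoteuser, email, parent_remoteuser=None):
        """Return the account id this login resolves to."""
        parent = PARENT.get(auth)
        parent_remoteuser = parent_remoteuser or remoteuser
        uid = self.remote.get((auth, remoteuser))
        if uid is None and parent is not None:
            uid = self.remote.get((parent, parent_remoteuser))
            if uid is None:
                # An email match only counts for accounts in the parent auth.
                in_parent = {u for (a, _), u in self.remote.items() if a == parent}
                uid = next((u for u, e in self.accounts.items()
                            if e == email and u in in_parent), None)
        if uid is None:
            uid = self._create(email)  # refused if the email is already in use
            if parent is not None:     # child-first login also fills the parent
                self.remote[(parent, parent_remoteuser)] = uid
        self.remote[(auth, remoteuser)] = uid
        return uid

def scenario_ws_then_lti_then_oidc():
    site = Site()
    created = site.ws_create(OIDC, "jdoe", "jdoe@example.org")  # constructed values
    via_lti = site.login(LTI, "moodle-id-42", "jdoe@example.org", "jdoe")
    via_oidc = site.login(OIDC, "jdoe", "jdoe@example.org")
    return created, via_lti, via_oidc, sorted(site.remote)
```

In this model, an account created under an auth method that is not the LTI parent (for example internal) makes the later LTI login fail with the "email address already taken" refusal instead of linking to that account.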