Drupal 8 and Moodle 3.5 - Logout not working

[kirthanaraja]

Login from Drupal to Moodle is working fine but logout from Drupal is not logging out Moodle session and vice-versa. If i logout moodle session, it sends logout request to Drupal but throws 403 error. Any ideas on fixing this issue?

Bug: In Logout url, an additional backslash has been added on line 238.

[goose2000]

I have this problem: try to logout of Moodle, doesn't work, and Drupal session is still going. Using D8 & M3.5 too. Checking out line 238.

[JackG102]

I realize this is like a 5 year old issue, but has this been resolved? I have been searching a number of threads with some of the fixes and could not get the Moodle Logout -> Drupal Logout to work. I have Drupal Logout -> Moodle Logout working though.

What and where is this line 238 referring to a '/'? In auth.php?

I am currently using Drupal 9 and Moodle 3.11. I am using the 3.x dev version of the moodle drupal services plugin.

Equivocation -- I am Drupal developer that is learning Moodle as I go.

[goose2000]

Hi, been a minute but yes, I think that's where my attention was auth.php - logoutpage_hook()

My other idea was to look at the older code with (D7) and M 3.x - always worked fine. Just letting you know I'm still here. Thanks for looking.

[JackG102]

Thanks for the comment and clarification :) -- I will be continuing to poke around and testing. I'll post what I find here when I get it resolved for my situation.

[JackG102]

After some digging and a number of var_dump statements, $ret variable is returning null on line 243 line in the screenshot above. I jerry-rigged the code as well to return TRUE just to see what would happen and it did not log me out of Drupal. But then, I got thinking about this Logout method that was defined in the REST-API.php file

I found out that in 2016, Drupal 8+ added a new CSRF token that was specific to logging out of Drupal. In effect, there is 2 CSRF tokens now for Drupal. It looks like you have to use this CSRF logout token to log out of Drupal if it's coming from a curl/external request (in our instance coming from Moodle).

The updates to the Moodle SSO module for D8 do not seem to account for this, and there is even a comment in the Moodle module code as a "TODO" on this very point. See the REST-API.php, line 241 of 3.x dev branch.

I am going to continue to see if anyone on the issues board on github for this module actually got this working without this (I've been wrong before), but it seems like this might actually be 'feature request'. I do not want to jump the gun, but there might be needed a new method to grab this token and define it on the RemoteAPI Object.

Various related links on this logout CSRF token: https://drupal.stackexchange.com/questions/259052/rest-logout-without-logout-token, https://stackoverflow.com/questions/56702693/log-out-from-drupal-8-with-rest, and https://drupal.stackexchange.com/questions/269114/is-there-a-rest-endpoint-for-getting-the-logout-token .

Seems like this logout token is generated only once on the initial request and cannot be retrieved again. I am in a bit of uncharted water. There is a PR for Drupal Core to expose the logout token (https://www.drupal.org/project/drupal/issues/3004421), so that it can be requested on demand, but currently it's not default behavior for Drupal.

Just some thoughts and threads that I am pulling.

**Edit: **

In REST-API.php, there is some extra verbiage also about a logout token, but not knowing what it does. I am going to fiddle now and will report back who knows when, but I'll see if I can make a breakthrough on it.

[JackG102]

Ok, so I worked more on this and found a non-intensive, code solution that our project is going to go with that logs out a user in Moodle and then Drupal. Ultimately, it is a work around, but I think a good one (at least for us).

• In Moodle's config.php, specify the logout url as the Drupal logout page: $CFG->logouturl = 'your_drupal_url/user/logout';
• This means that when a person signs out of Moodle, they are redirected to the Drupal logout page. On the Drupal logout page, the user is automatically logged out of Drupal and then redirected to the Drupal homepage (which is what our current project's business requirements ask for).
• I realize this workaround isn't applicable to all projects, but it does work for us.

At a very high level, from what I can tell for this to be fixed in the module, one has to:

• Store the logout key in a cookie? Because it can never be accessed again once generated upon login. Then, in the logout method of the REST-API.php, get the value and add it to the RemoteAPI object that needs it.
• Or, go with creating an endpoint in Drupal that spits out the logout key that can be fetched and added to the curl request in the logout method and add it to the RemoteAPI object.
• Or another approach that I have not thought of.