Totara Learn Open Discussions

POST authentication when using webservices - TL-42916

 
Natalia Kurikova
POST authentication when using webservices - TL-42916
de Natalia Kurikova - Monday, 25 de August de 2025, 15:16
Grupo Helpful contributor 2024Grupo Learn Site AdministratorGrupo Most helpful contributor 2023

Hello 👋🏻

I was wondering if you could provide more information of what this change actually entails:
TL-42916 Enforced POST for authentication parameters when using REST webservice protocol

Previously, we had this set up as a GET request (and it used to work):

https://WWWROOT/webservice/rest/server.php?wsfunction=core_webservice_get_site_info&moodlewsrestformat=json&wstoken=EXAMPLETOKEN

From my testing, this is now returning "Invalid token - token not found" response.

I was able to get it working by switching to a POST request and including the token into the body:

```
POST /webservice/rest/server.php?wsfunction=core_enrol_get_enrolled_users&moodlewsrestformat=json&courseid=17 HTTP/1.1

Host: WWWROOT

Content-Length: 162

Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBOUNDARYSTRING

------WebKitFormBoundaryBOUNDARYSTRING

Content-Disposition: form-data; name="wstoken"

EXAMPLE TOKEN

------WebKitFormBoundaryBOUNDARYSTRING

```

Could someone clarify if this enforcement means that tokens must now always be passed via POST with the token in the body (not in the header), or if there’s another recommended approach?

 
Enlace permanente | Responder
Craig Eves
Re: POST authentication when using webservices - TL-42916
de Craig Eves (Totara Support) - Monday, 25 de August de 2025, 20:38
 

Hi Natalia

POST is required for passing tokens if using the XML-RPC or SOAP web service protocols for security reasons - there may be possible workarounds but these would probably be insecure so not recommended

The changelog is below

Enforced POST for authentication parameters when using REST webservice protocol

Also a new security check has been introduced to alert site administrators when XML-RPC or SOAP web service protocols are enabled, as these are considered insecure.

If legacy web services are still required, the REST protocol is the recommended option. However, please note that web services are no longer actively maintained and will eventually be deprecated and removed. For new integrations, it is strongly recommended to use the external API.

Regards

 
Enlace permanente | Mostrar mensaje anterior | Responder
Natalia Kurikova
Re: POST authentication when using webservices - TL-42916
de Natalia Kurikova - Tuesday, 26 de August de 2025, 18:09
Grupo Helpful contributor 2024Grupo Learn Site AdministratorGrupo Most helpful contributor 2023

Hi Craig

Thanks for your prompt reply.

I totally understand the security reasoning behind the change, but it’s caused quite a bit of disruption on our side. It immediately broke one of our integrations and we’ll now need to scramble (and pay) for urgent dev work to get things working again.

Is there any chance of a temporary option (e.g. a setting to toggle enforcing POST for authentication parameters) so we can buy some time to properly migrate?

It would also really help if breaking changes like this were clearly communicated (perhaps directly from Totara or via Totara partners), with a migration pathway provided, so we’re not left scrambling when they go live.

 
Enlace permanente | Mostrar mensaje anterior | Responder
Craig Eves
Re: POST authentication when using webservices - TL-42916
de Craig Eves (Totara Support) - Tuesday, 26 de August de 2025, 19:20
 

Hi Natalia

Sorry that this breaking change was unexpectedly applied, in theory this shouldn't have happened .

What version do you have of Totara?

I am asking a developer on a possible way to buy more time - from the development ticket it looks like there may be a configuration option to revert this

regards


 
Enlace permanente | Mostrar mensaje anterior | Responder
Craig Eves
Re: POST authentication when using webservices - TL-42916
de Craig Eves (Totara Support) - Tuesday, 26 de August de 2025, 19:53
 

Hi Natalia

If a site needs the previous behaviour, set $CFG->revert_TL_42916_until_t20 = 1; in config.php to temporarily revert this fix.

This is being added to the changelog for the ticket

Regards

 
Enlace permanente | Mostrar mensaje anterior | Responder
Natalia Kurikova
Re: POST authentication when using webservices - TL-42916
de Natalia Kurikova - Tuesday, 26 de August de 2025, 21:15
Grupo Helpful contributor 2024Grupo Learn Site AdministratorGrupo Most helpful contributor 2023

Hi Craig

Thanks for getting back so quickly.

We’re on Totara 19.0.7 from last week, and that’s when we started seeing the issue. Good to know there’s a config option to temporarily revert the change - that should help us buy some time.

I really appreciate you checking with the developers on this and finding this option for us. Thanks for your help.

Regards

Natalia

 
Enlace permanente | Mostrar mensaje anterior | Responder
Jason R
Re: POST authentication when using webservices - TL-42916
de Jason R - Thursday, 26 de February de 2026, 19:04
 

Hi Craig,

If we are using SOAP web service, do we still continue to use https://WWWROOT/webservice/soap/server.php?wstoken=EXAMPLETOKEN

When you say "it is strongly recommended to use the external API" - which APIs are these? Please can you point me to them.

Thank you

 
Enlace permanente | Mostrar mensaje anterior | Responder