Bug
Resolution: Fixed
Major
3.4.5, 4.0.6, 4.1.1
6
Original description
I tried to jump from a Moodle 3.4.5 (say A, or LTI client) to another Moodle 3.4.5 instance (say B, or LTI provider) via LTI v1. After setting up all parameters for both instances, I couldn't go from A to B because of this:
File: lib/ltiprovider/src/OAuth/OAuthRequest.php
Method: from_request()
Line: 41
rebuilds the LTI provider via the superglobal $_SERVER, using the keys HTTPS + SERVER_NAME + SERVER_PORT + REQUEST_URI.
In our case, since Moodle B works under a web proxy, the URL of the Moodle itself on B is not built properly (in our case, the port was not the default 443), so the `$base_string` contains a different web port from that received from the client, resulting in different signatures (that from the client, and the $built from the LTI provider). The error shown on B is: "Debug error: Invalid signature"
Moodle works ok under web proxy (like variables $ME, $FULLME), but not this LTI part.
I bypassed this bug, debugging step by step, and setting the expected value on the LTI provider URL. Then, I found that our web proxy had a $_SERVER['HTTP_ORIGIN'] that contained the scheme + server + port parts properly configured, so I made a local change on that, just to verify that this was the exact problem.
To replicate
A simple way to test this is to expose your localhost site under a reverse proxy and, more specifically, via a service which results in $_SERVER['SERVER_NAME'] being set to localhost. In my experience I wasn't able to use ngrok for this (at least not as the reverse proxy on the tool side). Despite being a reverse proxy, it'd result in that $_SERVER var being set to the publicly requested host (the ngrok URL), not localhost. I used expose.dev to replicate this on the tool side, because that does result in $_SERVER['SERVER_NAME'] being set to localhost.
Prerequisites:
- Working ngrok (https://ngrok.com) setup. I.e. you can expose a site via:
ngrok http --region=xx 80
where region is the region code applicable to your area.
You'll need $CFG->wwwroot set to NGROK_URL/yoursitepath and will also need to set $CFG->sslproxy = true;
- Working expose (https://expose.dev) setup (the free account works fine). I.e. you can expose a site via:
expose share http://localhost
You'll need $CFG->wwwroot set to EXPOSE_URL/yoursitepath and will also need to set $CFG->sslproxy = true; and $CFG->reverseproxy = true;
Moodle site setup and testing:
- Set up 2 Moodle sites: one called 'platform', one called 'tool'
- Run the expose and ngrok commands explained in the prerequisites
- In the tool site's config.php, make the changes for expose
- In the platform site's config.php, make the changes for ngrok
- Log in to the tool site as the admin
- Enable enrol_lti and auth_lti plugins
- Create a course
- Create an assignment
- Go to "Course navigation > More > Published as LTI tools"
- Select the "Legacy LTI" tab
- Click the button to publish something
- Select the assignment from the select menu and leave everything else defaulted
- Save
- Copy the "Launch URL" and "Secret" to a notepad or something like that (for later use)
- Now, log out
- Log in to the platform site as the admin
- Create a course
- Click to add a new External tool activity
- Click "Show more" and then set the following form data:
  - Name: "Proxy test"
  - Tool URL: <paste the Launch URL>
  - Consumer Key: "testconsumer"
  - Shared secret: <paste the Secret>
  - Launch container: "New window"
- Save and return to course
- Launch the tool
Expected: A new window opens and you're taken to the assignment landing page
Actual: A new window opens and you see an error: "An error occurred when launching the external tool:Debug error: Invalid signature"
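
The mismatch described in this report, reproduced as an added example (not part of the original issue and not Moodle's code): an OAuth 1.0 HMAC-SHA1 signature is computed over the public launch URL on the platform side, then checked on the tool side against a URL rebuilt from HTTPS + SERVER_NAME + SERVER_PORT + REQUEST_URI and against the configured public URL. The origin, path, secret, nonce and backend port are constructed values, and the helper names are hypothetical.

```php
<?php
// Added example with constructed values; not Moodle's code.

// OAuth 1.0 signature base string (RFC 5849 section 3.4.1): METHOD&URL&PARAMS.
// ksort() on raw names is enough here because the sample names are plain ASCII
// and unique.
function base_string(string $method, string $url, array $params): string {
    unset($params['oauth_signature']);
    ksort($params);
    $pairs = [];
    foreach ($params as $name => $value) {
        $pairs[] = rawurlencode($name) . '=' . rawurlencode($value);
    }
    return strtoupper($method) . '&' . rawurlencode($url) . '&' . rawurlencode(implode('&', $pairs));
}

// HMAC-SHA1 with key "secret&" (an LTI 1.x launch has no token secret).
function sign(string $method, string $url, array $params, string $secret): string {
    $raw = hash_hmac('sha1', base_string($method, $url, $params), rawurlencode($secret) . '&', true);
    return base64_encode($raw);
}

// Rebuild the request URL from HTTPS + SERVER_NAME + SERVER_PORT + REQUEST_URI.
function url_from_server(array $server): string {
    $https = !empty($server['HTTPS']) && $server['HTTPS'] !== 'off';
    $port = (int) $server['SERVER_PORT'];
    $host = $server['SERVER_NAME'] . ($port === ($https ? 443 : 80) ? '' : ':' . $port);
    return ($https ? 'https' : 'http') . '://' . $host . strtok($server['REQUEST_URI'], '?');
}

$secret = 'constructed-secret';
$public = 'https://tool.example.test';   // hypothetical public origin (proxy side)
$path   = '/lti/launch.php';             // hypothetical launch path
$params = [
    'lti_message_type' => 'basic-lti-launch-request',
    'oauth_consumer_key' => 'testconsumer',
    'oauth_nonce' => 'constructed-nonce',
    'oauth_signature_method' => 'HMAC-SHA1',
    'oauth_timestamp' => '1700000000',
    'oauth_version' => '1.0',
];
// What PHP sees behind the proxy (constructed): plain HTTP on localhost:8080.
$server = ['SERVER_NAME' => 'localhost', 'SERVER_PORT' => '8080', 'REQUEST_URI' => $path];

$sent = sign('POST', $public . $path, $params, $secret);   // platform side
foreach (['$_SERVER' => url_from_server($server), 'public URL' => $public . $path] as $label => $url) {
    $ok = hash_equals($sent, sign('POST', $url, $params, $secret));
    printf("%-10s %-40s %s\n", $label, $url, $ok ? 'signature valid' : 'Invalid signature');
}
```

Taking the verification URL from trusted configuration (the role $CFG->wwwroot plays in the steps above) rather than from a client-supplied header such as Origin keeps the signed URL outside the requester's control.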
has a non-specific relationship to: MDL-75069 User Agent is not set for every HTTP request (Closed)