  1. Moodle
  2. MDL-64152

LTI v1: provider under reverse proxy can result in signature verification error

    • MOODLE_34_STABLE, MOODLE_400_STABLE, MOODLE_401_STABLE
    • MOODLE_401_STABLE, MOODLE_402_STABLE
    • MDL-64152-401
    • MDL-64152-master
    • Moderate

      Prerequisites:

      1. Working ngrok (https://ngrok.com) setup. I.e. you can expose a site via:

        ngrok http --region=xx 80 
        

        where region is the region code applicable to your area.
        You'll need $CFG->wwwroot set to NGROK_URL/yoursitepath and will also need to set $CFG->sslproxy = true;

      2. Working expose (https://expose.dev) setup. I.e. you can expose a site via:

        expose share http://localhost
        

        You'll need $CFG->wwwroot set to EXPOSE_URL/yoursitepath and will also need to set $CFG->sslproxy = true; and $CFG->reverseproxy = true;

      Moodle site setup and testing:

      1. Set up 2 Moodle sites: one called 'platform', one called 'tool'
      2. Run the expose and ngrok commands explained in the prerequisites
      3. In the tool site's config.php, make the changes for expose
      4. In the platform site's config.php, make the changes for ngrok
      5. Log in to the tool site as the admin
      6. Enable enrol_lti and auth_lti plugins
      7. Create a course
      8. Create an assignment
      9. Go to "Course navigation > More > Published as LTI tools"
      10. Select the "Legacy LTI" tab
      11. Click the button to publish something
      12. Select the assignment from the select menu and leave everything else defaulted
      13. Save
      14. Copy the "Launch URL" and "Secret" to a notepad or something like that (for later use)
      15. Now, log out
      16. Log in to the platform site as the admin
      17. Create a course
      18. Click to add a new External tool activity
      19. Click "Show more" and then set the following form data:
        • Name: "Proxy test"
        • Tool URL: <paste the Launch URL>
        • Consumer Key: "testconsumer"
        • Shared secret: <paste the Secret>
        • Launch container: "New window"
      20. Save and return to course
      21. Launch the tool
      22. Verify a new window opens and you're taken to the assignment landing page
    • 6

      Original description

      I tried to jump from a Moodle 3.4.5 (say A, or LTI client) to another instance Moodle 3.4.5 (say B, or LTI provider) via LTI v1. After setting up all parameters for both instances, I couldn't go from A to B because of this:

      File: lib/ltiprovider/src/OAuth/OAuthRequest.php
      Method: from_request()
      Line: 41

      rebuilds the LTI provider via the superglobal $_SERVER, using the keys HTTPS + SERVER_NAME + SERVER_PORT + REQUEST_URI. 

      In our case, since Moodle B works under a web proxy, the URL of the Moodle itself on B is not built properly (in our case, the port was not the default 443), so the `$base_string` contains a different web port from that received from the client, resulting in different signatures (that from the client, and the $built from the LTI provider). The error shown on B is: "Debug error: Invalid signature"

      Moodle works ok under web proxy (like variables $ME, $FULLME), but not this LTI part.

      I overpassed this bug, debugging step by step, and setting the expected value on the LTI provider URL. Then, I found that our web proxy had a $_SERVER['HTTP_ORIGIN'] that contained the scheme + server + port parts properly configured, so I made a local change on that, just to verify that this was the exact problem.

      To replicate

      A simple way to test this is to expose your localhost site under a reverse proxy and, more specifically, via a service which results in $_SERVER['SERVER_NAME'] being set to localhost. In my experience I wasn't able to use ngrok for this (at least not as the reverse proxy on the tool side). Despite being a reverse proxy, it'd result in that $_SERVER var being set to the publicly requested host (the ngrok URL), not localhost. I used expose.dev to replicate this on the tool side, because that does result in $_SERVER['SERVER_NAME'] being set to localhost.

      Prerequisites:

      1. Working ngrok (https://ngrok.com) setup. I.e. you can expose a site via:

        ngrok http --region=xx 80 
        

        where region is the region code applicable to your area.
        You'll need $CFG->wwwroot set to NGROK_URL/yoursitepath and will also need to set $CFG->sslproxy = true;

      2. Working expose (https://expose.dev) setup (the free account works fine). I.e. you can expose a site via:

        expose share http://localhost
        

        You'll need $CFG->wwwroot set to EXPOSE_URL/yoursitepath and will also need to set $CFG->sslproxy = true; and $CFG->reverseproxy = true;

      Moodle site setup and testing:

      1. Set up 2 Moodle sites: one called 'platform', one called 'tool'
      2. Run the expose and ngrok commands explained in the prerequisites
      3. In the tool site's config.php, make the changes for expose
      4. In the platform site's config.php, make the changes for ngrok
      5. Log in to the tool site as the admin
      6. Enable enrol_lti and auth_lti plugins
      7. Create a course
      8. Create an assignment
      9. Go to "Course navigation > More > Published as LTI tools"
      10. Select the "Legacy LTI" tab
      11. Click the button to publish something
      12. Select the assignment from the select menu and leave everything else defaulted
      13. Save
      14. Copy the "Launch URL" and "Secret" to a notepad or something like that (for later use)
      15. Now, log out
      16. Log in to the platform site as the admin
      17. Create a course
      18. Click to add a new External tool activity
      19. Click "Show more" and then set the following form data:
        • Name: "Proxy test"
        • Tool URL: <paste the Launch URL>
        • Consumer Key: "testconsumer"
        • Shared secret: <paste the Secret>
        • Launch container: "New window"
      20. Save and return to course
      21. Launch the tool
        Expected: A new window opens and you're taken to the assignment landing page
        Actual: A new window opens and you see an error: "An error occurred when launching the external tool:Debug error: Invalid signature"
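
      The mismatch described in the report, reproduced as an added PHP example (not Moodle's or the LTI library's code): the platform signs the public launch URL, while the tool rebuilds the URL from $_SERVER keys behind the proxy and so signs a different base string. The host name, the path launch.php, the secret and the parameter values are constructed, and url_from_wwwroot() is a hypothetical helper showing one way to avoid the problem, not necessarily the fix applied in Moodle.

```php
<?php
// Added illustration, not Moodle or LTI library code. All values are constructed.
// Request URL rebuilt from $_SERVER-style keys, as the report describes.
function url_from_server(array $server): string {
    $https = !empty($server['HTTPS']) && $server['HTTPS'] !== 'off';
    $port = (int) $server['SERVER_PORT'];
    $host = $server['SERVER_NAME'] . ($port === ($https ? 443 : 80) ? '' : ':' . $port);
    return ($https ? 'https' : 'http') . '://' . $host . strtok($server['REQUEST_URI'], '?');
}

// Assumed alternative: scheme, host and port from the configured public root,
// only the path from the request.
function url_from_wwwroot(string $wwwroot, array $server): string {
    $p = parse_url($wwwroot);
    $origin = $p['scheme'] . '://' . $p['host'] . (isset($p['port']) ? ':' . $p['port'] : '');
    return $origin . strtok($server['REQUEST_URI'], '?');
}

// OAuth 1.0 HMAC-SHA1 signature over METHOD&URL&PARAMS (RFC 5849, section 3.4).
function oauth_signature(string $method, string $url, array $params, string $secret): string {
    $enc = [];
    foreach ($params as $name => $value) {
        $enc[rawurlencode($name)] = rawurlencode($value);
    }
    ksort($enc, SORT_STRING);
    $pairs = [];
    foreach ($enc as $name => $value) {
        $pairs[] = $name . '=' . $value;
    }
    $base = strtoupper($method) . '&' . rawurlencode($url) . '&' . rawurlencode(implode('&', $pairs));
    // Key: encoded consumer secret, '&', then an empty token secret.
    return base64_encode(hash_hmac('sha1', $base, rawurlencode($secret) . '&', true));
}

$secret = 'constructed-secret';
$wwwroot = 'https://tool.example.test/yoursitepath'; // public root the platform posts to
$params = ['lti_message_type' => 'basic-lti-launch-request', 'oauth_consumer_key' => 'testconsumer',
    'oauth_nonce' => 'constructed-nonce', 'oauth_signature_method' => 'HMAC-SHA1',
    'oauth_timestamp' => '1700000000', 'oauth_version' => '1.0'];
$sent = oauth_signature('POST', $wwwroot . '/launch.php', $params, $secret);

// What PHP on the tool sees behind the proxy: local name, plain HTTP, port 80.
$server = ['HTTPS' => 'off', 'SERVER_NAME' => 'localhost', 'SERVER_PORT' => '80',
    'REQUEST_URI' => '/yoursitepath/launch.php'];
$urls = ['url_from_server' => url_from_server($server), 'url_from_wwwroot' => url_from_wwwroot($wwwroot, $server)];
foreach ($urls as $how => $url) {
    $ok = hash_equals($sent, oauth_signature('POST', $url, $params, $secret));
    echo $how, ': ', $url, ' => ', $ok ? 'signature matches' : 'Invalid signature', PHP_EOL;
}
```

      Taking the origin from configuration rather than from request headers also keeps a client-supplied Host or Origin value out of the signed URL.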

            jaked Jake Dallimore
            jpahullo Jordi Pujol-Ahulló
            Jordi Pujol-Ahulló Jordi Pujol-Ahulló
            Andrew Lyons Andrew Lyons
            Kim Jared Lucas Kim Jared Lucas