Moodle tracker issue MDL-66920

LTI 1.3: Allow tool to use JWKS URI rather than Public Key


    Details

    • Testing Instructions:

      Prerequisite

      Note: This test uses ZTest, but any other LTI 1.3 test tool that supports Deep Linking and API calls, and that can be registered with both a public key and a key set URL, can be used.

      1. The site is configured with at least one course and one instructor.
      2. Because an LTI 1.3 launch requires the tool to fetch the platform's public key set, the Moodle instance must be reachable from the internet. Consider using ngrok (https://ngrok.com) and update config.php with the resulting public URL:

        ./ngrok http 80
        

      Installing ZTest with a public RSA key (existing functionality)

      We first install ZTest using a fixed public key, as was done in prior versions of Moodle.
      1. Install the ZTest 1.3 tool as a site-level external tool:
        1. Log in as an administrator
        2. Navigate to Site Administration > Plugins > External tool > Manage tools
        3. Click on "configure a tool manually"
        4. Fill in the form as follows:
          1. Tool name: ZTest 1.3
          2. Tool URL: https://ztest.cengage.info/ztest/lti
          3. LTI version: LTI 1.3
          4. Public key type: RSA key
          5. Public key: copy the value from the LTI 1.3 Connect info tab at https://ztest.cengage.info/ztest/
          6. Initiate login URI: https://ztest.cengage.info/ztest/ws/lti/startlaunch?lti13=true&client_id=CLIENT_ID_HERE&platform=moodle
          7. Redirect URI: https://ztest.cengage.info/ztest/lti13
        5. Click on "Show more"
        6. Check "Content-Item message"
        7. Change the privacy setting "Accept grades from the tool" to "Delegate to teacher"
        8. Under Services, for IMS LTI Assignment and Grade Services, choose "Use this service for grade and column management"
        9. Save changes
        10. Once the tool is created, click the information icon (pie icon) and copy the client ID
        11. Edit the tool again and replace CLIENT_ID_HERE in the initiate login URI with that client ID (the ID is only assigned once the tool has been registered)

      Verifying Deep Linking and API calls are working

      Now that ZTest is installed with a public RSA key, we verify the operations that use that key: those where Moodle receives data from the tool (the deep linking return and the access token request) and must verify the tool's signature with the public key the tool provided. Later, we will change the tool to a key set URL and verify that those operations still work.
      1. As the instructor, log in to a course
      2. Turn editing on
      3. Click "Add an activity or resource" and select External tool
      4. On the "Add external tool" page, select the ZTest 1.3 tool as the preconfigured tool
      5. Click on Select content
      6. In the modal:
        1. Click the content-item button
      7. Click on Select content
      8. In the modal:
        1. Click on the pie icon and select content-item
        2. Select Assignment and set points possible to 50
        3. Click the Submit button
      9. Verify Deep Linking worked:
        1. No error is displayed on return
        2. The title for the link has been updated
        3. The Grade section is visible
        4. Expand the Grade section
        5. Maximum score is 50
        6. Save and display
        7. ZTest launches
      10. Verify the API can be called:
        1. In the pie menu select AnyCall
        2. In that tab select "get line items"; this populates the fields necessary to call that API
        3. Press Send
        4. Verify the response is 200; this means the tool successfully acquired an access token, i.e. Moodle accepted the token request the tool signed with its private key

      Switch to key set URL

      We now switch the tool from a fixed key to its public key set URL and verify that the operations relying on the tool's public key are still functional.

      1. Log in as an administrator
      2. Navigate to Site Administration > Plugins > External tool > Manage tools
      3. Edit ZTest:
        1. Public key type: Keyset URL
        2. Public keyset: https://ztest.cengage.info/ztest/lti/jwks.json
        3. Save
      4. Repeat the "Verifying Deep Linking and API calls" test and verify it still passes.
    • Affected Branches:
      MOODLE_37_STABLE
    • Fixed Branches:
      MOODLE_39_STABLE
    • Pull from Repository:
    • Pull Master Branch:

      Description

      Moodle must know the tool's public key in order to verify tool-originating requests (access token requests and the deep linking return).

      The current registration form lets an admin copy and paste the tool's public key in PEM format. This is cumbersome to exchange and, more importantly, makes it difficult for the tool to rotate its keys, since every platform holding the old key would have to be updated by hand.

      Instead, it is increasingly common for a tool to expose a JSON Web Key Set (JWKS) URL that publishes its current public keys. This is identical to how Moodle exposes its own public key to tools.

      AC:

      • As an admin, I want the option to enter a tool's JWKS URL in place of an actual public key

      Note:
      Moodle will rely on the kid header in the JWT to identify which key in the keyset to use.
      Moodle will cache the keyset and only reload it from the URL on a cache miss (kid not found in the cached keyset).
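
      The following is an added, stand-alone Python example illustrating the verification path this issue describes; it is not Moodle code (Moodle's LTI implementation is PHP) and is not part of the original issue. It plays both roles: the tool publishes a JWKS document and signs JWTs with a kid header, and the platform side keeps a keyset cache that is reloaded only when a kid is not found, then verifies the signature with the selected key. The RS256 primitives (RSA key generation, PKCS#1 v1.5 signing and verification) are written out in pure Python so the example runs offline with no dependencies. The 1024-bit demo keys, the client id, the audience URL https://platform.example/token, the kid names and the in-memory fetch function that stands in for an HTTPS GET of the jwks.json URL are all constructed for the example; a real platform would use a vetted crypto library and 2048-bit or larger keys.

```python
import base64, hashlib, hmac, json, secrets
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 s9.2, SHA-256

def _is_probable_prime(n, rounds=32):  # Miller-Rabin; demo-grade key generation only
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x not in (1, n - 1):
            for _ in range(r - 1):
                x = pow(x, 2, n)
                if x == n - 1:
                    break
            else:
                return False
    return True

def generate_rsa_key(bits=1024):  # private key {n, e, d}; 1024 bits keeps the demo fast, real tools use >= 2048
    e, half = 65537, bits // 2
    while True:
        p = q = 4  # a small composite, so each loop below draws at least one candidate
        while not _is_probable_prime(p):
            p = secrets.randbits(half) | (1 << (half - 1)) | 1
        while q == p or not _is_probable_prime(q):
            q = secrets.randbits(half) | (1 << (half - 1)) | 1
        if (phi := (p - 1) * (q - 1)) % e:
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}

def _emsa(msg, k):  # EMSA-PKCS1-v1_5 encoding of the SHA-256 digest of msg into k bytes
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(key, msg):
    k = (key["n"].bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa(msg, k), "big"), key["d"], key["n"]).to_bytes(k, "big")

def rs256_verify(pub, msg, sig):
    k, s = (pub["n"].bit_length() + 7) // 8, int.from_bytes(sig, "big")
    if len(sig) != k or s >= pub["n"]:
        return False
    return hmac.compare_digest(pow(s, pub["e"], pub["n"]).to_bytes(k, "big"), _emsa(msg, k))

def b64u(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def b64u_dec(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def to_jwk(key, kid):  # public half of a key, as the entry a tool publishes in its jwks.json
    n, e = key["n"], key["e"]
    return {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
            "n": b64u(n.to_bytes((n.bit_length() + 7) // 8, "big")),
            "e": b64u(e.to_bytes((e.bit_length() + 7) // 8, "big"))}

def mint_jwt(key, kid, claims):  # tool side: sign a JWT (deep-linking response, client_assertion) under kid
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    signing_input = b64u(json.dumps(header).encode()) + "." + b64u(json.dumps(claims).encode())
    return signing_input + "." + b64u(rs256_sign(key, signing_input.encode()))

class KeysetCache:  # platform side: cache the tool keyset, reload it only when a kid is not in the cache
    def __init__(self, fetch_keyset):
        self.fetch_keyset = fetch_keyset  # stands in for an HTTPS GET of the tool's JWKS URL
        self.keys, self.fetches = {}, 0
    def get(self, kid):
        if kid not in self.keys:  # cache miss: the tool may have rotated keys, so reload once
            self.keys = {k["kid"]: k for k in self.fetch_keyset().get("keys", []) if "kid" in k}
            self.fetches += 1
        return self.keys.get(kid)

def verify_tool_jwt(token, cache):  # platform side: verify a tool-originating JWT with the key its kid names
    h_b64, p_b64, s_b64 = token.split(".")
    header = json.loads(b64u_dec(h_b64))
    if header.get("alg") != "RS256":  # pin the algorithm; never let the token choose it
        raise ValueError("alg not allowed")
    jwk = cache.get(header.get("kid"))
    if jwk is None or jwk.get("kty") != "RSA" or jwk.get("use", "sig") != "sig":
        raise ValueError("no usable key for kid")
    pub = {"n": int.from_bytes(b64u_dec(jwk["n"]), "big"), "e": int.from_bytes(b64u_dec(jwk["e"]), "big")}
    if not rs256_verify(pub, (h_b64 + "." + p_b64).encode(), b64u_dec(s_b64)):
        raise ValueError("bad signature")
    return json.loads(b64u_dec(p_b64))

def demo():  # first use, cached use, key rotation, an unknown kid and a tampered payload
    tool_keys = {"k1": generate_rsa_key(), "k2": generate_rsa_key()}
    published = {"keys": [to_jwk(tool_keys["k1"], "k1")]}  # constructed stand-in for the tool's jwks.json
    cache = KeysetCache(lambda: json.loads(json.dumps(published)))
    claims = {"iss": "constructed-client-id", "aud": "https://platform.example/token", "jti": "constructed-1"}
    token1 = mint_jwt(tool_keys["k1"], "k1", claims)
    out = {"claims_ok": verify_tool_jwt(token1, cache) == claims == verify_tool_jwt(token1, cache)}
    out["fetches_after_two"] = cache.fetches  # the second verify above was served from the cache
    published["keys"].append(to_jwk(tool_keys["k2"], "k2"))  # tool rotates: k2 published and used to sign
    verify_tool_jwt(mint_jwt(tool_keys["k2"], "k2", claims), cache)
    out["fetches_after_rotation"] = cache.fetches  # the unseen kid forced exactly one reload
    h, _, s = token1.split(".")
    forged = h + "." + b64u(b'{"jti":"forged"}') + "." + s  # genuine signature over a different payload
    for label, token in (("unknown_kid", mint_jwt(tool_keys["k2"], "k9", claims)), ("tampered", forged)):
        try:
            verify_tool_jwt(token, cache)
        except ValueError as err:
            out[label] = str(err)
    return out
```

      Running demo() shows the fetch count staying at 1 across repeated verifications under the same kid, rising to 2 only when the tool publishes and signs with a new kid, and a token carrying a kid the tool never published being rejected after exactly one further reload, which is the behaviour the Note above specifies. The alg pin and the kty/use checks on the selected JWK are checks a platform should apply even though the issue does not call them out: without them a keyset entry or a token header could steer verification onto a key or algorithm the tool never intended for signing.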

        Attachments

        1. image-2020-04-22-09-43-07-957.png (69 kB)
        2. img1.png (5 kB)
        3. img2.png (12 kB)
        4. img3.png (55 kB)
        5. lit-error.txt (5 kB)
        6. Screenshot from 2020-01-29 18-17-16.png (182 kB)
        7. Screenshot from 2020-02-06 21-27-53.png (195 kB)
        8. Screenshot from 2020-04-16 09-16-50.png (120 kB)


              People

              Assignee:
              claudevervoort Claude Vervoort
              Reporter:
              claudevervoort Claude Vervoort
              Peer reviewer:
              Mathew May
              Integrator:
              Adrian Greeve
              Tester:
              Janelle Barcega
              Participants:
              Component watchers:
              Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski, Peter Dias
              Votes:
              1
              Watchers:
              11

                Dates

                Created:
                Updated:
                Resolved:
                Fix Release Date:
                15/Jun/20

                  Time Tracking

                  Estimated: 0m
                  Remaining: 0m
                  Logged: 1d 3h 44m