- Improvement
- Resolution: Fixed
- Minor
- 3.7.2
- MOODLE_37_STABLE
- MOODLE_39_STABLE
Moodle must know the tool public key in order to verify tool-originating requests (token/deep linking return).
The current registration allows a tool to copy/paste its public key in PEM format. This is a bit cumbersome to exchange and, more importantly, makes the ability for the tool to rotate its keys a difficult proposition.
Rather, it is more and more common for a tool to expose a JSON Web Key Set (JWKS) URL that exposes its public keys. This is identical to how Moodle exposes its public key to tools.
AC:
- As an admin, I want to have the option to enter a tool JWKS URL in place of an actual public key
Note:
Moodle will rely on kid headers in JWT to identify which key to use in a keyset.
Moodle will cache the keyset URL and only reload in case of cache miss (kid not in keyset).
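The kid lookup and reload-on-miss behaviour from the note, as an added Python sketch that is not Moodle's own code: `KeysetCache`, `jwt_header`, `sample_token`, the injected `fetch` callable and the refetch throttle are all hypothetical names and assumptions made for illustration. It covers key selection only; the JWT signature must still be verified with the returned key.

```python
import base64
import json
import time

class UnknownKeyError(Exception):
    """The token's kid cannot be resolved against the tool's keyset."""

def jwt_header(token):
    """Decode the (still unverified) JOSE header of a compact JWT."""
    segment = token.split(".")[0]
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

class KeysetCache:
    def __init__(self, jwks_url, fetch, min_refetch_seconds=60, clock=time.monotonic):
        self.jwks_url = jwks_url   # taken from the tool registration, never from the token
        self.fetch = fetch         # assumption: callable(url) -> parsed JWKS dict
        self.min_refetch = min_refetch_seconds
        self.clock = clock
        self.keys = {}
        self.last_fetch = None

    def _reload(self):
        keyset = self.fetch(self.jwks_url)
        self.keys = {k["kid"]: k for k in keyset.get("keys", []) if "kid" in k}
        self.last_fetch = self.clock()

    def key_for(self, token):
        kid = jwt_header(token).get("kid")
        if not kid:
            raise UnknownKeyError("JWT has no kid header")
        if kid not in self.keys:
            # Cache miss: reload the keyset, but throttle the reload (an added
            # assumption) so made-up kids cannot force one fetch per request.
            recent = (self.last_fetch is not None
                      and self.clock() - self.last_fetch < self.min_refetch)
            if not recent:
                self._reload()
        if kid not in self.keys:
            raise UnknownKeyError(f"kid {kid!r} not in tool keyset")
        return self.keys[kid]

def sample_token(kid):
    """Constructed, unsigned token for the demo (payload and signature are placeholders)."""
    header = json.dumps({"alg": "RS256", "kid": kid}).encode()
    return base64.urlsafe_b64encode(header).rstrip(b"=").decode() + ".e30.c2ln"
```

A tool that rotates its key publishes the new kid in its keyset, and the first token signed with it triggers a single reload.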