Moodle / MDL-66920

LTI 1.3: Allow tool to use JWKS URI rather than Public Key


    • MOODLE_37_STABLE
    • MOODLE_39_STABLE

      Prerequisite

      Note: This test uses ZTest, but any other LTI 1.3 test tool that supports Deep Linking, API calls, and both public key and key set URL can be used.

      1. Site is configured with at least one course and one instructor
      2. Because LTI 1.3 launches require access to the platform public key set, the Moodle instance must be reachable from the internet. Consider using ngrok (https://ngrok.com) and updating config.php.

        ./ngrok http 80
        

      Installing ZTest with Public RSA Key (existing functionality)

      We first install ZTest using a fixed public key, as was done in prior versions of Moodle.
      1. ZTest tool 1.3 is installed as a site external tool:
        1. Log in as an administrator
        2. Navigate to Site Administration > Plugins > External tool > Manage tools
        3. Click on configure a tool manually
        4. Fill the form as follows:
          1. Tool name: ZTest 1.3
          2. Tool url: https://ztest.cengage.info/ztest/lti
        5. LTI Version: LTI 1.3
        6. Choose Public Key Type: RSA Key
        7. Public key: copy the value from https://ztest.cengage.info/ztest/ LTI 1.3 Connect info tab
        8. Initiate Login URI: https://ztest.cengage.info/ztest/ws/lti/startlaunch?lti13=true&client_id=CLIENT_ID_HERE&platform=moodle
        9. Redirect URI: https://ztest.cengage.info/ztest/lti13
        10. Click on ‘Show more’
        11. Check Content-Item message
        12. Change the 'Privacy' setting ‘Accept grades from the tool’ to 'Delegate to Teacher'.
        13. In Services, IMS LTI Assignment and Grade Services, choose Use this service for grade and column mgmt
        14. Save changes.
        15. Once the tool is created, click the information icon (pie icon) and copy the client id
        16. Update the initiate login URI and replace CLIENT_ID_HERE with the client id value for that tool

      Verifying Deep Linking and API Calls are working

      Now that we have installed ZTest with a public RSA key, we will verify the operations that use that key: those where Moodle receives data from the tool and needs to verify it using the public key provided by the tool. Later, we will change the tool to a key set URL and verify that those operations still function.
      1. As instructor, log in to a course
      2. Turn editing ON
      3. Click Add an activity or resource and select external tool
      4. On the Add external tool page, select the ZTest 1.3 tool as the preconfigured tool
      5. Click on Select Content
      6. In the modal:
        1. Click content-item button
      7. Click on Select Content
      8. In the modal:
        1. Click on pie icon and select content-item
        2. Select Assignment and set points possible to 50
        3. Click Submit button
      9. Verify Deep Linking worked:
        1. No errors are displayed on return
        2. The title for the link has been updated
        3. Grade section is visible
        4. Expand the grade section
        5. Maximum Score: 50
        6. Save and display
        7. ZTest is launching
      10. Verify API can be called
        1. In the pie menu, select AnyCall
        2. In that tab, select get line items; this will populate the fields necessary to call that API
        3. Press Send
        4. Verify the response is 200; this means the tool successfully acquired an access token

      Switch to key set url

      We will now switch to using the public key set url rather than a fixed key, and verify the operations using the tool's public key are still functional.

      1. Log in as an administrator
      2. Navigate to Site Administration > Plugins > External tool > Manage tools
      3. Edit ZTest:
        1. Public Key Type: Keyset URL
        2. Public keyset: https://ztest.cengage.info/ztest/lti/jwks.json
        3. Save
      4. Repeat the Verifying Deep Linking and API test and verify it still passes.

      Moodle must know the tool's public key in order to verify tool-originating requests (token/deep linking return).

      The current registration allows a tool to copy/paste its public key in PEM format. This is a bit cumbersome to exchange and, more importantly, makes it difficult for the tool to rotate its keys.

      Rather, it is more and more common for a tool to expose a JSON Web Key Set (JWKS) URL that publishes its public keys. This is identical to how Moodle exposes its public key to tools.

      AC:

      • As an admin, I want to have the option to enter a tool JWKS URL in place of an actual public key

      Note:
      Moodle will rely on the kid header in the JWT to identify which key in the keyset to use.
      Moodle will cache the keyset retrieved from the URL and only reload it in case of a cache miss (kid not in the cached keyset).
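
The key selection described in the note above, as an added Python example (not Moodle's code): the `kid` from the JWT header picks the key, and the keyset is fetched again only when that `kid` is not cached. `KeysetCache`, `make_token` and `min_refetch_seconds` are hypothetical names; the minimum interval between reloads is an assumption not stated in the issue, added so that tokens carrying unknown `kid` values cannot trigger one fetch per request. Signature verification with the selected key is out of scope here.

```python
import base64
import json
import time

def jwt_kid(token):
    """Read the kid from the JWT header (not yet verified) to select a key."""
    head = token.split(".")[0]
    head += "=" * (-len(head) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(head)).get("kid")

class KeysetCache:
    """Hypothetical cache: kid -> JWK, reloaded only when a kid is missing."""
    def __init__(self, fetch, min_refetch_seconds=60, clock=time.monotonic):
        self._fetch, self._clock = fetch, clock  # fetch() returns a JWKS dict
        self._min_gap = min_refetch_seconds      # assumption: reload rate limit
        self._keys, self._last_fetch = {}, None
        self.fetch_count = 0

    def key_for(self, token):
        kid = jwt_kid(token)
        if kid is None:
            raise KeyError("JWT header carries no kid")
        can_reload = (self._last_fetch is None
                      or self._clock() - self._last_fetch >= self._min_gap)
        if kid not in self._keys and can_reload:  # cache miss: reload keyset
            keys = self._fetch().get("keys", [])
            self._keys = {k["kid"]: k for k in keys if "kid" in k}
            self._last_fetch = self._clock()
            self.fetch_count += 1
        if kid not in self._keys:
            raise KeyError(f"kid {kid!r} is not in the tool keyset")
        return self._keys[kid]

def make_token(kid):
    """Constructed sample: JWT-shaped string with a kid and a dummy signature."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'kid': kid})}.{enc({'iss': 'tool'})}.sig"

def rotation_demo():
    """Constructed keysets (key material omitted): key-1 rotates to key-2."""
    published = {"keys": [{"kid": "key-1", "kty": "RSA"}]}
    cache = KeysetCache(lambda: published, min_refetch_seconds=0)
    cache.key_for(make_token("key-1"))            # first use: fetch
    cache.key_for(make_token("key-1"))            # cache hit: no fetch
    published["keys"] = [{"kid": "key-2", "kty": "RSA"}]
    rotated = cache.key_for(make_token("key-2"))  # miss: reload picks up key-2
    return rotated["kid"], cache.fetch_count
```

With a non-zero `min_refetch_seconds`, a key rotated in immediately after a reload is rejected until the interval has passed, so the interval should stay short relative to how the tool overlaps old and new keys.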


      People: Claude Vervoort (claudevervoort), Mathew May, Adrian Greeve, Janelle Barcega