Details
- Type: Bug
- Status: Open
- Priority: Minor
- Resolution: Unresolved
- Affects Version/s: 3.8.1
- Fix Version/s: None
- Component/s: External Tool (IMS-LTI)
- Labels: None
- Affected Branches: MOODLE_38_STABLE
Description
When accessing the gradebook via LTI 1.1, an error message is returned, indicating that there was a problem verifying the message signature.
Sending a read result request to mod/lti/service.php/1234/lineitems returns:
    <?xml version="1.0" encoding="UTF-8"?>
    <imsx_POXEnvelopeResponse xmlns="http://www.imsglobal.org/services/ltiv1p1/xsd/imsoms_v1p0">
      <imsx_POXHeader>
        <imsx_POXResponseHeaderInfo>
          <imsx_version>V1.0</imsx_version>
          <imsx_messageIdentifier>566912918</imsx_messageIdentifier>
          <imsx_statusInfo>
            <imsx_codeMajor>failure</imsx_codeMajor>
            <imsx_severity>status</imsx_severity>
            <imsx_description>Message signature not valid</imsx_description>
            <imsx_messageRefIdentifier />
            <imsx_operationRefIdentifier>unknownRequest</imsx_operationRefIdentifier>
          </imsx_statusInfo>
        </imsx_POXResponseHeaderInfo>
      </imsx_POXHeader>
      <imsx_POXBody>
        <unknownResponse />
      </imsx_POXBody>
    </imsx_POXEnvelopeResponse>
Looking for the error message in the Moodle source yielded this code snippet in service.php:
    if ($toolproxy !== false) {
        $secrets = array($toolproxy->secret);
    } else if (!empty($tool)) {
        $secrets = array($typeconfig['password']);
    } else {
        $secrets = lti_get_shared_secrets_by_key($consumerkey);
    }
    $sharedsecret = lti_verify_message($consumerkey, lti_get_shared_secrets_by_key($consumerkey), $rawbody);
    if ($sharedsecret === false) {
        throw new Exception('Message signature not valid');
    }
Obviously the variable $secrets is never used, but thrown away and another call to lti_verify_message is performed. Lacking a local test installation of Moodle, I do not know whether this is the cause of my original issue, but it does not look like this is intended.
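
Added illustration (not part of the original report and not Moodle's code): a simplified PHP model of an OAuth 1.0 HMAC-SHA1 check with oauth_body_hash, showing how the list of candidate secrets handed to the verifier decides the outcome. The functions sign_request and verify_message, the URL, the key and the secrets are constructed for the example, and the case where the lookup by consumer key lacks the per-tool secret is an assumption, not something the report confirms.

```php
<?php
// Added illustration, not Moodle code: simplified OAuth 1.0 HMAC-SHA1 check.

// Signature over method, URL and sorted parameters (oauth_signature excluded).
function sign_request(string $method, string $url, array $params, string $secret): string {
    unset($params['oauth_signature']);
    ksort($params);
    $pairs = [];
    foreach ($params as $name => $value) {
        $pairs[] = rawurlencode($name) . '=' . rawurlencode($value);
    }
    $base = strtoupper($method) . '&' . rawurlencode($url) . '&' . rawurlencode(implode('&', $pairs));
    // No token secret is used here, so the HMAC key is "<consumer secret>&".
    return base64_encode(hash_hmac('sha1', $base, rawurlencode($secret) . '&', true));
}

// Returns the first secret that validates the request, or false if none does.
function verify_message(array $params, array $secrets, string $method, string $url, string $body) {
    // oauth_body_hash ties the XML body to the signed parameters.
    $bodyhash = base64_encode(sha1($body, true));
    if (!hash_equals($bodyhash, $params['oauth_body_hash'] ?? '')) {
        return false;
    }
    foreach ($secrets as $secret) {
        $expected = sign_request($method, $url, $params, $secret);
        if (hash_equals($expected, $params['oauth_signature'] ?? '')) {
            return $secret;
        }
    }
    return false;
}

// Constructed sample request, signed by a tool with its per-tool secret.
$url = 'https://lms.example/mod/lti/service.php';
$body = '<imsx_POXEnvelopeRequest/>';
$toolsecret = 'per-tool-secret';   // stands in for $typeconfig['password']
$bykey = ['some-other-secret'];    // assumed result of a lookup by consumer key
$params = [
    'oauth_consumer_key' => 'example-key',
    'oauth_nonce' => 'nonce-1',
    'oauth_timestamp' => '1580000000',
    'oauth_signature_method' => 'HMAC-SHA1',
    'oauth_version' => '1.0',
    'oauth_body_hash' => base64_encode(sha1($body, true)),
];
$params['oauth_signature'] = sign_request('POST', $url, $params, $toolsecret);

var_dump(verify_message($params, [$toolsecret], 'POST', $url, $body)); // secrets chosen by the branches
var_dump(verify_message($params, $bykey, 'POST', $url, $body));        // list that lacks the tool secret
```

The first call returns the matching secret; the second returns false, which is the condition under which the quoted snippet throws 'Message signature not valid'.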