MDL-68384: Misspelled claims and attributes in LTI 1.3 JWT


    Details

    • Testing Instructions:

      pre-requisite

      1. LTI Advantage requires your site to be reachable from the internet. If not, install ngrok to expose your Moodle setup externally. Refer here for additional guidelines
      2. Have a course with an instructor.
      3. As admin install the LTI Robotest test app using the instructions found at https://robotest.theedtech.dev
      4. Tool configuration usage: Show in activity chooser and as preconfigured tool

      Test: custom parameters and url are saved when adding links using deep linking

      1. Enter a course as instructor
      2. Turn editing on
      3. Add external activity, choose Robotest app
      4. Open Developer Tools in browser, and select network tab
      5. Back on the mod edit page - Click Select Content
      6. On the network tab locate the POST request to https://robotest.theedtech.dev/oidc/launch
        1. Copy the post parameter id_token value
      7. Open https://jwt.io, scroll to the encoded box, and paste the id_token value there. The decoded version of the JWT is shown on the right.
      8. Verify the deep linking settings are passed as boolean, not string
        1. "accept_copy_advice": false,
          "accept_multiple": false, (true if MDL-67473 has been integrated)
          "accept_unsigned": false,
          "auto_create": false,
          "can_confirm": false
      9. Select Graded link
      10. Once back on the External Tool edit page, select Save and Display
      11. In the network tab, locate the latest POST request to https://robotest.theedtech.dev/oidc/launch
      12. Copy the id_token value and paste in jwt.io encoded section
      13. Verify the presence of the basic outcome claim: (search for this -) https://purl.imsglobal.org/spec/lti-bo/claim/basicoutcome
      14. Verify product_family_code is in the payload too, with a value of moodle
    • Affected Branches:
      MOODLE_38_STABLE
    • Fixed Branches:
      MOODLE_39_STABLE
    • Pull from Repository:
    • Pull 3.9 Branch:
      MDL-68384-fix-spec-violations-39
    • Pull 3.10 Branch:
      MDL-68384-fix-spec-violations-310
    • Pull Master Branch:
      MDL-68384-fix-spec-violations

      Description

       

      In the JWT sent to a Tool during an LTI 1.3 resource link launch, the following claims / attributes have names that do not match the LTI 1.3 specification:

      Claim  

      https://purl.imsglobal.org/spec/lti-bos/claim/basicoutcomesservice
      

      according to LTI specs (see https://www.imsglobal.org/spec/lti-bo/v1p1#integration-with-lti-1-3) should be spelled as 

      https://purl.imsglobal.org/spec/lti-bo/claim/basicoutcome
      

       

      In the claim

      https://purl.imsglobal.org/spec/lti/claim/tool_platform
      

      the correct spelling of the platform family code attribute is 

      product_family_code
      

      not 

      family_code
      

      see https://www.imsglobal.org/spec/lti/v1p3#platform-instance-claim-0 for details.

       Also:

      • Boolean Deep Linking settings (accept_multiple, auto_create and other non-standardized accept_..) are sent as strings, not booleans
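
The checks from the testing instructions and the description can be run locally on a captured id_token. This is an added example, not Moodle's code or part of the original issue. The deep linking settings claim name comes from the LTI Deep Linking 2.0 specification rather than this page, and `sample_token`, `decode_payload`, `check_claims` and the sample payload are hypothetical, constructed for illustration.

```python
import base64
import json

# First three names are quoted in the issue; DL_CLAIM is from the Deep Linking 2.0 spec.
BO_MISSPELLED = "https://purl.imsglobal.org/spec/lti-bos/claim/basicoutcomesservice"
BO_CLAIM = "https://purl.imsglobal.org/spec/lti-bo/claim/basicoutcome"
PLATFORM_CLAIM = "https://purl.imsglobal.org/spec/lti/claim/tool_platform"
DL_CLAIM = "https://purl.imsglobal.org/spec/lti-dl/claim/deep_linking_settings"
DL_BOOLEANS = ("accept_copy_advice", "accept_multiple", "accept_unsigned",
               "auto_create", "can_confirm")


def sample_token(payload):
    """Build a constructed, unsigned token (the signature part is filler)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256"}), enc(payload), "c2ln"])


def decode_payload(id_token):
    """Return the JWT payload as a dict. Inspection only: no signature check."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    segment = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))


def check_claims(payload, graded=False):
    """List the naming and typing problems from this issue found in a payload."""
    problems = []
    if BO_MISSPELLED in payload or (graded and BO_CLAIM not in payload):
        problems.append("basic outcome claim missing or misspelled")
    if "family_code" in payload.get(PLATFORM_CLAIM, {}):
        problems.append("tool_platform uses family_code")
    settings = payload.get(DL_CLAIM, {})
    for name in DL_BOOLEANS:
        if name in settings and not isinstance(settings[name], bool):
            problems.append(f"{name} sent as {type(settings[name]).__name__}")
    return problems


SAMPLE_BEFORE = {  # constructed; merges claims of both launch types for brevity
    BO_MISSPELLED: {},
    PLATFORM_CLAIM: {"family_code": "moodle"},
    DL_CLAIM: {"accept_multiple": "false", "auto_create": "false"},
}

if __name__ == "__main__":
    print(check_claims(decode_payload(sample_token(SAMPLE_BEFORE))))
```

Pass `graded=True` for the launch of a graded link, where the testing steps expect the basic outcome claim to be present.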

        Attachments

        1. MDL-68384-test-1.png (218 kB)
        2. MDL-68384-test-2.png (276 kB)
        3. MDL-68384-test-3.png (252 kB)

            People

            Assignee:
            claudevervoort Claude Vervoort
            Reporter:
            dkozlov Dmitri Kozlov
            Peer reviewer:
            Peter Dias
            Integrator:
            Adrian Greeve
            Tester:
            Mihail Geshoski
            Component watchers:
            Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski, Peter Dias

              Dates

              Created:
              Updated:
              Resolved:
              Fix Release Date:
              9/Nov/20

                Time Tracking

                Estimated:
                Original Estimate - 0 minutes
                Remaining:
                Remaining Estimate - 0 minutes
                Logged:
                Time Spent - 4 hours, 30 minutes