[MDL-74699] Launch error when an array of aud values sent - Moodle Tracker

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 4.0.1
Fix Version/s: 4.0.2
Component/s: LTI provider
Labels:
- ci
- hqteam_alpha
- triaged

Affected Branches:
MOODLE_400_STABLE
Fixed Branches:
MOODLE_400_STABLE
Epic Link:
LTI provider follow ups
Pull from Repository:
https://github.com/snake/moodle.git
Pull 4.0 Branch:
~~MDL-74699~~-400
Pull 4.0 Diff URL:
https://github.com/moodle/moodle/compare/ac9e395ed...snake:MDL-74699-400
Pull Master Branch:
~~MDL-74699~~-master
Pull Master Diff URL:
https://github.com/moodle/moodle/compare/941a29925...snake:MDL-74699-master
Testing Instructions:

Hide

CiBot

Show
CiBot

Story Points:
1
Sprint:
4.1 holding pattern 2

Description

During a launch, if the JWT contains an array of aud values, the first value is taken as the client_id by the library:
https://github.com/moodle/moodle/blob/master/lib/lti1p3/src/LtiMessageLaunch.php#L389

When we're dealing with the client_id outside of the library code, such as when we process the raw launch data (jwt) in the service code, we don't do this. We need to make the same kind of call in other code which is reliant on client_id otherwise we risk sending an array value for client_id to the constructor of application_registration_repository::find_by_platform() instead of a string value.

A string value is acceptable when there's just a single aud (https://www.imsglobal.org/spec/security/v1p1#id-token), otherwise we need to fetch clientid from the first array element, just like in the library code. So we can have either:

[aud]
[aud, aud2]
"aud"

If aud is an array, you can see the launch stack trace here:

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

aud_array_stack_trace.png
63 kB
09/May/22 10:58 AM

Activity

People

Assignee:: Jake Dallimore

Reporter:: Jake Dallimore

Peer reviewer:: Mihail Geshoski

Integrator:: Shamim Rezaie

Tester:: CiBoT

Participants:: CiBoT, Jake Dallimore, Mihail Geshoski, Shamim Rezaie

Component watchers:: David Woloszyn, Huong Nguyen, Jake Dallimore, Meirza, Michael Hawkins, Raquel Ortega, Safat Shahin, Stevani Andolo

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 09/May/22 10:56 AM

Updated:: 10/Jun/22 11:46 PM

Resolved:: 10/Jun/22 11:46 PM

Fix Release Date:: 11/Jul/22

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

2h 36m