-
Bug
-
Resolution: Fixed
-
Major
-
4.0.1
-
MOODLE_400_STABLE
-
MOODLE_400_STABLE
-
MDL-74699-master -
-
1
-
4.1 holding pattern 2
During a launch, if the JWT contains an array of aud values, the first value is taken as the client_id by the library:
https://github.com/moodle/moodle/blob/master/lib/lti1p3/src/LtiMessageLaunch.php#L389
When we're dealing with the client_id outside of the library code, such as when we process the raw launch data (jwt) in the service code, we don't do this. We need to make the same kind of call in other code which is reliant on client_id otherwise we risk sending an array value for client_id to the constructor of application_registration_repository::find_by_platform() instead of a string value.
A string value is acceptable when there's just a single aud (https://www.imsglobal.org/spec/security/v1p1#id-token), otherwise we need to fetch clientid from the first array element, just like in the library code. So we can have either:
[aud]
[aud, aud2]
"aud"
If aud is an array, you can see the launch stack trace here: