Moodle: MDL-75980

/mod/lti/token.php better error handling for null keyset

Details

    • Bug
    • Resolution: Unresolved
    • Minor
    • None
    • 3.9.17, 4.0.4
    • LTI External tool
    • MOODLE_39_STABLE, MOODLE_400_STABLE

    Description

      There appear to be a few cases where Firebase/JWT::parseKeySet in `mod/lti/locallib.php:lti_verify_with_keyset` will cause Moodle to return a giant HTML with the exception, rather than a JSON error message. The HTML file it returns presents the following error:

      Exception - Argument 1 passed to Firebase\JWT\JWK::parseKeySet() must be of the type array, null given, called in [dirroot]/mod/lti/locallib.php on line 1372

      I believe that this refers to this line: https://github.com/moodle/moodle/blob/ac9e395ed6661fa76ba7e1d6a77e47631e88a9ca/mod/lti/locallib.php#L1372

      I am hosting a bitnami dockerised setup for testing (docker-compose.yml attached). For my locally hosted version (version: 2022041901.00), I am able to trigger this problem by providing an "exp" over 3 minutes in the past - see fudge-token-issue.py attached.

      I see two problems here:
      1. It is returning a giant HTML instead of an error message. (In contrast to what appears to be the intent: https://github.com/moodle/moodle/blob/ac9e395ed6661fa76ba7e1d6a77e47631e88a9ca/mod/lti/token.php#L70)
      2. The error message doesn't provide any useful information. The problem is with the "exp" key, not the keyset.

      What should it do?

      It should return a simple JSON with an error message like "Tool has no keyset".

      What else does it affect?

      If the tool or platform are misconfigured such that the platform cannot obtain the keyset for the tool, this route should, again, return a simple JSON with an error that explains this, not an HTML document.
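
      The behaviour requested above, sketched as an added example that is not part of the original report and is not Moodle's code: the decoded keyset is validated before anything like `JWK::parseKeySet()` sees it, an expired `exp` is reported as such, and every failure becomes a JSON body. All `example_*` names and the OAuth 2.0 style `error` / `error_description` fields are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Added example with hypothetical names; this is not Moodle's code.

/** Decode a fetched JWKS document; null when it is missing or malformed. */
function example_decode_keyset($raw): ?array {
    if (!is_string($raw) || $raw === '') {
        return null;                       // fetch failed or returned nothing
    }
    $decoded = json_decode($raw, true);    // json_decode() yields null on bad JSON
    if (!is_array($decoded) || !isset($decoded['keys']) || !is_array($decoded['keys'])
            || $decoded['keys'] === []) {
        return null;
    }
    return $decoded;
}

/** Build an [HTTP status, JSON body] pair in the OAuth 2.0 error shape. */
function example_error(string $code, string $description): array {
    return [400, json_encode(['error' => $code, 'error_description' => $description])];
}

/**
 * $claims is the unverified JWT payload, $verify stands in for the signature
 * check (where real code would call JWK::parseKeySet() on the decoded keyset).
 */
function example_token_response($rawkeyset, array $claims, int $now, callable $verify): array {
    try {
        // Report an expired assertion as such, before any keyset handling.
        if (!isset($claims['exp']) || !is_int($claims['exp']) || $claims['exp'] < $now) {
            return example_error('invalid_request', 'Assertion is expired or has no exp claim');
        }
        $keyset = example_decode_keyset($rawkeyset);
        if ($keyset === null) {
            return example_error('invalid_client', 'Tool has no keyset');
        }
        $verify($keyset);
        return [200, json_encode(['verified' => true])];
    } catch (Throwable $e) {
        // Throwable also covers TypeError, which catch (Exception) would miss.
        error_log('Token verification failed: ' . $e->getMessage());
        return example_error('invalid_request', 'Assertion could not be verified');
    }
}

// Constructed inputs: a failed keyset fetch (false) and an expired assertion.
$noop = function (array $keyset): void {};
print_r(example_token_response(false, ['exp' => time() + 60], time(), $noop));
print_r(example_token_response('{"keys":[{"kty":"RSA"}]}', ['exp' => time() - 600], time(), $noop));
```

      The exception detail goes to the server log only, so the response body carries a short reason without paths or stack traces.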

          People

            Unassigned Unassigned
            Multihuntr Brandon Victor