[MDL-77077] firebase/php-jwt upgrade introduced dependency on 'alg' in JWKS - Moodle Tracker

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Critical
Resolution: Fixed
Affects Version/s: 4.0.6, 4.1.1
Fix Version/s: 4.0.7, 4.1.2
Component/s: External Tool (IMS-LTI)
Labels:

Affected Branches:
MOODLE_400_STABLE, MOODLE_401_STABLE
Fixed Branches:
MOODLE_400_STABLE, MOODLE_401_STABLE
Pull from Repository:
https://github.com/snake/moodle
Pull 4.0 Branch:
~~MDL-77077~~-400
Pull 4.0 Diff URL:
https://github.com/snake/moodle/compare/f5ec0df5d5a...MDL-77077-400
Pull 4.1 Branch:
~~MDL-77077~~-401
Pull 4.1 Diff URL:
https://github.com/snake/moodle/compare/67bbf6c4160...MDL-77077-401
Pull Master Branch:
~~MDL-77077~~-master
Pull Master Diff URL:
https://github.com/snake/moodle/compare/880462a1685...MDL-77077-master

Testing Instructions:

Hide

Testing prerequisites (tool-platform setup)

You need two Moodle sites (localhost is fine but please make sure both are http to avoid known browser cookie issues) - one called 'platform' and one called 'tool'
In the tool site admin settings:
- Enable enrol_lti and auth_lti plugins
  - For enrol, go to Site admin > Plugins > Enrolment plugins > Manage enrolment plugins
  - For auth, go to Site admin > Plugins > Authentication plugins > Manage authentication plugins
- Enable "Allow frame embedding"
In BOTH sites:
- Go to "Administration > Security > HTTP security" and clear all values from the 'curlsecurityblockedhosts' admin setting and save (to permit localhost-to-localhost calls)
Now, in the tool site, go to "Admin > Plugins > Enrolment plugins > Publish as LTI tool > Tool registration
Generate a new dynamic registation URL by clicking the button
Copy the URL using the copy to clipboard feature
Now, in the platform site, login as admin
Go to "Admin > Plugins > Activities > External tool > Manage tools"
Paste the dynamic registration URL you copied into the text field and click "Add LTI Advantage". You should now see a tool card.
Activate the preconfigured tool using the button on the tool card.
Change the name of this tool to "Moodle tool" and save.

Testing

In an editor of your choice, edit the tool site's lib/lti1p3/src/JwksEndpoint.php, commenting out the 'alg' line in getPublicJWKS here: https://github.com/moodle/moodle/blob/6c0ffde138f33490e8f9a34d7d9a60bbbaa71e93/lib/lti1p3/src/JwksEndpoint.php#L43
e.g.

...

 $components = [

    'kty' => 'RSA',

    //'alg' => 'RS256',

    'use' => 'sig',

    'e' => JWT::urlsafeB64Encode($key_details['rsa']['e']),

    'n' => JWT::urlsafeB64Encode($key_details['rsa']['n']),

    'kid' => $kid,

];

...

In the tool site, create a course with an assignment
In Course -> Published as LTI tools, publish the assignment over LTI Advantage
Log out of the tool
Log in to the platform site
Purge caches (since the JWKS vals are cached)
Go to a course
Click to add an activity or resource
Select "External tool"
From the select menu, pick the "Moodle tool" tool
click "Select content"
Proceed through any prompts to link logins, relaunching the content selection when you're done.
Pick the assignment you published earlier and click "Add content"
Verify you see a confirmation message pop up briefly and that you're taken back to the module edit form, which has now had its module name updated successfully

Show

Testing prerequisites (tool-platform setup) You need two Moodle sites (localhost is fine but please make sure both are http to avoid known browser cookie issues) - one called 'platform' and one called 'tool' In the tool site admin settings: Enable enrol_lti and auth_lti plugins For enrol, go to Site admin > Plugins > Enrolment plugins > Manage enrolment plugins For auth, go to Site admin > Plugins > Authentication plugins > Manage authentication plugins Enable "Allow frame embedding" In BOTH sites: Go to "Administration > Security > HTTP security" and clear all values from the 'curlsecurityblockedhosts' admin setting and save (to permit localhost-to-localhost calls) Now, in the tool site, go to "Admin > Plugins > Enrolment plugins > Publish as LTI tool > Tool registration Generate a new dynamic registation URL by clicking the button Copy the URL using the copy to clipboard feature Now, in the platform site, login as admin Go to "Admin > Plugins > Activities > External tool > Manage tools" Paste the dynamic registration URL you copied into the text field and click "Add LTI Advantage". You should now see a tool card. Activate the preconfigured tool using the button on the tool card. Change the name of this tool to "Moodle tool" and save. Testing In an editor of your choice, edit the tool site's lib/lti1p3/src/JwksEndpoint.php, commenting out the 'alg' line in getPublicJWKS here: https://github.com/moodle/moodle/blob/6c0ffde138f33490e8f9a34d7d9a60bbbaa71e93/lib/lti1p3/src/JwksEndpoint.php#L43 e.g. ... $components = [ 'kty' => 'RSA', //'alg' => 'RS256', 'use' => 'sig', 'e' => JWT::urlsafeB64Encode($key_details['rsa']['e']), 'n' => JWT::urlsafeB64Encode($key_details['rsa']['n']), 'kid' => $kid, ]; ... In the tool site, create a course with an assignment In Course -> Published as LTI tools, publish the assignment over LTI Advantage Log out of the tool Log in to the platform site Purge caches (since the JWKS vals are cached) Go to a course Click to add an activity or resource Select "External tool" From the select menu, pick the "Moodle tool" tool click "Select content" Proceed through any prompts to link logins, relaunching the content selection when you're done. Pick the assignment you published earlier and click "Add content" Verify you see a confirmation message pop up briefly and that you're taken back to the module edit form, which has now had its module name updated successfully

Story Points:
2
Sprint:
Team Hedgehog Sprint 1 review

Description

Issue

firebase/php-jwt 6 made 'alg' a required property, and this causes some issue when tools don't provide this in their JWKS.

Replication steps

We'll use a local moodle tool provider to replicate this. In reality, any tool omitting the JWKS 'alg' property will result in the same failure.

Set up 2 local Moodle sites - one platform, one tool
In the tool codebase, edit lib/lti1p3/src/JwksEndpoint.php, commenting out the 'alg' line in getPublicJWKS here: https://github.com/moodle/moodle/blob/6c0ffde138f33490e8f9a34d7d9a60bbbaa71e93/lib/lti1p3/src/JwksEndpoint.php#L43
See https://docs.moodle.org/401/en/Publish_as_LTI_tool to register the tool site with the platform. At the end of this process you should have registered the tool with the platform and have a new preconfigured tool in the platform site admin.
In the tool site, create a course with an assignment
In Course -> Published as LTI tools, publish the assignment over LTI Advantage
Now, log into the platform site and go to a course
Click to add a new activity and select the External tool you created in 2.
Select "Add content" and proceed through any login linking process
Select the assignment you published in 5.
Click "Add content"
Expected: the content item message is returned without an error
Actual: You'll see the error "Exception - JWK must contain an "alg" parameter"

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

400.gif
165 kB
01/Feb/23 11:07 AM
401.gif
209 kB
01/Feb/23 11:07 AM
lit_content_loaded_into_platform_site.png
141 kB
31/Jan/23 12:42 PM
master.gif
570 kB
01/Feb/23 11:07 AM
units_tests_pass.png
49 kB
31/Jan/23 12:42 PM

Issue Links

is a regression caused by

MDL-71712 Upgrade PHP-JWT to latest version

Closed

Activity

People

Assignee:: Jake Dallimore

Reporter:: Jake Dallimore

Peer reviewer:: David Woloszyn

Integrator:: Ilya Tregubov

Tester:: Ron Carl Alfon Yu

Participants:: CiBoT, David Woloszyn, Ilya Tregubov, Jake Dallimore, Ron Carl Alfon Yu

Component watchers:: Jake Dallimore, Ilya Tregubov, Kevin Percy, Mathew May, Mihail Geshoski, Shamim Rezaie

Votes:: 1 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 30/Jan/23 9:40 AM

Updated:: 03/Feb/23 6:04 PM

Resolved:: 03/Feb/23 6:04 PM

Fix Release Date:: 13/Mar/23

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

1d 2h 1m