MDL-77077

firebase/php-jwt upgrade introduced dependency on 'alg' in JWKS


Details

    • MOODLE_400_STABLE, MOODLE_401_STABLE
    • MOODLE_400_STABLE, MOODLE_401_STABLE
    • MDL-77077-400
    • MDL-77077-401
    • MDL-77077-master

      Testing prerequisites (tool-platform setup)

      1. You need two Moodle sites (localhost is fine but please make sure both are http to avoid known browser cookie issues) - one called 'platform' and one called 'tool'
      2. In the tool site admin settings:
        • Enable enrol_lti and auth_lti plugins
          • For enrol, go to Site admin > Plugins > Enrolment plugins > Manage enrolment plugins
          • For auth, go to Site admin > Plugins > Authentication plugins > Manage authentication plugins
        • Enable "Allow frame embedding"
      3. In BOTH sites:
        • Go to "Administration > Security > HTTP security" and clear all values from the 'curlsecurityblockedhosts' admin setting and save (to permit localhost-to-localhost calls)
      4. Now, in the tool site, go to "Admin > Plugins > Enrolment plugins > Publish as LTI tool > Tool registration"
      5. Generate a new dynamic registration URL by clicking the button
      6. Copy the URL using the copy to clipboard feature
      7. Now, in the platform site, login as admin
      8. Go to "Admin > Plugins > Activities > External tool > Manage tools"
      9. Paste the dynamic registration URL you copied into the text field and click "Add LTI Advantage". You should now see a tool card.
      10. Activate the preconfigured tool using the button on the tool card.
      11. Change the name of this tool to "Moodle tool" and save.

      Testing

      1. In an editor of your choice, edit the tool site's lib/lti1p3/src/JwksEndpoint.php, commenting out the 'alg' line in getPublicJWKS here: https://github.com/moodle/moodle/blob/6c0ffde138f33490e8f9a34d7d9a60bbbaa71e93/lib/lti1p3/src/JwksEndpoint.php#L43
        e.g.

        ...
        $components = [
            'kty' => 'RSA',
            //'alg' => 'RS256',
            'use' => 'sig',
            'e' => JWT::urlsafeB64Encode($key_details['rsa']['e']),
            'n' => JWT::urlsafeB64Encode($key_details['rsa']['n']),
            'kid' => $kid,
        ];
        ...

      2. In the tool site, create a course with an assignment
      3. In Course -> Published as LTI tools, publish the assignment over LTI Advantage
      4. Log out of the tool
      5. Log in to the platform site
      6. Purge caches (the platform caches the tool's JWKS, so the edited key set will not be fetched otherwise)
      7. Go to a course
      8. Click to add an activity or resource
      9. Select "External tool"
      10. From the select menu, pick the "Moodle tool" tool
      11. Click "Select content"
      12. Proceed through any prompts to link logins, relaunching the content selection when you're done.
      13. Pick the assignment you published earlier and click "Add content"
      14. Verify you see a confirmation message pop up briefly and that you're taken back to the module edit form, which has now had its module name updated successfully
    • 2
    • Team Hedgehog Sprint 1 review

    Description

      Issue

      firebase/php-jwt 6 made 'alg' a required member of each JWK, so parsing a tool's key set now fails whenever the tool omits it. RFC 7517 (section 4.4) defines 'alg' as OPTIONAL, so tools that leave it out are within spec. For LTI 1.3 the IMS Security Framework mandates RS256, so the platform can safely supply RS256 as the default algorithm for keys that lack one; the default must be fixed by the platform, not read from the incoming token's header, which would reintroduce the classic algorithm-confusion mistake.

      Replication steps

      We'll use a local moodle tool provider to replicate this. In reality, any tool omitting the JWKS 'alg' property will result in the same failure.

      1. Set up 2 local Moodle sites  - one platform, one tool
      2. In the tool codebase, edit lib/lti1p3/src/JwksEndpoint.php, commenting out the 'alg' line in getPublicJWKS here: https://github.com/moodle/moodle/blob/6c0ffde138f33490e8f9a34d7d9a60bbbaa71e93/lib/lti1p3/src/JwksEndpoint.php#L43
      3. See https://docs.moodle.org/401/en/Publish_as_LTI_tool to register the tool site with the platform. At the end of this process you should have registered the tool with the platform and have a new preconfigured tool in the platform site admin.
      4. In the tool site, create a course with an assignment
      5. In Course -> Published as LTI tools, publish the assignment over LTI Advantage
      6. Now, log into the platform site and go to a course
      7. Click to add a new activity and select the External tool you registered in 3.
      8. Click "Select content" and proceed through any login linking process
      9. Select the assignment you published in 5.
      10. Click "Add content"
        Expected:  the content item message is returned without an error
        Actual: You'll see the error "Exception - JWK must contain an "alg" parameter"
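
      The failure and the fix described above, as an added example that is not Moodle's or php-jwt's own code. It assumes firebase/php-jwt 6.1 or later installed through Composer (the release that added the default-algorithm argument to JWK::parseKeySet()), builds a JWK the same way the tool's JwksEndpoint does but without 'alg', and uses a throwaway RSA key pair, a constructed kid and constructed claims standing in for the tool's deep linking response. The last step checks the property a reviewer would want to confirm: the default binds the key to RS256, so a token whose header claims HS256 and is "signed" with the public PEM as the HMAC secret is still rejected.

```php
<?php
// Added example, not Moodle or php-jwt project code.
// Assumes firebase/php-jwt >= 6.1 via Composer (that version accepts a
// default algorithm in JWK::parseKeySet()).
require __DIR__ . '/vendor/autoload.php';

use Firebase\JWT\JWT;
use Firebase\JWT\JWK;

// 1. Throwaway RSA key pair standing in for the tool's signing key.
$keypair = openssl_pkey_new([
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
    'private_key_bits' => 2048,
]);
openssl_pkey_export($keypair, $privatePem);
$details   = openssl_pkey_get_details($keypair);
$publicPem = $details['key'];
$kid       = 'tool-key-1'; // constructed sample kid

// 2. JWKS built the way JwksEndpoint::getPublicJWKS() builds it, but with the
//    'alg' member left out (RFC 7517 section 4.4 makes it optional).
$jwksNoAlg = ['keys' => [[
    'kty' => 'RSA',
    'use' => 'sig',
    'e'   => JWT::urlsafeB64Encode($details['rsa']['e']),
    'n'   => JWT::urlsafeB64Encode($details['rsa']['n']),
    'kid' => $kid,
]]];

// 3. Token signed by the tool, as the platform receives it (constructed claims).
$payload = [
    'iss' => 'https://tool.example',      // constructed issuer
    'aud' => 'platform-client-id',        // constructed audience
    'exp' => time() + 60,
];
$token = JWT::encode($payload, $privatePem, 'RS256', $kid);

// 4. Parsing the key set with no default algorithm reproduces the bug.
try {
    JWK::parseKeySet($jwksNoAlg);
    echo "unexpected: parseKeySet accepted a JWK without alg\n";
} catch (UnexpectedValueException $e) {
    // Message is the one seen in the platform: JWK must contain an "alg" parameter
    echo "without default: " . $e->getMessage() . "\n";
}

// 5. Supplying RS256, the algorithm LTI 1.3 mandates, as the default lets the
//    key set load and the tool's token verify.
$keys   = JWK::parseKeySet($jwksNoAlg, 'RS256');
$claims = JWT::decode($token, $keys);
echo "with default RS256: verified iss=" . $claims->iss . "\n";

// 6. The default is bound to the key, not taken from the token header, so a
//    forged token that claims HS256 and uses the public PEM as the HMAC secret
//    fails with "Incorrect key for this algorithm" instead of verifying.
$forged = JWT::encode($payload, $publicPem, 'HS256', $kid);
try {
    JWT::decode($forged, $keys);
    echo "unexpected: forged HS256 token accepted\n";
} catch (UnexpectedValueException $e) {
    echo "forged HS256 token rejected: " . $e->getMessage() . "\n";
}
```

      Run it with `php example.php` from a directory where Composer has installed firebase/php-jwt. The first call throws the same exception the platform shows; the second verifies the token; the third shows that supplying a default algorithm does not weaken the key-to-algorithm binding.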

      Attachments

        1. 400.gif (165 kB)
        2. 401.gif (209 kB)
        3. lit_content_loaded_into_platform_site.png (141 kB)
        4. master.gif (570 kB)
        5. units_tests_pass.png (49 kB)

            People

              Jake Dallimore
              Jake Dallimore
              David Woloszyn
              Ilya Tregubov
              Ron Carl Alfon Yu
              Jake Dallimore, Ilya Tregubov, Kevin Percy, Mathew May, Mihail Geshoski, Shamim Rezaie
              Votes: 1
              Watchers: 6

              Dates

                Created:
                Updated:
                Resolved: 13/Mar/23

                Time Tracking

                  Estimated: Not Specified
                  Remaining: 0m
                  Logged: 1d 2h 1m