Moodle / MDL-78111

Sitewide secret and key should have priority

    • Affects versions: MOODLE_401_STABLE, MOODLE_402_STABLE

      Steps to reproduce & observed behaviour:

      1. Create a preconfigured LTI external tool by clicking 'configure a tool manually', using e.g. https://saltire.lti.app/tool as the tool URL.
      2. Add a new 'External tool' activity to a course, selecting 'Automatic, based on tool URL' for Preconfigured tool. Paste the same URL you used for the preconfigured tool, click 'Show more...' and enter an invalid secret (or key).
      3. After clicking 'Save and display', verify that the external tool does not display (invalid signature: the wrong secret was used to hash the base string).
        Further, notice that if you edit the settings for the tool, the preconfigured external tool is selected and you cannot tell that a wrong secret (or key) was used, except via JavaScript in the browser console (document.getElementById('id_password').value). 'Show more...' does not give back the information used to create this instance, and the user cannot undo the mistake by choosing a different preconfigured tool.

      On several systems we had the problem that the user's password manager was accidentally populating the hidden 'id_password' field with the user's login password. Realising this raised serious security concerns on the side of our clients.

      Expected behaviour:

      1. As pointed out in a previous issue, according to the LTI spec the site-wide secret and key should have priority:
        "Basic launches can happen from the TC with any combination of TC-wide and link-level credentials including one or the other, both, or neither being present. When both are present the launch uses the TC-wide secret to sign the request."
      2. The user should be able to see and change the wrong settings, which may have been created without their knowledge by a password manager.
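      The two behaviours above (a launch failing because the instance-level secret signed the OAuth base string, and the spec rule that the tool-wide pair wins when both are present) can be shown end to end with a small model of an LTI 1.x HMAC-SHA1 launch. This is an added, self-contained example, not Moodle's mod_lti code; the consumer keys, secrets, launch parameters and the tool's credential registry are constructed for the illustration, and only the tool URL comes from the steps above.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def oauth_encode(value):
    # RFC 5849 percent-encoding: everything except unreserved characters is escaped.
    return quote(str(value), safe="")


def signature_base_string(method, url, params):
    # The base string covers every parameter except the signature itself,
    # each key/value encoded and the pairs sorted.
    pairs = sorted(
        (oauth_encode(k), oauth_encode(v))
        for k, v in params.items()
        if k != "oauth_signature"
    )
    normalized = "&".join("%s=%s" % (k, v) for k, v in pairs)
    return "&".join([method.upper(), oauth_encode(url), oauth_encode(normalized)])


def hmac_sha1_signature(base_string, consumer_secret):
    # LTI 1.x launches carry no token secret, so the HMAC key is "<secret>&".
    key = oauth_encode(consumer_secret) + "&"
    digest = hmac.new(key.encode(), base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def resolve_launch_credentials(tool_wide, link_level):
    """Pick the (key, secret, source) a launch must be signed with.

    Implements the LTI 1.x rule quoted in the issue: when both the tool-wide
    (site-level preconfigured tool) and the link-level (activity instance)
    credentials are present, the tool-wide pair is used.
    """
    def present(c):
        return bool(c and c.get("key") and c.get("secret"))

    if present(tool_wide):
        return tool_wide["key"], tool_wide["secret"], "tool-wide"
    if present(link_level):
        return link_level["key"], link_level["secret"], "link-level"
    return None


def sign_launch(method, url, params, key, secret):
    # Platform side: add the OAuth parameters and sign the base string.
    signed = dict(params)
    signed["oauth_consumer_key"] = key
    signed["oauth_signature_method"] = "HMAC-SHA1"
    signed["oauth_signature"] = hmac_sha1_signature(
        signature_base_string(method, url, signed), secret)
    return signed


def verify_launch(method, url, signed_params, secret_for_key):
    # Tool side: recompute the signature with the secret registered for the key.
    secret = secret_for_key(signed_params.get("oauth_consumer_key", ""))
    if secret is None:
        return False
    expected = hmac_sha1_signature(signature_base_string(method, url, signed_params), secret)
    return hmac.compare_digest(expected, signed_params.get("oauth_signature", ""))


TOOL_URL = "https://saltire.lti.app/tool"  # the tool URL used in the steps above
# Constructed credentials: the site-level pair, and a link-level pair whose
# secret is the kind of value a password manager might autofill into id_password.
TOOL_WIDE = {"key": "site-consumer-key", "secret": "site-shared-secret"}
LINK_LEVEL = {"key": "site-consumer-key", "secret": "autofilled-login-password"}
LAUNCH_PARAMS = {  # constructed minimal LTI 1.1 launch
    "lti_message_type": "basic-lti-launch-request",
    "lti_version": "LTI-1p0",
    "resource_link_id": "course1-mod7",
    "oauth_nonce": "f1e2d3c4",
    "oauth_timestamp": "1700000000",
    "oauth_version": "1.0",
}
TOOL_REGISTRY = {"site-consumer-key": "site-shared-secret"}  # what the tool knows


def launch_outcome(credentials):
    """Return 'launched' or 'invalid signature' for a launch signed with credentials."""
    key, secret, _source = credentials
    signed = sign_launch("POST", TOOL_URL, LAUNCH_PARAMS, key, secret)
    ok = verify_launch("POST", TOOL_URL, signed, TOOL_REGISTRY.get)
    return "launched" if ok else "invalid signature"


if __name__ == "__main__":
    # Observed behaviour: the instance-level (wrong) secret signs the launch.
    print(launch_outcome((LINK_LEVEL["key"], LINK_LEVEL["secret"], "link-level")))
    # Expected behaviour: the tool-wide pair takes priority and the launch verifies.
    print(launch_outcome(resolve_launch_credentials(TOOL_WIDE, LINK_LEVEL)))
```

      The tool can only tell that the signature does not match; it cannot tell which secret the platform used, which is why the instance looks correctly configured in the edit form while the launch fails.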

      Workaround:

      For an External tool instance which finds itself in this state, the process to remedy it is fairly simple:

      1. Edit the activity settings
      2. Change "Preconfigured tool" to "Automatic, based on tool URL"
      3. Enter the tool URL
      4. Save
        Provided password autofill isn't filling in the consumer key and secret (a bug resolved in MDL-76478), the tool will then be properly configured and will launch using the consumer key and secret defined on the site-level preconfigured tool.


      Assignee: Unassigned
      Reporter: Christopher Reimann