Type: Bug
Resolution: Unresolved
Priority: Minor
Affects Version/s: 4.1.2, 4.1.3, 4.2
Affected Branches: MOODLE_401_STABLE, MOODLE_402_STABLE
Steps to reproduce & observed behaviour:
- Create a preconfigured LTI external tool via 'configure a tool manually', using e.g. https://saltire.lti.app/tool
- Add a new 'External tool' activity to a course, selecting 'Automatic, based on tool URL' for Preconfigured tool. Paste the same URL you used for the preconfigured tool, click 'Show more...' and enter an invalid secret (or key).
- Click 'Save and display' and verify that the external tool does not display: the launch signature is invalid because the wrong secret was used to sign the OAuth base string.
Note further that when you edit the activity settings, the preconfigured external tool is shown as selected and there is no indication that a wrong secret (or key) was used, other than reading the hidden field from the browser console (document.getElementById('id_password').value). 'Show more...' does not reveal the values used to create this instance, and the user cannot undo the mistake by choosing a different preconfigured tool.
On several systems we had the problem that the user's password manager was accidentally populating the hidden 'id_password' field with the user's login password. Realising this raised serious security concerns on the side of our clients.
Expected behaviour:
- As pointed out in a previous issue, the LTI spec gives the site-wide key and secret priority over link-level credentials:
"Basic launches can happen from the TC with any combination of TC-wide and link-level credentials including one or the other, both, or neither being present. When both are present the launch uses the TC-wide secret to sign the request."
- The user should be able to see and change the wrong settings, which may have been created without their knowledge by a password manager.
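To make the failure mode and the quoted rule concrete, here is an added example that is not Moodle's code: it models an LTI 1.1 launch signed with OAuth 1.0a HMAC-SHA1, a credential selector that applies the spec rule, and a tool-side verifier that knows only the site-wide secret. The keys, secrets and launch parameters are constructed; only the tool URL comes from the report.

```python
import base64, hashlib, hmac
from urllib.parse import quote

# Constructed sample: the tool provider knows only the site-wide secret; the
# link-level secret is whatever a password manager dropped into 'id_password'.
TOOL_URL = "https://saltire.lti.app/tool"           # tool URL from the report
SITE_CREDS = ("site-key", "site-secret")            # constructed site-wide credentials
LINK_CREDS = ("site-key", "autofilled-login-pass")  # constructed, wrong link-level secret
PARAMS = {"lti_message_type": "basic-lti-launch-request", "lti_version": "LTI-1p0",
          "resource_link_id": "42", "oauth_nonce": "n1", "oauth_timestamp": "1700000000",
          "oauth_version": "1.0"}

def pct(s):
    """OAuth 1.0a percent-encoding: only RFC 3986 unreserved characters stay as-is."""
    return quote(str(s), safe="-._~")

def base_string(method, url, params):
    """Signature base string: METHOD&URL&normalised(sorted params)."""
    norm = "&".join(f"{pct(k)}={pct(v)}" for k, v in sorted(params.items()))
    return "&".join([method.upper(), pct(url), pct(norm)])

def sign(base, consumer_secret):
    """HMAC-SHA1 keyed with 'secret&'; LTI launches carry no token secret."""
    key = f"{pct(consumer_secret)}&".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

def choose_credentials(site, link):
    """The LTI 1.1 rule quoted above: site-wide credentials win when both are present."""
    return site or link

def build_launch(method, url, params, creds):
    """Consumer side: add the OAuth parameters and sign with the chosen secret."""
    key, secret = creds
    signed = dict(params, oauth_consumer_key=key, oauth_signature_method="HMAC-SHA1")
    signed["oauth_signature"] = sign(base_string(method, url, signed), secret)
    return signed

def provider_accepts(method, url, launch, known_secret):
    """Tool side: recompute the signature with the secret it knows and compare."""
    unsigned = {k: v for k, v in launch.items() if k != "oauth_signature"}
    expected = sign(base_string(method, url, unsigned), known_secret)
    return hmac.compare_digest(launch["oauth_signature"], expected)

def launch_verifies(creds):
    """Does a launch signed with `creds` verify at a tool that knows SITE_CREDS?"""
    launch = build_launch("POST", TOOL_URL, PARAMS, creds)
    return provider_accepts("POST", TOOL_URL, launch, SITE_CREDS[1])

# Reported behaviour: the link-level secret is used, so the tool rejects the launch.
current_behaviour = launch_verifies(LINK_CREDS)
# Spec behaviour: site-wide credentials take priority, so the launch verifies.
spec_behaviour = launch_verifies(choose_credentials(SITE_CREDS, LINK_CREDS))
```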
Workaround:
For an External tool instance which finds itself in this state, the process to remedy it is fairly simple:
- Edit the activity settings
- Change "Preconfigured tool" to "Automatic, based on tool URL"
- Enter the tool URL
- Save
Provided password autofill isn't filling the consumer key and secret (a bug resolved in MDL-76478), the tool will then be properly configured and will launch using the consumer key and secret defined on the site-level preconfigured tool.
Linked issue (has a non-specific relationship to): MDL-53046 External Tool should prefer site-wide configured key/secret (Closed)