Hi everyone , I am new in LTI 1.3 - tao ,so for me this a bit hard to understand how to embed this library into my tool. For LMS , I am using Moodle .
If is there any example code availble for this library use by a Tool based on PHP , If available for demo purpose Can someone please share me?
I just confued about the workflow . That example code maybe help me to understand the complete architecture.

Thanks in Advance ! @Cicatrice

+-------------------+----------------------------------------------------------------------------------+
| Package           | phpseclib/phpseclib                                                              |
| CVE               | CVE-2023-49316                                                                   |
| Title             | phpseclib vulnerable to denial of service                                        |
| URL               | https://github.com/advisories/GHSA-jpr7-q523-hx25                                |
| Affected versions | <3.0.34                                                                          |
| Reported at       | 2023-11-27T18:31:14+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+

Update to 3.0.34

Package php-http/message-factory is abandoned, you should avoid using it. Use psr/http-factory instead.

Hello, Is it possible to update this package 'lcobucci/jwt' to a newer version (^5.0) ?

codercat/jwk-to-pem must be at version 1.1 to fix GHSA-hm7p-r324-hhf3

version 1.1 will be installed if phpseclib is at version 3.*

I tried to make a pull request, but is seems my tests are failing because i'm running php 8.1.

Hi, I'm buidling LTI Platform using LTI Reference Implementation, during content selection, I redirected to login_initiations on lti-ri, then I click send post request and it bring me to my platform oidc init,
I try OidcAuthenticator and authenticate $request, but it fails with message

OIDC authentication failed: Argument 1 passed to OAT\Library\Lti1p3Core\Security\Jwt\Parser\Parser::parse() must be of the type string, null given, called in //vendor/oat-sa/lib-lti1p3-core/src/Security/Oidc/OidcAuthenticator.php on line 82

after I dump the $request, I get parsedBody

array:3 [▼
  "utf8" => "✓"
  "authenticity_token" => "MKLZdolGU4StoBaZDvKSMl0d70BXTXHT2AFIEyPn+1KTCVnKgh64CBzQtMgYZjrCc5lAucV/Z0y4SG3jP03gyg=="
  "commit" => "Send POST request"
]

I have no idea how to auntethicate it, I can't find 'authenticity_token' on this library even on test case, I have no idea which function can handle it, any ideas how to authenticate it?

regards

relates to #178

After a succed login and launch validation, when I want to getContextMembershipForPayload (Lti1p3Nrps), it fails by responding "iat missing".
I tried using OAT\Library\Lti1p3Core\Service\Client\LtiServiceClient directly. Same happens.

Whole error:
Cannot get context membership for payload: Cannot get context membership for claim: Cannot get context membership: Cannot get access token: Client error: POST https://developer.anthology.com/api/v1/gateway/oauth2/jwttoken resulted in a 400 Bad Request response: {"error":"invalid_jwt_token","error_description":"iat missing"}

So it fails in getAccessToken from LtiServiceClient

The thing is that if I print the token claims... iat appears. So... very very strange.

Any ideas?

Thanks in advance

Just ran into the TAO PHP framework for LTI and was thinking of including it in an app, but we would like to offer dynamic registration from day one. Are you considering it at all?
https://www.imsglobal.org/spec/lti-dr/v1p0

Hi Team, I try to add multiple ResourceCollection, but it doesn't work, here is what I've tried so far:

$resources = [];
foreach ($payload->courses as $uuid) {
   $course = Course::whereUuid($uuid)->first();
   $resources[] = new LtiResourceLink('ltiResourceLinkIdentifier', [
       'url' => getLtiDomain().'/launch',
       'title' => $course->name,
       'text'  => $course->settings['about'],
       'custom'    => [
          'course' => $uuid
       ],
    ]);
}
// agregate courses to resources collection
$resourceCollection = new ResourceCollection($resources); 

I also try this method

$resourceCollection = new ResourceCollection(); 
foreach ($payload->courses as $uuid) {
   $course = Course::whereUuid($uuid)->first();
   $resource = new LtiResourceLink('ltiResourceLinkIdentifier', [
       'url' => getLtiDomain().'/launch',
       'title' => $course->name,
       'text'  => $course->settings['about'],
       'custom'    => [
          'course' => $uuid
       ],
    ]);
$resourceCollection->add($resource);
}

both of those codes do not work, So how to add multiple items to resource collection properly?

According to the LTI 1.3 specs, the out-of-band registration process includes registration of redirect uri provided by the tool. The authentication response shall be send only to one of those uri. The specific uri is provided by the tool via the redirect_uri parameter in the authentication request.

However, OidcAuthenticator is sending the authentication response to the target_link_uri, which is the uri to which the tool is supposed to redirect the user after validating the authentication response.

According to the IMSGlobal spec (https://www.imsglobal.org/spec/security/v1p0/#using-json-web-tokens-with-oauth-2-0-client-credentials-grant): "...the authorization server MAY instruct the Consumer to use the token endpoint URL of the authorization server as a value for an aud element..."

Not all platforms do this. For example, Brightspace has a separate audiance value. Brightspace OAuth2 Audience is https://api.brightspace.com/auth/token and its Brightspace OAuth2 Access Token URL is https://auth.brightspace.com/core/connect/token

In the current implementation of the ServiceClient the aud is set equal to the platform->getOAuth2AccessTokenUrl() value. I propose to set it equal to the platform->getAudience() value.

The piece of code to be changed is:

see: Roave/SecurityAdvisories@da77e3d

Description:

I'm using this library to implement LTI 1.3 into an LMS application. Reading the documentation, I'm able to get the integration working but caching access tokens doesn't make sense to me!

When setting up the server service we generate an access token for a key chain which requires passing AccessTokenRepository to store the created access tokens, However, the AccessTokenRepository is not used with service endpoint authentication so why are we storing these tokens if they're not being used?

Possible Solution?

Maybe the idea is that we create a custom validator interface and pass it to RequestAccessTokenValidator? I think that'd work by decoding the JWT and searching for the id in the cache (the database in my case).

Ideal solution

Since the AccessTokenRepository is required for generating access tokens, It should also be required for validating access tokens. so RequestAccessTokenValidator.php should be modified to use the cache adapter to search for access tokens and make sure they're not revoked or expired.

In https://github.com/oat-sa/lib-lti1p3-core/blob/master/tests/Traits/DomainTestingTrait.php#L68, the tool audience should be toolAudience and not platformAudience

Bump core to v7:

• bundle-lti1p3
• lib-lti1p3-ags
• lib-lti1p3-deep-linking
• lib-lti1p3-nrps
• lib-lti1p3-proctoring
• lib-lti1p3-submission-review

see: #166 (review)

As the title of this issue says: The LtiMessage::toUrl() method should generate a valid URL if the base URL already contains a query string.

A base url of http://localhost/mod/lti/contentitem_return.php?course=2&id=39&sesskey=BP0AlkCbZq results in the following return value from LtiMessage::toUrl() (which is invalid because of the double ?).
http://localhost/mod/lti/contentitem_return.php?course=2&id=39&sesskey=BP0AlkCbZq?JWT=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjU1ZmQwNzIxMWY5ZDQ4MGVhOWVjNGIwNTU5ZGFiNzMwZGNlZmU4MjZhMDdmZjU5YjA5NDgxN2Q1NmRjZjJlNzYifQ.eyJodHRwczovL3B1cmwuaW1zZ2xvYmFsLm9yZy9zcGVjL2x0aS1kbC9jbGFpbS9kYXRhIjpudWxsLCJodHRwczovL3B1cmwuaW1zZ2xvYmFsLm9yZy9zcGVjL2x0aS1kbC9jbGFpbS9tc2ciOiIxIGl0ZW0ocykgcHJvdmlkZWQiLCJodHRwczovL3B1cmwuaW1zZ2xvYmFsLm9yZy9zcGVjL2x0aS1kbC9jbGFpbS9sb2ciOiIxIGl0ZW0ocykgcHJvdmlkZWQiLCJodHRwczovL3B1cmwuaW1zZ2xvYmFsLm9yZy9zcGVjL2x0aS1kbC9jbGFpbS9jb250ZW50X2l0ZW1zIjpbeyJ1cmwiOiJodHRwOi8vaG9zdC5kb2NrZXIuaW50ZXJuYWw6ODA4MC9sdGkvbGF1bmNoIiwidGl0bGUiOiJteSBmYW5jeSBweXRob24gdG9vbCIsInR5cGUiOiJsdGlSZXNvdXJjZUxpbmsifV0sImlzcyI6IlFZWXQ1WU5GQ1NRZEJ2byIsImF1ZCI6Imh0dHA6Ly9sb2NhbGhvc3QiLCJodHRwczovL3B1cmwuaW1zZ2xvYmFsLm9yZy9zcGVjL2x0aS9jbGFpbS92ZXJzaW9uIjoiMS4zLjAiLCJodHRwczovL3B1cmwuaW1zZ2xvYmFsLm9yZy9zcGVjL2x0aS9jbGFpbS9tZXNzYWdlX3R5cGUiOiJMdGlEZWVwTGlua2luZ1Jlc3BvbnNlIiwiaHR0cHM6Ly9wdXJsLmltc2dsb2JhbC5vcmcvc3BlYy9sdGkvY2xhaW0vZGVwbG95bWVudF9pZCI6IjM5Iiwibm9uY2UiOiIxYjRjYWRiZi1kOWQ5LTQ5NWItOGU1MC1jNjY0MzYzZDBjNGQiLCJqdGkiOiI0ZmNiOTgwMi04ODVhLTQ1ZWYtYjNlMC05YThkMDY4OTlmNjciLCJpYXQiOjE2MjcyMzM5ODEuMjYwMDA3LCJuYmYiOjE2MjcyMzM5ODEuMjYwMDA3LCJleHAiOjE2MjcyMzQ1ODEuMjYwMDA3fQ.D1_vl22-Vdgyenl9A8koxSb_Sj_GyNWmOqL3uzOSdlePDWSs5OsJYyHxKPuR79bxrNCDzuP5jATylYe-w5NxT2qFGL-BwXtrSCqd3hCGdrq-cyx8gqs-iUQkfUASG5giDspiV8IeEqQkEbGW9HCySyun_R_I1WOloToXBHqt-AqG0jMRG9ZDjVYsZ0Fjh68IHmE8uC37Yz7Fv8pNfNPJBAp8ac8V_G_o-0JHKMtOEOeMp_RSPHlSA-bcD73098UTBR9jroalPlDFBTNkgI3yQDRmuFF1FqSBS7FQ9FuX6HBjz2gZD7v7ImCYQ6qnMwiZlZy0EfDDioLxvhSZu8nJArcTCPCVCxZVRn4SGsnmSKWu1zTZ3nrLjm0AE3mzU6FHWX-E1BSW5y1wzX-ofoqLHCkWioflfzNJ37rMlFpIYGC1nGPlN-sImJCiZTwOxMKvXe_3Mufl3pPAqSao_3ba0prr9aYBN3cl3rVHp4aWvAJMhttovOs2LxWTojM5n0TVMfDpwtkRNHpIS7JDD-oBxcAV-OVR-2yl02qJntPKFRdyN37_NZiWc7IcywBCefjpeNHRHLAfV2lkCiEEmo7w7BF_hz-fAQc7aExfvFqj3T55cglIA_4JJ4ZPY2ng1KKRg1SeFhM3CHz3WjVtX0gYmbDSvUKmmFqNhCMA1PMzvP4

Hi, I develope laravel app for LTI Tool, and I use moodle as LTI Platform to consume course from laravel.
I wonder how to set Launch Presentation width & height, because moodle display height is too short and when I debug it says height is null

thank you

On migrating from 5 to 6 we get a failure in the LtiServiceClient.

We reverted #109 (removing the array for the CLAIM_AUD on 207) which fixed the issue.

The following error appears at OIDC initiation:

OIDC initiation failed: OAT\Library\Lti1p3Core\Message\Payload\Builder\MessagePayloadBuilder::buildMessagePayload(): Argument #1 ($keyChain) must be of type OAT\Library\Lti1p3Core\Security\Key\KeyChainInterface, null given, called in /var/www/html/vendor/oat-sa/lib-lti1p3-core/src/Security/Oidc/OidcInitiator.php on line 96

It happens becaue buildMessagePayload definitely expect a key chain object but the given Registration does not contain any tool key chain information.

How about throwing an LtiException before the following line?

https://www.imsglobal.org/spec/security/v1p0/#id-token

aud
REQUIRED. Audience(s) for whom this ID Token is intended i.e. the Tool. It MUST contain the OAuth 2.0 client_id of the Tool as an audience value. It MAY also contain identifiers for other audiences. In the general case, the aud value is an array of case-sensitive strings. In the common special case when there is one audience, the aud value MAY be a single case-sensitive string.

This library makes it always a special case, and only support SINGLE value aud Claim when OidcAuthenticator and can't do any overwride

I can not find any example on IMS site about aud that is not an array
EG: http://www.imsglobal.org/spec/lti/v1p3/#e-full-example-resource-link-request

I'm calling the handler in my platform oidc/auth controller like this: $psrRequest = $this->requestFactory->createServerRequest($request->getMethod(), $request->getRequestUri()); return $this->handler->handle($psrRequest);

but it triggers a RuntimeException with this error: Resources are not supported in serialized data. Path: Nyholm\Psr7\Stream -> Nyholm\Psr7\Response

because the serializer finds a property of type resource...

Any idea what might be wrong? Since I'm using the bundle handler I'm not really sure how to avoid it.

Hi all,
I would like to know if this library offer some strategy for caching the message Launch in order to retrieve message launch data during subsequent requests, for example consider this Deep Linking Scenario:

• the platform launch the tool and the tool show the Item Selection content after the message Launch validation using the method validatePlatformOriginatingLaunch, this method return LaunchValidationResultInterface with lots of usefull information (for example deep linking settings)
• The user select some contents and click on a button in order to send the items to platform, so we need to create a Deep Link Response, at this stage we can retrieve the data from the cache in order to build the response.

Have I to implement my own this strategy? Or do you offer something?
Hope all is clear,

Hello, I need help about this package, I still confuse about step by step guide if I want integrate my laravel app as a LTI platform, I use moodle as LTI Tool provider and moodle give me Registration URL, what can I do with that link? I cannot find any code that tell me to process that link, what essential routes needed to be a Platform, how to process from Registration URL and get all the data from tool provider and then launch the course.

thank you in advance

Hi,

I've been using your LTI 1.3 core library in a project (as a platform) for a while with some success. However, I've recently noticed something unexpected in how it handles platform-side OIDC authentication.

IMS Global's documentation states that the nonce is supposed to be passed as is from the auth request into the auth response's id token sent to the LTI tool: however, the \OAT\Library\Lti1p3Core\Security\Oidc\OidcAuthenticator class by default contains a message payload builder which generates a new nonce and injects it into the ID token, thus causing some LTI tools to reject auth responses created by this library.

I've been able to work around this issue, but I believe that since this is a fundamental aspect of OIDC security checking that either:

• I'm missing something in how OidcAuthenticator instances are created (but I didn't see any other documentation on this, and no other nonce generator implementations exist within this library)
• the library is mistakenly generating a new nonce for the auth response
• I and/or the LTI tool provider is mistaken as to the purpose of the nonce

Thank you for your time and advice, your work is appreciated.