oat-sa / lib-lti1p3-core
PHP library for LTI 1.3 Core implementations as platforms and / or as tools.
License: GNU General Public License v2.0
Package php-http/message-factory is abandoned, you should avoid using it. Use psr/http-factory instead.
I'm using this library to implement LTI 1.3 in an LMS application. Reading the documentation, I'm able to get the integration working, but caching access tokens doesn't make sense to me!
When setting up the server service we generate an access token for a key chain, which requires passing an AccessTokenRepository to store the created access tokens. However, the AccessTokenRepository is not used with service endpoint authentication, so why are we storing these tokens if they're not being used?
Maybe the idea is that we create a custom validator interface and pass it to RequestAccessTokenValidator? I think that'd work by decoding the JWT and searching for the id in the cache (the database in my case).
Since the AccessTokenRepository is required for generating access tokens, it should also be required for validating access tokens, so RequestAccessTokenValidator.php should be modified to use the cache adapter to search for access tokens and make sure they're not revoked or expired.
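The check proposed in this issue, written out as an added example. This is not code from the issue author or from lib-lti1p3-core: the store class, mintAccessToken() and validateAccessToken() are hypothetical stand-ins for the library's AccessTokenRepository and RequestAccessTokenValidator, the issuer URL is made up, and the key pair is generated on the fly so the script runs offline. The point it demonstrates is the ordering a validator should follow: pin the algorithm, verify the signature, check exp, and only then consult the same store the generator wrote to, so that an unknown or revoked jti is rejected even though the JWT itself is still valid.

```php
<?php
// Added example, not code from oat-sa/lib-lti1p3-core: a service-side bearer token check that
// verifies the signature and exp claim and then consults the same store the generator wrote to,
// so a revoked or unknown token is rejected. InMemoryAccessTokenStore, mintAccessToken() and
// validateAccessToken() are hypothetical stand-ins, not the library's classes. Requires ext-openssl.
declare(strict_types=1);

function b64url(string $data): string
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function b64urlDecode(string $data): string
{
    $padded = $data . str_repeat('=', (4 - strlen($data) % 4) % 4);
    return (string) base64_decode(strtr($padded, '-_', '+/'), true);
}

/** Stand-in for the repository: remembers every issued jti and whether it was revoked. */
final class InMemoryAccessTokenStore
{
    private array $tokens = []; // jti => ['exp' => int, 'revoked' => bool]

    public function save(string $jti, int $exp): void
    {
        $this->tokens[$jti] = ['exp' => $exp, 'revoked' => false];
    }

    public function revoke(string $jti): void
    {
        $this->tokens[$jti]['revoked'] = true;
    }

    public function find(string $jti): ?array
    {
        return $this->tokens[$jti] ?? null;
    }
}

/** Generator side: mint an RS256 token and record its jti, as the access token endpoint would. */
function mintAccessToken($privateKey, InMemoryAccessTokenStore $store, string $clientId, array $scopes): string
{
    $now = time();
    $jti = bin2hex(random_bytes(16));
    $header = b64url(json_encode(['typ' => 'JWT', 'alg' => 'RS256']));
    $payload = b64url(json_encode([
        'iss' => 'https://platform.example.org', // assumed platform issuer
        'sub' => $clientId,
        'iat' => $now,
        'exp' => $now + 3600,
        'jti' => $jti,
        'scopes' => $scopes,
    ]));
    openssl_sign("$header.$payload", $signature, $privateKey, OPENSSL_ALGO_SHA256);
    $store->save($jti, $now + 3600);
    return "$header.$payload." . b64url($signature);
}

/** Validator side: signature, then exp, then the store. Throws on any failure. */
function validateAccessToken(string $token, string $publicKeyPem, InMemoryAccessTokenStore $store): array
{
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        throw new RuntimeException('malformed token');
    }
    [$h, $p, $s] = $parts;
    $header = json_decode(b64urlDecode($h), true);
    if (($header['alg'] ?? null) !== 'RS256') { // pin the algorithm; never honour alg from the header
        throw new RuntimeException('unexpected alg');
    }
    if (openssl_verify("$h.$p", b64urlDecode($s), $publicKeyPem, OPENSSL_ALGO_SHA256) !== 1) {
        throw new RuntimeException('bad signature');
    }
    $claims = json_decode(b64urlDecode($p), true);
    if (!is_array($claims) || !isset($claims['exp'], $claims['jti'])) {
        throw new RuntimeException('missing exp or jti');
    }
    if ((int) $claims['exp'] <= time()) {
        throw new RuntimeException('expired');
    }
    $record = $store->find((string) $claims['jti']);
    if ($record === null) {
        throw new RuntimeException('unknown jti: not issued by this platform, or already purged');
    }
    if ($record['revoked']) {
        throw new RuntimeException('revoked');
    }
    return $claims;
}

$privateKey = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$publicKeyPem = openssl_pkey_get_details($privateKey)['key'];
$store = new InMemoryAccessTokenStore();
$token = mintAccessToken($privateKey, $store, 'tool-client-id', ['https://purl.imsglobal.org/spec/lti-ags/scope/score']);
validateAccessToken($token, $publicKeyPem, $store);           // accepted: signed, unexpired, known jti
$store->revoke(json_decode(b64urlDecode(explode('.', $token)[1]), true)['jti']);
try {
    validateAccessToken($token, $publicKeyPem, $store);       // same token, now rejected by the store
} catch (RuntimeException $e) {
    echo 'after revocation: ', $e->getMessage(), PHP_EOL;
}
```

The store lookup is deliberately last: it is the only step that costs a database round trip, and a forged or expired token should never reach it. Revocation is also the one property a stateless JWT check cannot provide on its own, which is the gap the issue describes.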
Hi all,
I would like to know if this library offers some strategy for caching the message launch in order to retrieve message launch data during subsequent requests; for example, consider this Deep Linking scenario:
Do I have to implement this strategy myself? Or do you offer something?
Hope all is clear,
codercat/jwk-to-pem must be at version 1.1 to fix GHSA-hm7p-r324-hhf3.
Version 1.1 will be installed if phpseclib is at version 3.*.
I tried to make a pull request, but it seems my tests are failing because I'm running PHP 8.1.
Hello, Is it possible to update this package 'lcobucci/jwt' to a newer version (^5.0) ?
+-------------------+----------------------------------------------------------------------------------+
| Package | phpseclib/phpseclib |
| CVE | CVE-2023-49316 |
| Title | phpseclib vulnerable to denial of service |
| URL | https://github.com/advisories/GHSA-jpr7-q523-hx25 |
| Affected versions | <3.0.34 |
| Reported at | 2023-11-27T18:31:14+00:00 |
+-------------------+----------------------------------------------------------------------------------+
Update to 3.0.34
Hi, I'm building an LTI platform using the LTI Reference Implementation. During content selection, I am redirected to login_initiations on lti-ri, then I click "Send POST request" and it brings me to my platform's OIDC init.
I try OidcAuthenticator and authenticate $request, but it fails with the message
OIDC authentication failed: Argument 1 passed to OAT\Library\Lti1p3Core\Security\Jwt\Parser\Parser::parse() must be of the type string, null given, called in //vendor/oat-sa/lib-lti1p3-core/src/Security/Oidc/OidcAuthenticator.php on line 82
After I dump the $request, I get parsedBody
array:3 [
    "utf8" => "✓"
    "authenticity_token" => "MKLZdolGU4StoBaZDvKSMl0d70BXTXHT2AFIEyPn+1KTCVnKgh64CBzQtMgYZjrCc5lAucV/Z0y4SG3jP03gyg=="
    "commit" => "Send POST request"
]
I have no idea how to authenticate it. I can't find 'authenticity_token' in this library, not even in the test cases, and I have no idea which function can handle it. Any ideas how to authenticate it?
regards
Hi Team, I'm trying to add multiple resources to a ResourceCollection, but it doesn't work. Here is what I've tried so far:
use OAT\Library\Lti1p3Core\Resource\LtiResourceLink\LtiResourceLink; // assumed namespaces
use OAT\Library\Lti1p3Core\Resource\ResourceCollection;

$resources = [];
foreach ($payload->courses as $uuid) {
    $course = Course::whereUuid($uuid)->first();
    if ($course === null) {
        continue; // skip unknown uuids instead of dereferencing null below
    }
    // Give every resource its own identifier: if the collection keys resources by their
    // identifier, reusing 'ltiResourceLinkIdentifier' for each course keeps only the last one.
    $resources[] = new LtiResourceLink($uuid, [
        'url' => getLtiDomain() . '/launch',
        'title' => $course->name,
        'text' => $course->settings['about'],
        'custom' => [
            'course' => $uuid,
        ],
    ]);
}
// aggregate courses into a resource collection
$resourceCollection = new ResourceCollection($resources);
I also tried this method:
$resourceCollection = new ResourceCollection();
foreach ($payload->courses as $uuid) {
    $course = Course::whereUuid($uuid)->first();
    if ($course === null) {
        continue;
    }
    $resource = new LtiResourceLink($uuid, [ // unique identifier per resource, see above
        'url' => getLtiDomain() . '/launch',
        'title' => $course->name,
        'text' => $course->settings['about'],
        'custom' => [
            'course' => $uuid,
        ],
    ]);
    $resourceCollection->add($resource);
}
Neither of these works, so how do I add multiple items to a resource collection properly?
After a successful login and launch validation, when I want to call getContextMembershipForPayload (Lti1p3Nrps), it fails by responding "iat missing".
I tried using OAT\Library\Lti1p3Core\Service\Client\LtiServiceClient directly. The same happens.
Whole error:
Cannot get context membership for payload: Cannot get context membership for claim: Cannot get context membership: Cannot get access token: Client error: POST https://developer.anthology.com/api/v1/gateway/oauth2/jwttoken resulted in a 400 Bad Request response: {"error":"invalid_jwt_token","error_description":"iat missing"}
So it fails in getAccessToken from LtiServiceClient.
The thing is that if I print the token claims... iat appears. So... very, very strange.
Any ideas?
Thanks in advance
I'm calling the handler in my platform oidc/auth controller like this:
$psrRequest = $this->requestFactory->createServerRequest($request->getMethod(), $request->getRequestUri());
return $this->handler->handle($psrRequest);
but it triggers a RuntimeException with this error: Resources are not supported in serialized data. Path: Nyholm\Psr7\Stream -> Nyholm\Psr7\Response
because the serializer finds a property of type resource...
Any idea what might be wrong? Since I'm using the bundle handler I'm not really sure how to avoid it.
On migrating from 5 to 6 we get a failure in the LtiServiceClient.
We reverted #109 (removing the array for CLAIM_AUD on line 207), which fixed the issue.
According to the IMS Global spec (https://www.imsglobal.org/spec/security/v1p0/#using-json-web-tokens-with-oauth-2-0-client-credentials-grant): "...the authorization server MAY instruct the Consumer to use the token endpoint URL of the authorization server as a value for an aud element..."
Not all platforms do this. For example, Brightspace has a separate audience value. The Brightspace OAuth2 Audience is https://api.brightspace.com/auth/token and its Brightspace OAuth2 Access Token URL is https://auth.brightspace.com/core/connect/token
In the current implementation of the ServiceClient the aud is set equal to the platform->getOAuth2AccessTokenUrl() value. I propose to set it equal to the platform->getAudience() value.
The piece of code to be changed is:
Just ran into the TAO PHP framework for LTI and was thinking of including it in an app, but we would like to offer dynamic registration from day one. Are you considering it at all?
https://www.imsglobal.org/spec/lti-dr/v1p0
Hi, I am developing a Laravel app as an LTI tool, and I use Moodle as the LTI platform to consume courses from Laravel.
I wonder how to set the launch presentation width & height, because the Moodle display height is too short, and when I debug it says height is null.
thank you
relates to #178
As the title of this issue says: the LtiMessage::toUrl() method should generate a valid URL if the base URL already contains a query string.
A base URL of http://localhost/mod/lti/contentitem_return.php?course=2&id=39&sesskey=BP0AlkCbZq results in the following return value from LtiMessage::toUrl() (which is invalid because of the double ?):
http://localhost/mod/lti/contentitem_return.php?course=2&id=39&sesskey=BP0AlkCbZq?JWT=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjU1ZmQwNzIxMWY5ZDQ4MGVhOWVjNGIwNTU5ZGFiNzMwZGNlZmU4MjZhMDdmZjU5YjA5NDgxN2Q1NmRjZjJlNzYifQ.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.D1_vl22-Vdgyenl9A8koxSb_Sj_GyNWmOqL3uzOSdlePDWSs5OsJYyHxKPuR79bxrNCDzuP5jATylYe-w5NxT2qFGL-BwXtrSCqd3hCGdrq-cyx8gqs-iUQkfUASG5giDspiV8IeEqQkEbGW9HCySyun_R_I1WOloToXBHqt-AqG0jMRG9ZDjVYsZ0Fjh68IHmE8uC37Yz7Fv8pNfNPJBAp8ac8V_G_o-0JHKMtOEOeMp_RSPHlSA-bcD73098UTBR9jroalPlDFBTNkgI3yQDRmuFF1FqSBS7FQ9FuX6HBjz2gZD7v7ImCYQ6qnMwiZlZy0EfDDioLxvhSZu8nJArcTCPCVCxZVRn4SGsnmSKWu1zTZ3nrLjm0AE3mzU6FHWX-E1BSW5y1wzX-ofoqLHCkWioflfzNJ37rMlFpIYGC1nGPlN-sImJCiZTwOxMKvXe_3Mufl3pPAqSao_3ba0prr9aYBN3cl3rVHp4aWvAJMhttovOs2LxWTojM5n0TVMfDpwtkRNHpIS7JDD-oBxcAV-OVR-2yl02qJntPKFRdyN37_NZiWc7IcywBCefjpeNHRHLAfV2lkCiEEmo7w7BF_hz-fAQc7aExfvFqj3T55cglIA_4JJ4ZPY2ng1KKRg1SeFhM3CHz3WjVtX0gYmbDSvUKmmFqNhCMA1PMzvP4
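The behaviour this issue asks for, as an added example that is not the library's LtiMessage::toUrl() and not code from the issue: a helper (the name appendQueryParameters() is made up) that merges launch parameters into a base URL which may already carry a query string or a fragment, so the result has exactly one '?'. The JWT in the usage line is a constructed placeholder, not a real token.

```php
<?php
// Added example, not the library's LtiMessage::toUrl(): append parameters to a URL that may already
// have a query string (e.g. Moodle's course/id/sesskey) or a fragment without emitting a second '?'.
declare(strict_types=1);

function appendQueryParameters(string $baseUrl, array $parameters): string
{
    // Split off the fragment first: query parameters must precede '#'.
    $fragment = '';
    $hashPos = strpos($baseUrl, '#');
    if ($hashPos !== false) {
        $fragment = substr($baseUrl, $hashPos);
        $baseUrl = substr($baseUrl, 0, $hashPos);
    }

    // Keep whatever query the platform put there and merge ours on top (ours win on key clashes).
    $existing = [];
    $queryPos = strpos($baseUrl, '?');
    if ($queryPos !== false) {
        parse_str(substr($baseUrl, $queryPos + 1), $existing);
        $baseUrl = substr($baseUrl, 0, $queryPos);
    }
    $merged = array_replace($existing, $parameters);
    if ($merged === []) {
        return $baseUrl . $fragment;
    }

    // http_build_query() percent-encodes anything outside the RFC 3986 unreserved set, so a value
    // containing '&', '=' or '#' cannot smuggle in an extra parameter or truncate the URL.
    return $baseUrl . '?' . http_build_query($merged, '', '&', PHP_QUERY_RFC3986) . $fragment;
}

$returnUrl = 'http://localhost/mod/lti/contentitem_return.php?course=2&id=39&sesskey=BP0AlkCbZq';
echo appendQueryParameters($returnUrl, ['JWT' => 'eyJ0eXAiOiJKV1QifQ.e30.placeholder']), PHP_EOL;
echo appendQueryParameters('https://tool.example.org/launch#top', ['JWT' => 'x', 'state' => 'a b']), PHP_EOL;
```

A compact JWT consists only of base64url characters and dots, all RFC 3986 unreserved, so it survives the encoding untouched; the encoding matters for arbitrary values such as state.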
In https://github.com/oat-sa/lib-lti1p3-core/blob/master/tests/Traits/DomainTestingTrait.php#L68, the tool audience should be toolAudience and not platformAudience.
The following error appears at OIDC initiation:
OIDC initiation failed: OAT\Library\Lti1p3Core\Message\Payload\Builder\MessagePayloadBuilder::buildMessagePayload(): Argument #1 ($keyChain) must be of type OAT\Library\Lti1p3Core\Security\Key\KeyChainInterface, null given, called in /var/www/html/vendor/oat-sa/lib-lti1p3-core/src/Security/Oidc/OidcInitiator.php on line 96
It happens because buildMessagePayload definitely expects a key chain object, but the given Registration does not contain any tool key chain information.
How about throwing an LtiException before the following line?
Related to this closed issue: #46
Now in 2024, we found in actual testing that Brightspace allows using the OAuth2 Access Token URL as the value of aud to obtain access tokens. At the same time, Brightspace does not support having two different values in the aud array, which may cause a server-side 500 internal error.
So the current method cannot get an access token from the Brightspace API.
lib-lti1p3-core/src/Service/Client/LtiServiceClient.php, lines 216 to 219 in bef0d5f:
// $registration->getPlatform()->getAudience(),
$registration->getPlatform()->getOAuth2AccessTokenUrl(),
On the contrary, just using the OAuth2 Access Token URL as aud works on most platforms, including Canvas, saltire and Brightspace. This was the default implementation in earlier releases.
Hello, I need help with this package. I'm still confused about the step-by-step guide if I want to integrate my Laravel app as an LTI platform. I use Moodle as the LTI tool provider, and Moodle gives me a Registration URL; what can I do with that link? I cannot find any code that tells me how to process that link, what essential routes are needed to be a platform, how to process the Registration URL and get all the data from the tool provider, and then launch the course.
thank you in advance
According to the LTI 1.3 specs, the out-of-band registration process includes registration of the redirect URIs provided by the tool. The authentication response shall be sent only to one of those URIs. The specific URI is provided by the tool via the redirect_uri parameter in the authentication request.
However, OidcAuthenticator is sending the authentication response to the target_link_uri, which is the URI to which the tool is supposed to redirect the user after validating the authentication response.
https://www.imsglobal.org/spec/security/v1p0/#id-token
aud
REQUIRED. Audience(s) for whom this ID Token is intended i.e. the Tool. It MUST contain the OAuth 2.0 client_id of the Tool as an audience value. It MAY also contain identifiers for other audiences. In the general case, the aud value is an array of case-sensitive strings. In the common special case when there is one audience, the aud value MAY be a single case-sensitive string.
This library always makes it the special case and only supports a single-value aud claim in OidcAuthenticator, with no way to override it.
I cannot find any example on the IMS site of an aud that is not an array.
E.g.: http://www.imsglobal.org/spec/lti/v1p3/#e-full-example-resource-link-request
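The tool-side counterpart of the quoted text, as an added example that is neither the issue author's code nor lib-lti1p3-core's: an aud check that accepts both shapes the spec allows (a single string, or an array of strings) and requires an exact, case-sensitive match on the tool's client_id, together with the azp check OIDC Core pairs with multi-audience tokens. audienceMatches(), authorizedPartyMatches() and idTokenIsForUs() are hypothetical helpers, and the claim sets at the bottom are constructed.

```php
<?php
// Added example, not code from oat-sa/lib-lti1p3-core. Tool-side validation of the id_token aud claim
// for both shapes the IMS Security Framework allows (string or array), plus the OIDC Core azp check.
// All function names are hypothetical.
declare(strict_types=1);

/** True when the decoded aud claim ($aud: string or array) names this tool's client_id. */
function audienceMatches($aud, string $clientId): bool
{
    $audiences = is_string($aud) ? [$aud] : $aud;   // the single-audience special case
    if (!is_array($audiences) || $audiences === []) {
        return false;                               // missing, empty or some other JSON type
    }
    foreach ($audiences as $value) {
        // Exact, case-sensitive comparison of each entry; no substring or prefix matching.
        if (is_string($value) && hash_equals($clientId, $value)) {
            return true;
        }
    }
    return false;
}

/**
 * OIDC Core 3.1.3.7 says a token with several audiences SHOULD carry azp, and azp SHOULD equal the
 * client_id; this example treats both as required so another audience cannot replay the token at us.
 */
function authorizedPartyMatches(array $claims, string $clientId): bool
{
    $aud = $claims['aud'] ?? null;
    $multiple = is_array($aud) && count($aud) > 1;
    if (!array_key_exists('azp', $claims)) {
        return !$multiple;
    }
    return is_string($claims['azp']) && hash_equals($clientId, $claims['azp']);
}

function idTokenIsForUs(array $claims, string $clientId): bool
{
    return audienceMatches($claims['aud'] ?? null, $clientId) && authorizedPartyMatches($claims, $clientId);
}

// Constructed sample claim sets, as a tool registered with client_id "abc123" would see them.
$clientId = 'abc123';
$samples = [
    'single string'      => ['aud' => 'abc123'],
    'array, one entry'   => ['aud' => ['abc123']],
    'array with azp'     => ['aud' => ['abc123', 'other-tool'], 'azp' => 'abc123'],
    'array without azp'  => ['aud' => ['abc123', 'other-tool']],
    'wrong azp'          => ['aud' => ['abc123', 'other-tool'], 'azp' => 'other-tool'],
    'different client'   => ['aud' => 'abc1234'],
    'missing'            => [],
];
foreach ($samples as $label => $claims) {
    printf("%-20s %s\n", $label, idTokenIsForUs($claims, $clientId) ? 'accept' : 'reject');
}
```

Whichever shape the platform sends, the check runs after signature verification against the platform's JWKS and alongside the iss, exp and nonce checks; aud on its own only tells the tool the token was meant for it, not that it is genuine.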
Hi,
I've been using your LTI 1.3 core library in a project (as a platform) for a while with some success. However, I've recently noticed something unexpected in how it handles platform-side OIDC authentication.
IMS Global's documentation states that the nonce is supposed to be passed as is from the auth request into the auth response's ID token sent to the LTI tool; however, the \OAT\Library\Lti1p3Core\Security\Oidc\OidcAuthenticator class by default contains a message payload builder which generates a new nonce and injects it into the ID token, thus causing some LTI tools to reject auth responses created by this library.
I've been able to work around this issue, but I believe that since this is a fundamental aspect of OIDC security checking that either:
OidcAuthenticator instances are created (but I didn't see any other documentation on this, and no other nonce generator implementations exist within this library)
Thank you for your time and advice, your work is appreciated.
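The two platform-side points raised in this issue and in the earlier redirect_uri issue, combined into one added example that is not the library's OidcAuthenticator and not code from either issue author: the authentication response is posted to the redirect_uri from the request, and only when that value exactly matches one of the tool's registered redirect URIs (never to target_link_uri), and nonce and state are copied from the request into the response unchanged. ToolRegistration and buildAuthenticationResponse() are hypothetical; the id_token claims are returned unsigned and without the remaining LTI claims to keep the example focused, and the request and registration values are constructed.

```php
<?php
// Added example, not the library's OidcAuthenticator. Platform side of the OIDC authentication step:
// exact-match redirect_uri validation against the registration, and nonce/state passed through verbatim.
// ToolRegistration and buildAuthenticationResponse() are hypothetical names.
declare(strict_types=1);

final class ToolRegistration
{
    public function __construct(
        public string $clientId,
        public array $redirectUris // exact strings agreed at out-of-band registration time
    ) {
    }
}

/** Validates the OIDC authentication request from the tool; throws rather than guessing a destination. */
function buildAuthenticationResponse(array $query, ToolRegistration $tool, string $issuer, string $subject): array
{
    foreach (['scope', 'response_type', 'client_id', 'redirect_uri', 'login_hint', 'nonce', 'state'] as $name) {
        if (!isset($query[$name]) || !is_string($query[$name]) || $query[$name] === '') {
            throw new InvalidArgumentException("missing OIDC parameter: $name");
        }
    }
    if ($query['scope'] !== 'openid' || $query['response_type'] !== 'id_token') {
        throw new InvalidArgumentException('not an LTI 1.3 authentication request');
    }
    if (!hash_equals($tool->clientId, $query['client_id'])) {
        throw new InvalidArgumentException('client_id does not belong to this registration');
    }
    // Exact match only: no prefix, wildcard or host-only rules, and no normalisation. A redirect_uri
    // that merely starts with a registered one must not receive the id_token.
    if (!in_array($query['redirect_uri'], $tool->redirectUris, true)) {
        throw new InvalidArgumentException('redirect_uri is not registered for this tool');
    }

    $now = time();
    $claims = [
        'iss'   => $issuer,
        'aud'   => $tool->clientId,  // the tool's client_id, as a single string
        'sub'   => $subject,
        'iat'   => $now,
        'exp'   => $now + 600,
        'nonce' => $query['nonce'],  // verbatim from the request: the tool compares it, we never mint our own
    ];

    // The response is an auto-submitted form POST of id_token and state to redirect_uri.
    return ['post_to' => $query['redirect_uri'], 'state' => $query['state'], 'id_token_claims' => $claims];
}

// Constructed sample: a tool registered with one redirect URI, a valid request, and a tampered one.
$tool = new ToolRegistration('abc123', ['https://tool.example.org/lti/launch']);
$request = [
    'scope' => 'openid', 'response_type' => 'id_token', 'client_id' => 'abc123',
    'redirect_uri' => 'https://tool.example.org/lti/launch', 'login_hint' => 'user-42',
    'nonce' => 'n-0S6_WzA2Mj', 'state' => 'af0ifjsldkj', 'prompt' => 'none',
    'lti_message_hint' => 'resource-link-7',
];
$response = buildAuthenticationResponse($request, $tool, 'https://platform.example.org', 'user-42');
echo 'POST to ', $response['post_to'], ' with nonce ', $response['id_token_claims']['nonce'], PHP_EOL;

try {
    $tampered = ['redirect_uri' => 'https://tool.example.org/lti/launch.attacker.example'] + $request;
    buildAuthenticationResponse($tampered, $tool, 'https://platform.example.org', 'user-42');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Sending the id_token to target_link_uri instead would hand a signed identity assertion to whatever URL the login initiation carried, which is not under the registration's control; the strict in_array() comparison is what keeps the response inside the registered set.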
OAT\Library\Lti1p3Core\Tests\Unit\Security\Jwks\Fetcher\JwksFetcherTest::testItLogCacheFetchAndSaveErrors
The at() matcher has been deprecated. It will be removed in PHPUnit 10. Please refactor your test to not rely on the order in which methods are invoked.
Hi everyone, I am new to LTI 1.3 and TAO, so it is a bit hard for me to understand how to embed this library into my tool. For the LMS, I am using Moodle.
Is there any example code available for this library used by a tool based on PHP? If it is available for demo purposes, can someone please share it with me?
I'm just confused about the workflow. That example code might help me to understand the complete architecture.
Thanks in advance! @Cicatrice