Bug
Resolution: Fixed
Major
4.4.4, 4.5
1
Team Alpha - Planning I4-2024
Problem
Related to MDL-77077. This is a case that was missed there. See discussion here: https://moodle.org/mod/forum/discuss.php?d=462499
To replicate:
- You first need to set up a working Moodle-to-Moodle LTI (see the https://docs.moodle.org/405/en/Publish_as_LTI_tool docs)
- Now, in the tool site, modify enrol/lti/jwks.php such that the last part of the file reads:
//echo json_encode($keyendpoint->getPublicJwks());
echo '{"keys":[{"kty":"RSA","use":"sig","e":"AQAB","n":"pb8U0nKOwqZCRXw0_2d_PdVA2sk8-9WHlKNHgM4O4RP6Mb2pieeYqik9_UZGBqYBBt3gn7Vtf9SGCb6lxhWmz418uz4wALS2Txt9WiqWTDJQcirnDTjk5vpKyWA2TlbarF6hK_YAtvEvF5XqCmmQ71au6s3d0C1k3ALwqcikl10rEZbqOKOzxhKo4qPXUlujHWKA67xYHNfdf-y6ffm0bZRyE-wmhRvhgCjtMZ3EaAVjTkWGRehGHeeiznIqz0QNHwDNTtrWNVNmzORmtY1PKtAJQB1xVS4v6K1cgf2yb7-v83Gbkz8xEfvlPGtw7s32xVOUDcbqtHkoAlHHgDwRqQ","kid":"1d9c904e0e7d9c3faa07"},{"kty":"RSA","use":"sig","e":"AQAB","n":"pb8U0nKOwqZCRXw0_2d_PdVA2sk8-9WHlKNHgM4O4RP6Mb2pieeYqik9_UZGBqYBBt3gn7Vtf9SGCb6lxhWmz418uz4wALS2Txt9WiqWTDJQcirnDTjk5vpKyWA2TlbarF6hK_YAtvEvF5XqCmmQ71au6s3d0C1k3ALwqcikl10rEZbqOKOzxhKo4qPXUlujHWKA67xYHNfdf-y6ffm0bZRyE-wmhRvhgCjtMZ3EaAVjTkWGRehGHeeiznIqz0QNHwDNTtrWNVNmzORmtY1PKtAJQB1xVS4v6K1cgf2yb7-v83Gbkz8xEfvlPGtw7s32xVOUDcbqtHkoAlHHgDwRqQ","kid":"ssss1d9c904e0e7d9c3faa07"}]}';
Note: these are my public keys and will never work for a JWT decode for you, but this is enough to trigger the error before the decode takes place.
- Now, do a content selection launch from the platform site to the tool site.
Observe the exception message: JWK must contain an "alg" parameter
Solution
Since we're only able to 'fix' (i.e. infer the alg for) the one key whose kid matches the kid in the JWT header (and only per the other rules defined in jwks_helper::fix_jwks_alg()), we need to exclude the other keys from the keyset parsing, which fails for any key without the alg property. Since those keys cannot be used during decode anyway (their kids don't match the kid in the JWT header), this should be fine. I'd also prefer this to naively guessing the alg or falling back on assumed defaults.
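The keyset handling described above, as an added example that is not Moodle's own code: a strict keyset parser (emulating the "JWK must contain an \"alg\" parameter" failure that firebase/php-jwt's parseKeySet raises) fails on the two-key JWKS from the replication steps, while a fix step that first narrows the keyset to the kid named in the JWT header, and only then infers a missing alg from that header, lets the parse succeed. It is written in Python rather than PHP for illustration; the helper names, the ALLOWED_ALGS list and the rule "take the alg from the JWT header for an RSA key" are assumptions of this example, and the JWT and modulus values are constructed placeholders (the kids are the ones from the issue).

```python
import base64
import json

# Assumption for this example: algorithms an RSA signing key may be assigned
# when it carries no "alg" (the real jwks_helper has its own rules).
ALLOWED_ALGS = {"RS256", "RS384", "RS512"}

# Constructed JWKS mirroring the replication steps: two RSA signing keys with
# different kids and no "alg" on either. The modulus is a placeholder.
SAMPLE_JWKS = {
    "keys": [
        {"kty": "RSA", "use": "sig", "e": "AQAB", "n": "placeholder-modulus",
         "kid": "1d9c904e0e7d9c3faa07"},
        {"kty": "RSA", "use": "sig", "e": "AQAB", "n": "placeholder-modulus",
         "kid": "ssss1d9c904e0e7d9c3faa07"},
    ]
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(header: dict) -> str:
    """Constructed, unsigned JWT: only the header matters here, because the
    keyset parse fails before any signature check takes place."""
    segments = [b64url_encode(json.dumps(header).encode()), b64url_encode(b"{}"), "sig"]
    return ".".join(segments)


def jwt_header(jwt: str) -> dict:
    """Return the decoded JOSE header (first segment) of a compact JWT."""
    return json.loads(b64url_decode(jwt.split(".")[0]))


def parse_keyset_strict(jwks: dict) -> dict:
    """Emulates a strict keyset parser: every key must carry "alg", otherwise
    the whole parse fails, even for keys the decode would never use."""
    parsed = {}
    for key in jwks.get("keys", []):
        if "alg" not in key:
            raise ValueError('JWK must contain an "alg" parameter')
        parsed[key["kid"]] = key
    return parsed


def keyset_parses(jwks: dict) -> bool:
    """True if the strict parser accepts the keyset, False if it raises."""
    try:
        parse_keyset_strict(jwks)
        return True
    except ValueError:
        return False


def fix_jwks_alg(jwks: dict, jwt: str) -> dict:
    """Narrow the keyset to the key matching the JWT header's kid, then infer
    a missing "alg" for that one key from the header. Keys with other kids
    are dropped rather than guessed at; the input keyset is not mutated."""
    header = jwt_header(jwt)
    kid = header.get("kid")
    alg = header.get("alg")
    matching = [k for k in jwks.get("keys", []) if k.get("kid") == kid]
    if not matching:
        raise LookupError(f"no key with kid {kid!r} in keyset")
    key = dict(matching[0])
    if "alg" not in key:
        if key.get("kty") != "RSA" or alg not in ALLOWED_ALGS:
            raise ValueError(f"cannot infer alg {alg!r} for key {kid!r}")
        key["alg"] = alg
    return {"keys": [key]}


if __name__ == "__main__":
    jwt = make_jwt({"alg": "RS256", "typ": "JWT", "kid": "1d9c904e0e7d9c3faa07"})
    print("raw keyset parses:", keyset_parses(SAMPLE_JWKS))
    fixed = fix_jwks_alg(SAMPLE_JWKS, jwt)
    print("fixed keyset:", json.dumps(fixed))
    print("fixed keyset parses:", keyset_parses(fixed))
```

Run as a script it prints that the raw two-key keyset does not parse while the narrowed one-key keyset does. The narrowing happens before inference on purpose: a kid that is absent from the keyset is reported as a lookup failure, and a key whose alg cannot be inferred under the stated rules is rejected rather than defaulted.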