Loading...

XML

Word

Printable

Type: Bug
Resolution: Fixed
Priority: Major
Fix Version/s: 4.4.5, 4.5.1
Affects Version/s: 4.4.4, 4.5
Component/s: LTI External tool
Labels:
- ci
- hqteam_alpha
- release_notes
- triaged

Affected Branches:
MOODLE_404_STABLE, MOODLE_405_STABLE
Fixed Branches:
MOODLE_404_STABLE, MOODLE_405_STABLE
Pull from Repository:
https://github.com/snake/moodle
Pull 4.4 Branch:
~~MDL-83423~~-404
Pull 4.4 Diff URL:
https://github.com/snake/moodle/compare/b48e64e2a1f...MDL-83423-404
Pull 4.5 Branch:
~~MDL-83423~~-405
Pull 4.5 Diff URL:
https://github.com/snake/moodle/compare/9ec7e015271...MDL-83423-405
Pull Main Branch:
~~MDL-83423~~-main
Pull Main Diff URL:
https://github.com/snake/moodle/compare/fc29adddf...MDL-83423-main
Testing Instructions:
Hide

You first need to setup a working Moodle-to-Moodle LTI (see the https://docs.moodle.org/405/en/Publish_as_LTI_tool docs)

Tool site: Any current supported Moodle site

LTI Platform site: The site you're testing with the fix

Now, in the tool site, visit enrol/lti/jwks.php

Copy the raw JSON (this is your valid key and will be needed)

Paste into an editor of your choice, copy the entire key (everything inside the square brackets)

Add a comma (,) after that content you've just copied, and paste it again after the comma. We're basically just simulating having multiple keys in the JWKS.

Next, for the second, pasted key, change the kid to something different to the first. Just 'aaaaaaaaaa' is fine.

Finally, find the "alg": "RSA" property for each key, and remove it.

Copy everything you have now (the full JSON for the two keys)

Open enrol/lti/jwks.php and modify the end of the file as follows, replacing <JWKS> with your copied JWKS JSON (keep the single quotes around it since it needs to be a string):

//echo json_encode($keyendpoint->getPublicJwks());

echo '<JWKS>';

Now, do a content selection launch from the platform site to the tool site.

Verify you don't see any errors, the modal closes and you can see a "Content selected" message
Show
You first need to setup a working Moodle-to-Moodle LTI (see the https://docs.moodle.org/405/en/Publish_as_LTI_tool docs) Tool site : Any current supported Moodle site LTI Platform site : The site you're testing with the fix Now, in the tool site, visit enrol/lti/jwks.php Copy the raw JSON (this is your valid key and will be needed) Paste into an editor of your choice, copy the entire key (everything inside the square brackets) Add a comma (,) after that content you've just copied, and paste it again after the comma. We're basically just simulating having multiple keys in the JWKS. Next, for the second, pasted key, change the kid to something different to the first. Just 'aaaaaaaaaa' is fine. Finally, find the "alg": "RSA" property for each key, and remove it. Copy everything you have now (the full JSON for the two keys) Open enrol/lti/jwks.php and modify the end of the file as follows, replacing <JWKS> with your copied JWKS JSON (keep the single quotes around it since it needs to be a string): //echo json_encode($keyendpoint->getPublicJwks()); echo '<JWKS>'; Now, do a content selection launch from the platform site to the tool site. Verify you don't see any errors, the modal closes and you can see a "Content selected" message
Pre-check results:
Hide

Code verified against automated checks.

Checked ~~MDL-83423~~ using repository: https://github.com/snake/moodle

MOODLE_404_STABLE (0 errors / 0 warnings) [branch: MDL-83423-404 | CI Job]

MOODLE_405_STABLE (0 errors / 0 warnings) [branch: MDL-83423-405 | CI Job]

main (0 errors / 0 warnings) [branch: MDL-83423-main | CI Job]

_{More information about this report}
Show
Code verified against automated checks. Checked MDL-83423 using repository: https://github.com/snake/moodle MOODLE_404_STABLE (0 errors / 0 warnings) [branch: MDL-83423-404 | CI Job ] MOODLE_405_STABLE (0 errors / 0 warnings) [branch: MDL-83423-405 | CI Job ] main (0 errors / 0 warnings) [branch: MDL-83423-main | CI Job ] More information about this report
Automated test results:
Hide

Launching automatic jobs for branch ~~MDL-83423~~-404

https://ci.moodle.org/view/Testing/job/DEV.02%20-%20Developer-requested%20PHPUnit/16985/ PHPUnit (sqlsrv)

https://ci.moodle.org/view/Testing/job/DEV.01%20-%20Developer-requested%20Behat/57870/ Behat (NonJS - boost and classic)

https://ci.moodle.org/view/Testing/job/DEV.01%20-%20Developer-requested%20Behat/57871/ Behat (Firefox - boost)

Launching automatic jobs for branch ~~MDL-83423~~-405

https://ci.moodle.org/view/Testing/job/DEV.02%20-%20Developer-requested%20PHPUnit/16986/ PHPUnit (sqlsrv)

https://ci.moodle.org/view/Testing/job/DEV.01%20-%20Developer-requested%20Behat/57872/ Behat (NonJS - boost and classic)

https://ci.moodle.org/view/Testing/job/DEV.01%20-%20Developer-requested%20Behat/57873/ Behat (Firefox - boost)

Launching automatic jobs for branch ~~MDL-83423~~-main

https://ci.moodle.org/view/Testing/job/DEV.02%20-%20Developer-requested%20PHPUnit/16987/ PHPUnit (sqlsrv)

https://ci.moodle.org/view/Testing/job/DEV.01%20-%20Developer-requested%20Behat/57874/ Behat (NonJS - boost and classic)

https://ci.moodle.org/view/Testing/job/DEV.01%20-%20Developer-requested%20Behat/57875/ Behat (Firefox - boost)

https://ci.moodle.org/view/Testing/job/DEV.01%20-%20Developer-requested%20Behat/57876/ Behat (Firefox - classic)

https://ci.moodle.org/view/Testing/job/DEV.01%20-%20Developer-requested%20Behat/57877/ App tests (stable app version)

Built on: Tue Oct 15 02:25:19 AM UTC 2024
Show
Launching automatic jobs for branch MDL-83423 -404 https://ci.moodle.org/view/Testing/job/DEV.02%20-%20Developer-requested%20PHPUnit/16985/ PHPUnit (sqlsrv) https://ci.moodle.org/view/Testing/job/DEV.01%20-%20Developer-requested%20Behat/57870/ Behat (NonJS - boost and classic) https://ci.moodle.org/view/Testing/job/DEV.01%20-%20Developer-requested%20Behat/57871/ Behat (Firefox - boost) Launching automatic jobs for branch MDL-83423 -405 https://ci.moodle.org/view/Testing/job/DEV.02%20-%20Developer-requested%20PHPUnit/16986/ PHPUnit (sqlsrv) https://ci.moodle.org/view/Testing/job/DEV.01%20-%20Developer-requested%20Behat/57872/ Behat (NonJS - boost and classic) https://ci.moodle.org/view/Testing/job/DEV.01%20-%20Developer-requested%20Behat/57873/ Behat (Firefox - boost) Launching automatic jobs for branch MDL-83423 -main https://ci.moodle.org/view/Testing/job/DEV.02%20-%20Developer-requested%20PHPUnit/16987/ PHPUnit (sqlsrv) https://ci.moodle.org/view/Testing/job/DEV.01%20-%20Developer-requested%20Behat/57874/ Behat (NonJS - boost and classic) https://ci.moodle.org/view/Testing/job/DEV.01%20-%20Developer-requested%20Behat/57875/ Behat (Firefox - boost) https://ci.moodle.org/view/Testing/job/DEV.01%20-%20Developer-requested%20Behat/57876/ Behat (Firefox - classic) https://ci.moodle.org/view/Testing/job/DEV.01%20-%20Developer-requested%20Behat/57877/ App tests (stable app version) Built on: Tue Oct 15 02:25:19 AM UTC 2024

Story Points:
1
Sprint:
Team Alpha - Planning I4-2024

Problem

Related to ~~MDL-77077~~. This is a case that was missed there. See discussion here: https://moodle.org/mod/forum/discuss.php?d=462499

To replicate:

You first need to setup a working Moodle-to-Moodle LTI (see the https://docs.moodle.org/405/en/Publish_as_LTI_tool docs)

Now, in the tool site, modify enrol/lti/jwks.php, such that the last part of the file reads:

//echo json_encode($keyendpoint->getPublicJwks());

echo '{"keys":[{"kty":"RSA","use":"sig","e":"AQAB","n":"pb8U0nKOwqZCRXw0_2d_PdVA2sk8-9WHlKNHgM4O4RP6Mb2pieeYqik9_UZGBqYBBt3gn7Vtf9SGCb6lxhWmz418uz4wALS2Txt9WiqWTDJQcirnDTjk5vpKyWA2TlbarF6hK_YAtvEvF5XqCmmQ71au6s3d0C1k3ALwqcikl10rEZbqOKOzxhKo4qPXUlujHWKA67xYHNfdf-y6ffm0bZRyE-wmhRvhgCjtMZ3EaAVjTkWGRehGHeeiznIqz0QNHwDNTtrWNVNmzORmtY1PKtAJQB1xVS4v6K1cgf2yb7-v83Gbkz8xEfvlPGtw7s32xVOUDcbqtHkoAlHHgDwRqQ","kid":"1d9c904e0e7d9c3faa07"},{"kty":"RSA","use":"sig","e":"AQAB","n":"pb8U0nKOwqZCRXw0_2d_PdVA2sk8-9WHlKNHgM4O4RP6Mb2pieeYqik9_UZGBqYBBt3gn7Vtf9SGCb6lxhWmz418uz4wALS2Txt9WiqWTDJQcirnDTjk5vpKyWA2TlbarF6hK_YAtvEvF5XqCmmQ71au6s3d0C1k3ALwqcikl10rEZbqOKOzxhKo4qPXUlujHWKA67xYHNfdf-y6ffm0bZRyE-wmhRvhgCjtMZ3EaAVjTkWGRehGHeeiznIqz0QNHwDNTtrWNVNmzORmtY1PKtAJQB1xVS4v6K1cgf2yb7-v83Gbkz8xEfvlPGtw7s32xVOUDcbqtHkoAlHHgDwRqQ","kid":"ssss1d9c904e0e7d9c3faa07"}]}';

Note: these are my public keys and will never work for a JWT decode for you, but this is enough to trigger the error before the decode takes place.

Now, do a content selection launch from the platform site to the tool site.
Observe the exception message:
JWK must contain an "alg" parameter

Solution

Since we're only able to 'fix' (aka infer the alg) for the one, single key that matches the kid in the JWT header (and per the other rules defined in jwks_helper::fix_jwks_alg(), we need to exclude other keys from the keyset parsing (which will fail without the alg prop). Since we know these cannot be used during decode anyway (since their kids don't match the kid in the JWT header) this should be fine. I'd also prefer this to trying to naively guess the alg or fall back on assumed defaults.

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List
  - Download All

(1) 11 Passed -- (Main)MDL-83423.png
24/Oct/24 4:26 PM
153 kB
Kim Jared Lucas

Assignee:: Jake Dallimore

Reporter:: Jake Dallimore

Peer reviewer:: Mihail Geshoski

Integrator:: Jun Pataleta

Tester:: Kim Jared Lucas

Participants:: CiBoT, Jake Dallimore, Jun Pataleta, Kim Jared Lucas, Liam Moran, Mihail Geshoski

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Created:: 10/Oct/24 12:18 PM

Updated:: 03/Dec/24 10:17 PM

Resolved:: 25/Oct/24 10:33 AM

Estimated:

Remaining:

Logged:

4h 15m

Details

Description

Problem

Solution

Attachments

Attachments

Activity

People

Dates

Time Tracking

Clockify