Closed Rohi145 closed 5 years ago
What are you using as the key_set_url for your registration?
Ok, what is the message in the exception when trying to validate a signature with that key?
Uncaught exception 'IMSGlobal\LTI\LTI_Exception' with message 'Invalid signature on id_token'
For your reference, please find below my private key:
-----BEGIN PRIVATE KEY----- MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDARl/3FzG7C2fZ Gy17T6bBuQsAK9fSTCgrODlnKsSGR2KaPo2Wt3cfv+C1dlXIhoUN+gUgEmc89q1P rr+FSGWUkLZLIadh7cpNbaDXzsMlBBPcJ1MhbgYJjP9xF9nOPE5IKnTy3VLE/TdE MD4MWuotUNSXTty1v/H+W4DwuUhy2kfUwm/6aCK2H8XVld71PF59uqFm+LRwC4Vq sCgMtWqq6Vpgl9j4gZMh2JmPP+lcRL8FBPkzoxLdrt5e/dMyRPSudvKEUDcT26xR C/qEGYQAnn3LO8ISipkAIraJHVQbUp/2iM01E8bfUKKnW0IVvEHXdMo4otoB93fx 8Qv23h0BAgMBAAECggEABExObt6U3QKHQsIpxRzltGTniwxv2aKcL0MlfVnmZL4J xTrqvVjCj/IhGs1XY5EmPka9gJcIucMl4qccXuVcZ/LIMGvDKxw+rnZp5wkXMaei rgQvBotIFUSSnTuUQdj1QwW38YnjBMZISvztFieeHn81EWDQ7DsrNK1k93yc0vxm O2NItOUph0eJkLhU/b6zh91gVGsbOaS339R9cSfAhAsQg+YsO67adfbVUxru+Ajz 7BGmA+898DyIVAQneC0fGiGcj6yAo+P7n9WcNTvk7NqdaHwFjognQhUMwQDpqVgf PRDMkAIeF6mFrPhA1MtSVVkAtCCdbEA145OfM44XwQKBgQDm3AxJcTiZFR6eLZqD +EF8ISmbD0fKK5tymgGJzLq1ZbSd0Eo6spv1q+FqPFfqYlK31X1H/vhDjGGOEbbg 1iQV9X4bK8UXQi4sbtbc6nvh/w1er4idefDSkCVJZOLReVCamHimrX5V46p/TdzI RbnPt5j0l2pg4f9B1S5oYdIESQKBgQDVNqfOFYcvYkKJSwk17dS96nmTONwjoImr ntD+xUZuArOtisQSVAk82/b1q0gXnure/aDXMrM4QVFoq437kEYKtsAaZdAX4wsS hpnCwqmpkGnCIIR6pe6QDQfwiimeX0sjCodkErxkQ+K3GNnm2DIg7R/NC2jH9Tiq 4OiY5FRi+QKBgHJzx5eljSS/xrUu8LramkSbAFCCi9ncMq3nUjnqCOqjqJ7Qw+xD 3nQ2qYOMtR1bb5z6N6k47AY5E6hmed8P60YDtmhsE8NLKS8YKGfPzGknlI5LwhQo f0807Xdsj9LALUjnrHEd9FNKkp2YkYusnckwQaGJa9DqWi1eLirLzF4ZAoGBAJ2G uAwG084qZsZQ7gkuIlP+fLxM8jhQT+bAe+D/l72HuYCqWZrBA+I3EgsH9UeeXiFK eh8Ekm0ptSAEP+5w9Y7M3rmiJ1C+qluRnuDKOdfRnpGSvM5w8gTz273YFk+wUC8f hFBnl1Ds5wAoGDX53W9+QlSX7V5uyuNVMARmDgLhAoGAZNq3Vcvul6Ha+yH2+ztY FjbdoJF8fP2sXRHJ8y5+IypelQKg923O74WvnncmT3yQD0+I2/qcAHhh2EIPSeMI fER5wbPztcPpdCFI5hC9252iRj0OVK9cwvqt2YWrMADPDxakqU9MJiHzoN4W8BIR D2PqdK+NduwtTCYPWPWZtsU= -----END PRIVATE KEY-----
@Rohi145 The incoming LTI request and id_token isn't validated by your private key, it is validated against the public keys at the JWKS endpoint. The endpoint you gave doesn't have any keys in it https://developer.blackboard.com/api/v1/management/applications/53ff6a48-5896-4d30-8922-83c713dbc2bf/jwks.json so it can't find the correct key to validate the request. It may be that your registration has been deleted in Blackboard and you need to create a new one.
Hi Martyn,
Sorry for the inconvenience. Please find below the new keyset and private key:
-----BEGIN PRIVATE KEY----- MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCPGwOIIPxDgprk ADh83Gk4ZAFSBpX2aD1QCJK7EjmDqQ9NI0jeARFCOpWD8zDkAgmaLK3XF88L64bp eAuiIBnQau+UCahPLGskfMJqVGu8+ZRK3lrhJG1o3Kl5aSZYJAGh0U6Bfm/EPhIj Q9Gd+z/66eNGmC3dHi+bANCoCdUHA7Bu+iBwAp3GDw/nBH0gDnV+KtNFPnCZgwIh kA6rF1IEVUIdrtrGxc7Nlxya9DCQhAObE8y/JDSLNz56nWSOO3WafuUqkxdqs7Br 9VkUgg41u7+IY44GZuHLlxUZZcj72GqeFTSCOlRe5q36gdYYcFU1Ys4t7DhauY5O EOqmzb+BAgMBAAECggEAavMicZNNVNsADVQI43AKhyVeQ0I+wzfmUrEFkB+vsjEg CWNMavZbQqbr5QBUUqMfMAUiKrVVfLAaVNPtxc293SB+SqHpErq8nDlNRxAusL3J 0SZavxZtWkhHtEAccxT9z0TRKkAnIX/OKGLf/vSuPUSdIb5L0Ixlwa8bQeqPNbyq mCoYhHGklIm+HslKNuM9L2QECxh6q34qF6CUaPEBp4PvMnawBLnFrOIMVeLPSah4 xZQ+L3A8Ctys82cvfgkY105k1STII2HsCpjQbJ82Pupi/db1f1KCEieinbM1L0yv FgCpRXZwuTsso468lmh7AtaEOnltm5fvhIUO7MW1DQKBgQDzxK+e2BAGFBkS4jhS 5yd5C03TLDBSBxKfa/Vh6i/2BO/Km3njjBKuc5WafaLa+F4ORIjmos0WkMPrLlAS XVPYNFz2huCBZPwcEoESWMQxwr+OLf64V9+RGvc8JrD2AeScL+vswAdZLzFHf+dr Ga12e0dpcJJe2LTBFL0nbw4yRwKBgQCWSUTU56DXVbpz1Hq/hzJC2B6iqLbdmUQX Wfs5B/Akc1EhkZL3SN2AqpUlhKOSILwD+P6WqoP/G9cezOUBrA8hKv2pxkOUSprn R3xHP5/YPwczZUQHrIgs8NzJfwDOQlvjsxO2oJkW8SfXGcVVeIHPjAEmVnhGJTXJ NnBka+Rb9wKBgHj7buX4+crqgp86oxWSH6cVkyRxU/ICDJ4OqJRV9EO3o4L8svvZ 8xOdzewE2qSui4+tN/yvY/YFFxdLvvW+V/R/2HuJ6TaO9gjArkp6v7SqoQNhlH/N LOoJZhb2ZPFTczCJICA6FeuPXnfL5QDkl5CsEn8kHaDxEJSbRF2j4nnVAoGALCeU wJTZTcsTP+risZkQLFGBFrtJFuxr9Axs4kGxzZPP93Pk4SCYa7Ayp9ZDlLBnbSdf 7XZl17MfTh5W/lnGDDGsW5Az1MLipib7nZdU6F0ESZZsGXEYhVOzGsRkwTT/+HNp zFN9Bx+NXAZnUwhX41m4EMKBDeLq3ZZQCUEl09sCgYBjOjnh9wEBC4YGzJ/5IMmV yC4P3toCBZikqtUDdNIbsOoPtR+GN00GF/EoZe+vzbLhH9EY9aSCYJrno2elOAMj L+f5RaKkEVokcdEQkJhbT6kN39WuPKF3wJJfGKypd914kbLeA78MCK9v08rVCvzq W6DXjXPz45ts9W9wxZ571w== -----END PRIVATE KEY-----
@RohitAShirsath What does your implementation of LTI\Database look like? Are you just trying to get the example code working, or are you using the library in your own code? (I would also advise not putting your private key in public comments, as it would allow people to do impersonation attacks.)
@Martyn, We are using your library in our project, but signature verification is not done properly. Also, thanks for your advice, but these are our testing account keys. We are using these keys on the local server.
The signature is done here https://github.com/IMSGlobal/lti-1-3-php-library/blob/master/src/lti/lti_message_launch.php#L287 could you add in some logging to check what is in $this->request['id_token'] and $public_key['key'] at that point?
@Martyn, Is signature verification done on your side using our credentials?
We already went through that process, but we are getting the same error each time.
The library handles validating the signature, for example
$launch = LTI\LTI_Message_Launch::new(new Example_Database())->validate();
When validate is called the library will use the Example_Database to identify the registration, then will fetch the public key from the key_set_url provided and validate the signature. There isn't currently a way to bypass the library's signature validation. So if you have already validated the JWT manually, the library will do it again.
@Martyn,
We are passing the key set and private key in the JWT, but validation failed using those keys. Are we missing something?
You do not validate the id_token with your private key, you validate it with the platform public key that matches the KID from the id_token that is fetched from the key_set_url
The private key is used to sign requests that the tool makes to the platform
@MartinLenord
Yes, we agree with that. When we validate the token with the public key, we are getting a "Signature verification failed" error.
Can you please guide me about that?
Can you send me the id_token you are trying to sign and the public key you are using to sign it?
Hmm, interesting, that JWT is signed with your private key, not Blackboard's. Did you re-sign the request?
Why are you re-signing the request? You can't re-sign a request from a platform, because you don't know the platform's private key; you can only validate it with the public key.
@MartinLenord,
Do you mean to say that we should not use the Blackboard credentials for JWT authentication?
So what is the use of the keyset and private key provided to us by Blackboard?
Because we are using those for JWT creation and authorization.
Each party (tool and platform) has two keys, a public key and a private key. The private key is used to sign requests, the public key is given to the other party so that they can validate that a message is really coming from the first party.
Blackboard gives you a private key for you to sign requests that are going back to Blackboard with; it also gives you a JWKS url so that you can get their public key to validate that the incoming request is coming from them.
You only sign outgoing requests with your private key (like requesting a service access token or signing a deep linking response).
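The two-key-pair model Martyn describes above (and the validate() flow from his earlier reply) as an added worked example; this is not code from the thread or from the IMSGlobal PHP library. It is written in Go with only the standard library so it runs offline: the "platform" side publishes a JWKS and signs an id_token with its private key; the "tool" side looks up the platform key by kid in that JWKS and verifies the signature, and separately signs its own client_assertion for a token request with its private key. It also reproduces the two failure modes from the thread: an empty JWKS (no matching kid) and a launch re-signed with the tool's key (invalid signature). Key ids, issuer URLs, client id and claims are constructed placeholders, not Blackboard values, and the RS256 handling is a minimal illustration, not the library's implementation.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// JWK is the subset of an RSA JSON Web Key a tool needs to verify RS256.
type JWK struct {
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}

type JWKS struct {
	Keys []JWK `json:"keys"`
}

var b64 = base64.RawURLEncoding

// PublishJWKS is what a party serves at its key_set_url: only the PUBLIC half of
// its signing key, labelled with a kid so the other side can pick it.
func PublishJWKS(kid string, pub *rsa.PublicKey) []byte {
	jwk := JWK{Kty: "RSA", Kid: kid,
		N: b64.EncodeToString(pub.N.Bytes()),
		E: b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())}
	out, _ := json.Marshal(JWKS{Keys: []JWK{jwk}})
	return out
}

// SignJWT builds a compact RS256 JWT. The platform uses this for the id_token;
// the tool uses it for its outgoing client_assertion. Only the private-key holder can sign.
func SignJWT(kid string, priv *rsa.PrivateKey, claims map[string]any) string {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	payload, _ := json.Marshal(claims)
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		panic(err)
	}
	return signingInput + "." + b64.EncodeToString(sig)
}

// VerifyJWT is the receiving side: select the OTHER party's public key by kid
// from its JWKS and check the signature. No private key is involved.
func VerifyJWT(token string, jwksJSON []byte) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	headerBytes, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var header struct{ Alg, Kid string }
	if err := json.Unmarshal(headerBytes, &header); err != nil {
		return nil, err
	}
	if header.Alg != "RS256" { // pin the algorithm; never let the token choose it
		return nil, fmt.Errorf("unexpected alg %q", header.Alg)
	}
	var set JWKS
	if err := json.Unmarshal(jwksJSON, &set); err != nil {
		return nil, err
	}
	var pub *rsa.PublicKey
	for _, k := range set.Keys {
		if k.Kty == "RSA" && k.Kid == header.Kid {
			nb, _ := b64.DecodeString(k.N)
			eb, _ := b64.DecodeString(k.E)
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(nb), E: int(new(big.Int).SetBytes(eb).Int64())}
		}
	}
	if pub == nil { // the empty-JWKS / deleted-registration case from the thread
		return nil, fmt.Errorf("no key with kid %q in JWKS", header.Kid)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("invalid signature on id_token")
	}
	payloadBytes, _ := b64.DecodeString(parts[1])
	var claims map[string]any
	_ = json.Unmarshal(payloadBytes, &claims)
	return claims, nil
}

// Demo runs the exchange with constructed keys and placeholder claims and reports:
// whether the platform-signed id_token verifies against the platform JWKS, the
// error from a launch re-signed with the tool key, the error from an empty JWKS,
// and whether the tool's client_assertion verifies against the tool's own JWKS.
func Demo() (platformOK bool, resignedErr, emptyErr error, assertionOK bool) {
	platformKey, _ := rsa.GenerateKey(rand.Reader, 2048) // held by the platform only
	toolKey, _ := rsa.GenerateKey(rand.Reader, 2048)     // the "private key" the platform issued to the tool
	platformJWKS := PublishJWKS("platform-key-1", &platformKey.PublicKey)
	toolJWKS := PublishJWKS("tool-key-1", &toolKey.PublicKey)

	claims := map[string]any{"iss": "https://platform.example", "aud": "client-id-placeholder", "nonce": "n-1"}
	idToken := SignJWT("platform-key-1", platformKey, claims)
	_, err := VerifyJWT(idToken, platformJWKS)
	platformOK = err == nil

	resigned := SignJWT("platform-key-1", toolKey, claims) // what re-signing the launch amounts to
	_, resignedErr = VerifyJWT(resigned, platformJWKS)
	_, emptyErr = VerifyJWT(idToken, []byte(`{"keys":[]}`))

	assertion := SignJWT("tool-key-1", toolKey, map[string]any{"iss": "client-id-placeholder", "sub": "client-id-placeholder"})
	_, err = VerifyJWT(assertion, toolJWKS)
	assertionOK = err == nil
	return
}

func main() {
	ok, resignedErr, emptyErr, assertionOK := Demo()
	fmt.Println("platform id_token verifies:", ok, "| re-signed:", resignedErr, "| empty JWKS:", emptyErr, "| client_assertion verifies:", assertionOK)
}
```

The point the thread keeps circling: the tool key never touches the incoming id_token. It only matters for the last step, where the tool proves its identity to the platform, and the platform checks that against the tool's JWKS, mirroring what the tool does with the platform's.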
@MartinLenord We are doing the following steps; please tell us whether we are correct or not:
1. Blackboard provides us a private key and keyset url. 2. We are using that private key for JWT creation and validating with the public key obtained from the keyset url. Also, we are using the private key for access token generation, but we are not getting any access token using that private key either. Please go through these steps and tell me what is wrong in them.
Also, if the platform private key is used for JWT authorization, how do we get a platform private key that decodes with the key set url?
@MartinLenord
keys.php, which is included in return.php, also does not exist.
And if we are using your tool private key (i.e. the one defined in the private.key file) in return.php, then its JWT signature is validated using the JWK key set. Because of that, we are confused about the credentials.
Hi Martyn,
When we are using your or another private key for OIDC authentication it's working fine... when we are using the Blackboard private key then it's unable to validate OIDC... Can you please help me in this scenario?