1EdTech / lti-1-3-php-library

Apache License 2.0

LTI 1.3 OIDC authentication #18

Closed Rohi145 closed 5 years ago

Rohi145 commented 5 years ago

Hi Martyn,

When we are using your private key or another private key for OIDC authentication, it's working fine. When we are using the Blackboard private key, then it's unable to validate OIDC. Can you please help me in this scenario?

MartinLenord commented 5 years ago

What are you using as the key_set_url for your registration?

Rohi145 commented 5 years ago

https://developer.blackboard.com/api/v1/management/applications/53ff6a48-5896-4d30-8922-83c713dbc2bf/jwks.json

MartinLenord commented 5 years ago

Ok, what is the message in the exception when trying to validate a signature with that key?

Rohi145 commented 5 years ago

Uncaught exception 'IMSGlobal\LTI\LTI_Exception' with message 'Invalid signature on id_token

For your reference, please find below my private key.


MartinLenord commented 5 years ago

@Rohi145 The incoming LTI request and id_token isn't validated by your private key; it is validated against the public keys at the JWKS endpoint. The endpoint you gave doesn't have any keys in it (https://developer.blackboard.com/api/v1/management/applications/53ff6a48-5896-4d30-8922-83c713dbc2bf/jwks.json), so it can't find the correct key to validate the request. It may be that your registration has been deleted in Blackboard and you need to create a new one.

RohitAShirsath commented 5 years ago

Hi Martyn,

Sorry for the inconvenience. Please find below the new key set and private key:

https://developer.blackboard.com/api/v1/management/applications/d27856fc-cf33-44a6-83e8-e1b910c87397/jwks.json


MartinLenord commented 5 years ago

@RohitAShirsath What does your implementation of LTI\Database look like? Are you just trying to get the example code working, or are you using the library in your own code? (I would also advise not putting your private key in public comments, as it would allow people to do impersonation attacks.)

Rohi145 commented 5 years ago

@Martyn, we are using your library in our project, but signature verification is not done properly. Also, thanks for your advice, but these are our testing account keys; we are using these keys on the local server.

MartinLenord commented 5 years ago

The signature is done here (https://github.com/IMSGlobal/lti-1-3-php-library/blob/master/src/lti/lti_message_launch.php#L287); could you add in some logging to check what is in $this->request['id_token'] and $public_key['key'] at that point?

Rohi145 commented 5 years ago

@Martyn, is signature verification done on your side using our credentials?

We have already gone through that process, but we are getting the same error each time.

MartinLenord commented 5 years ago

The library handles validating the signature, for example: $launch = LTI\LTI_Message_Launch::new(new Example_Database())->validate(); When validate is called, the library will use the Example_Database to identify the registration, then will fetch the public key from the key_set_url provided and validate the signature. There isn't currently a way to bypass the library's signature validation, so if you have already validated the JWT manually, the library will do it again.

Rohi145 commented 5 years ago

@Martyn,

We are passing the key set and private key in the JWT, but validation fails using those keys.

Are we missing something?

MartinLenord commented 5 years ago

You do not validate the id_token with your private key; you validate it with the platform public key that matches the KID from the id_token, which is fetched from the key_set_url.

The private key is used to sign requests that the tool makes to the platform.

Rohi145 commented 5 years ago

@MartinLenord

Yes, we agree with that. When we validate the token with the public key, we are getting a "Signature verification failed" error.

Can you please guide me about that?

MartinLenord commented 5 years ago

Can you send me the id_token you are trying to sign and the public key you are using to sign it?

MartinLenord commented 5 years ago

Hmm, interesting: that JWT is signed with your private key, not Blackboard's. Did you re-sign the request?

MartinLenord commented 5 years ago

Why are you re-signing the request? You can't re-sign a request from a platform, because you don't know the platform's private key; you can only validate it with the public key.

Rohi145 commented 5 years ago

@MartinLenord ,

Do you mean to say that we should not use the Blackboard credentials for JWT authentication?

So what is the use of the key set and private key provided to us by Blackboard?

Because we are using those for JWT creation and authorization.

MartinLenord commented 5 years ago

Each party (tool and platform) has two keys, a public key and a private key. The private key is used to sign requests; the public key is given to the other party so that they can validate that a message is really coming from the first party.

Blackboard gives you a private key for you to sign requests that are going back to Blackboard with. It also gives you a JWKS URL so that you can get their public key to validate that the incoming request is coming from them.

You only sign outgoing requests with your private key (like requesting a service access token or signing a deep linking response).
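A worked illustration of the two roles described here and in the earlier comment about matching the KID: this is an added example in Go, not code from lti-1-3-php-library, and the key id "plat-key-1", the claims and the key pairs in any usage are constructed. The platform signs the id_token with its own private key; the tool's validate step reads the kid from the header, looks that kid up in the key set fetched from key_set_url, and checks the signature with that public key, so a token checked against the tool's own key set, or re-signed with the tool's private key, fails with a signature error rather than validating.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding // JWTs use unpadded base64url

type jwk struct{ Kid, Kty, N, E string } // the key set fields RS256 verification needs
type jwks struct{ Keys []jwk }           // {"keys":[...]} as served at key_set_url

// signRS256 builds a compact JWS the way a platform signs an id_token with ITS private key.
func signRS256(kid string, claims map[string]any, priv *rsa.PrivateKey) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	pl, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(pl)
	h := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	return input + "." + b64.EncodeToString(sig), err
}

// verifyWithJWKS is the tool-side check: read kid, find it in the platform key set, verify.
func verifyWithJWKS(token string, set jwks) error {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if raw, err := b64.DecodeString(parts[0]); len(parts) != 3 || err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" {
		return errors.New("malformed JWT or algorithm not RS256") // never let the token pick the alg
	}
	for _, k := range set.Keys {
		if k.Kid != hdr.Kid || k.Kty != "RSA" {
			continue
		}
		n, _ := b64.DecodeString(k.N) // a corrupt n, e or signature simply fails verification below
		e, _ := b64.DecodeString(k.E)
		sig, _ := b64.DecodeString(parts[2])
		pub := &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
		return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) // the tool's private key is never used
	}
	return errors.New("no key in key set matches kid " + hdr.Kid)
}
```

Fetching the JSON from key_set_url and unmarshalling it into jwks is left to the caller; the Keys/Kid/N/E field names match a standard key set document case-insensitively.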

Rohi145 commented 5 years ago

@MartinLenord We are doing the following steps; please tell us whether we are correct or not:

1. Blackboard provides us with a private key and a key set URL.
2. We are using that private key for JWT creation and validating with the public key generated by the key set URL. We are also using the private key for access token generation, but we are not getting any access token using that private key either.

Please go through these steps and tell me what is wrong in that.

Also, if the platform private key is used for JWT authorization, how do we get a platform private key that is decoded with the key set URL?

Rohi145 commented 5 years ago

@MartinLenord

keys.php, which is included in return.php, also does not exist.

And if we use your tool's private key (i.e. the one defined in the private.key file) in return.php, then its JWT signature is validated using the JWK key set. Because of that, we are confused about the credentials.