Cvmcosta / ltijs

Turn your application into a fully integratable LTI 1.3 tool provider.
https://cvmcosta.github.io/ltijs/
Apache License 2.0
300 stars 67 forks

clientId is used as iss #108

lenacom closed 3 years ago

lenacom commented 3 years ago

Describe the bug

This line looks like a bug: https://github.com/Cvmcosta/ltijs/blob/master/dist/Utils/Auth.js#L309

static async getAccessToken(scopes, platform, ENCRYPTIONKEY, Database) {
    const platformUrl = await platform.platformUrl();
    const clientId = await platform.platformClientId();
    const confjwt = {
      sub: clientId,
      iss: clientId,
      aud: await platform.platformAuthorizationServer(),
      jti: encodeURIComponent([...Array(25)].map(_ => (Math.random() * 36 | 0).toString(36)).join``)
    };

Expected behavior

 iss: platformUrl,

Cvmcosta commented 3 years ago

Hello, this is correct according to the IMS LTI Specification:

[Image: Screenshot from 2021-05-13 08-31-34]

In this case, both identifiers are the ClientID, since the Tool is the one issuing the JWT. The Client ID is the tool's identifier for that LMS. The platform URL is the LMS's identifier, so it does not apply in this scenario.