Cvmcosta / ltijs

Turn your application into a fully integratable LTI 1.3 tool provider.
https://cvmcosta.github.io/ltijs/
Apache License 2.0
305 stars 70 forks

Ltijs queries tokens with GET not POST from keyset url #244

Open jlsiewert opened 5 days ago

jlsiewert commented 5 days ago

Describe the bug

Launching a Deep Link from Moodle fails with an invalid token error.

Expected behavior

I verified the setup on both the Moodle and Tool side.

Provider logs

  provider:database Database connected +0ms
  provider:database Database connection open +0ms
Ltijs started in serverless mode...
  provider:main Receiving request at path: /lti/login +7s
  provider:main Receiving a login request from: <MOODLE_URL>, clientId: EhdzqulqmXxNDkw +1ms
  provider:main Redirecting to platform authentication endpoint +11ms
  provider:main Target Link URI:  <TOOL_URL>/lti/app +0ms
  provider:main Login request:  +1ms
  provider:main {
  provider:main   response_type: 'id_token',
  provider:main   response_mode: 'form_post',
  provider:main   id_token_signed_response_alg: 'RS256',
  provider:main   scope: 'openid',
  provider:main   client_id: 'EhdzqulqmXxNDkw',
  provider:main   redirect_uri: '<TOOL_URL>/lti/app,
  provider:main   login_hint: '42271',
  provider:main   nonce: 'e4e69nylqt4brl7e7fdhgt5fe',
  provider:main   prompt: 'none',
  provider:main   state: 'a53a8c7c450bd9fc9576e2f7da4b41adca56cc8129ea3fe27f',
  provider:main   lti_message_hint: '{"launchid":"ltilaunch_ContentItemSelectionRequest720719779"}',
  provider:main   lti_deployment_id: '163'
  provider:main } +0ms
  provider:main Receiving request at path: /lti/app +190ms
  provider:main Path does not match reserved endpoints +0ms
  provider:main Cookies received:  +0ms
  provider:main [Object: null prototype] {
  provider:main   statea53a8c7c450bd9fc9576e2f7da4b41adca56cc8129ea3fe27f: 'https://moodle.ruhr-uni-bochum.de'
  provider:main } +0ms
  provider:main Received idtoken for validation +0ms
  provider:auth Response state: a53a8c7c450bd9fc9576e2f7da4b41adca56cc8129ea3fe27f +0ms
  provider:auth Attempting to validate iss claim +0ms
  provider:auth Request Iss claim: <MOODLE_URL> +0ms
  provider:auth Response Iss claim: <MOODLE_URL> +0ms
  provider:auth Attempting to retrieve registered platform +0ms
  provider:auth Retrieving key from jwk_set +16ms
  provider:main Deleting state cookie and Database entry +5s
  provider:auth HTTPError: Response code 400 (Bad Request)
  provider:auth     at Request.<anonymous> (/workspace/node_modules/got/dist/source/as-promise/index.js:118:42)
  provider:auth     at process.processTicksAndRejections (node:internal/process/task_queues:105:5) +5s
  provider:main Passing request to invalid token handler +4ms

Ltijs version

NodeJS version

Platform used

Additional context

It looks like Ltijs is attempting to get the JWK key through a GET request to the keyset URL (<MOODLE>/mod/lti/token.php). I would expect Moodle to respond with a JSON (like Canvas does), but it looks like Moodle now expects a POST request to receive the tokens. In Ltijs, token URLs are always resolved with a GET request in src/Utils/Auth.js#L99. It looks like that is a bug.

siddrcrelias commented 1 day ago

Hello @jlsiewert. No, this is not a bug, because I am using this same library and I have customers in PROD using this with their LMS (Moodle, Avendoo) and everything is LIVE :) I have an article which I wrote when I was breaking my head on ltijs last year: https://medium.com/@debu2in/implementing-ltiv1-3-using-ltijs-1ab38ab87567 Please do read it and check if it helps. Also, I would like to help with this; I am available on Discord: siddharthroyc_97017

From what I figured, I always needed ngrok https tunneling for my local port on which the LTI app was running, and an LMS hosted on some domain on https, for all this to work, esp. the auth part; that is the spot where I can see you are stuck :)
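
The provider log above stops at an HTTP 400 on the step "Retrieving key from jwk_set". As an added example (not part of the thread and not Ltijs's own code), the code below checks a platform registration for endpoint fields that share one URL and classifies the keyset response before any signature verification. `checkRegistration` and `selectKey` are hypothetical helpers; the field names are those of Ltijs's `registerPlatform` options, and every host, path and key value is constructed.

```javascript
// Added example; hosts, paths, kid and key values below are constructed.
// Field names follow the options of Ltijs's registerPlatform().

// Compare the endpoints of a registration before saving it.
function checkRegistration(reg) {
  const urls = {
    authenticationEndpoint: reg.authenticationEndpoint,
    accesstokenEndpoint: reg.accesstokenEndpoint,
    'authConfig.key': reg.authConfig && reg.authConfig.key
  };
  const problems = [];
  const seen = {};
  for (const [name, value] of Object.entries(urls)) {
    let u;
    try { u = new URL(value); } catch (e) { problems.push(`${name} is not a URL`); continue; }
    if (u.protocol !== 'https:') problems.push(`${name} is not https`);
    const id = u.origin + u.pathname;
    // Each endpoint has a different role, so two fields sharing a URL is a mix-up.
    if (seen[id]) problems.push(`${name} has the same URL as ${seen[id]}`);
    else seen[id] = name;
  }
  return problems;
}

// Classify the answer to the GET on the keyset URL and pick the key named by
// the id_token header's kid (the launch in the log asks for RS256, so RSA).
function selectKey(status, body, kid) {
  const fail = reason => ({ ok: false, reason });
  if (status !== 200) return fail(`keyset URL answered HTTP ${status}`);
  let doc;
  try { doc = JSON.parse(body); } catch (e) { return fail('body is not JSON'); }
  if (!doc || !Array.isArray(doc.keys)) return fail('no "keys" array, not a JWK Set');
  const key = doc.keys.find(k => k && k.kid === kid);
  if (!key) return fail(`no key with kid ${kid}`);
  if (key.kty !== 'RSA' || !key.n || !key.e) return fail('key is not an RSA public key');
  if (key.d) return fail('JWK carries private key material');
  return { ok: true, key };
}

// Constructed registration with the keyset field pointing at the token endpoint.
const badReg = {
  authenticationEndpoint: 'https://lms.example/auth',
  accesstokenEndpoint: 'https://lms.example/token',
  authConfig: { method: 'JWK_SET', key: 'https://lms.example/token' }
};
const sampleJwks = JSON.stringify({ keys: [{ kty: 'RSA', kid: 'k1', n: 'AQAB', e: 'AQAB' }] });
console.log(checkRegistration(badReg));
console.log(selectKey(400, '', 'k1'), selectKey(200, sampleJwks, 'k1').ok);
```

Running `checkRegistration` when a platform is registered, and logging the `reason` from `selectKey` on failure, turns a bare "invalid token" into a message that names the misconfigured field or the malformed keyset response.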