DimitriB01
commented
1 year ago - You can get the Public-Key (HASKI) with MongoDB
Closed DimitriB01 closed 1 year ago
DimitriB01
commented
1 year ago 
juli-txt
commented
1 year ago JWT is an open standard to transmit information securely between parties as an compact JSON object. By applying a digital signature the message and its containing information can be verified and trusted. JSON Web Tokens are therefore used for authorization and secure information exchange [1].
JWTs are a combination of the three parts „Header“, „Payload“ and „Signature“ seperated by dots with the following format [1]: HEADER.PAYLOAD.SIGNATURE
The header consists of two parts and is Base64Url encoded. First, the algorithm which is used for encryption and second, the token type [1].
Example:
{ „alg“: „HS256“, „typ“: „JWT“ }
The payload is Base64Url encoded and contains claims which represent statements about an entity like the user. Additionally it can provide supplementary data. There are three types of claims: Registered, public and private claims. Registered claims are predefined and not mandatory but recommended. They can be seen here: https://www.rfc-editor.org/rfc/rfc7519#section-4.1. Public claims on the other hand can be defined by those who are using JWTs. To avoid collision they should be registered here: https://www.iana.org/assignments/jwt/jwt.xhtml. Lastly private claims are custom claims both parties agreed on [1].
The Signature is used to verify that the message wasn’t changed along the way and the sender is who it pretends to be. Furthermore it is created by signing the encoded header, encoded payload and a secret if the HMAC algorithm was used. Alternatively a RSA or ECDSA public/private key pair can replace the secret [1]. To decode, verify and generate JWTs following website can be used: https://jwt.io/.
If a tool in the LTI environment wants to use a LTI Service, it must request an access token from the Authorization Service to affirm its identity. This can be done by providing a JWT with its clients credentials to the Authorization Service [4]. Furthermore LTI Messages sent from the Platform are OpenID Tokens and messages from the tool are JSON Web Tokens [5]. Access tokens are defined in OAuth and can be JWTs or a random string. ID Tokens on the other hand are defined in OpenID Connect and must always be JSON Web Tokens [6]. To confirm the content and the JWT as a whole a confirmation method is needed [2]. Such method checks if the presenter owns a proof-of-possession key [2]. In case of the ltijs library JSON Web Keys (short jwk) are used for confirmation [3].
[1] https://jwt.io/introduction
[2] https://www.rfc-editor.org/rfc/rfc7800.html
[3] https://www.iana.org/assignments/jwt/jwt.xhtml#confirmation-methods
[4] https://www.imsglobal.org/spec/lti/v1p3/impl/
[5] https://www.imsglobal.org/spec/lti/v1p3/#platforms-and-tools
[6] https://oauth.net/id-tokens-vs-access-tokens/
The communication between Moodle and HASKI needs a JWT-Token to work together. In this Issue we want to understand the functionality of this Token and generate one ourselfs.