Closed danhammari closed 2 years ago
Thanks for reporting this; I can see it is an issue. I'll fix this in the next release.
As an aside, do you know why the platform is choosing not to send the client ID and/or deployment ID in the initiate login request?
This may be an issue with how the LTI security specification is written.
When a platform begins the third-party initiated login process the only required parameters are iss
, login_hint
, and target_link_uri
:
https://www.imsglobal.org/spec/security/v1p0/#step-1-third-party-initiated-login
5.1.1.1 Step 1: Third-party Initiated Login
When a user wants to launch into a Tool, the Platform will start the OpenID Connect flow by redirecting the User Agent (UA) to the 3rd party initiated login end point. The redirect may be a form POST or a GET - a Tool must support either case, with the following parameters.
iss
REQUIRED. The issuer identifier identifying the learning platform.
login_hint
REQUIRED. Hint to the Authorization Server about the login identifier the End-User might use to log in. The permitted values will be defined in the host specification.
target_link_uri
REQUIRED. The actual end-point that should be executed at the end of the OpenID Connect authentication flow.
NOTE: Other parameters MAY be supplied to provide important context for a specific message exchange i.e. as defined in the corresponding IMS specification.
Yes, I accept that it is quite valid for the client ID and deployment ID to be omitted from the request; I was just curious to find out if you knew why the platform chooses to do so. Since the values are known and shared with the tool there is no obvious (to me) reason why they would not be passed to make its life easier.
But I will update the library to allow for this.
Update included in latest release (4.7.0). Thanks.
I'm running into trouble with the
lti2_nonce
table'sconsumer_pk
field. Here is the workflow:iss
ashttps://schoology.schoology.com
fromPlatformId
receives this as$platformId
while$clientId
and$deploymentId
are nullfromPlatformId
callsDataConnector
loadPlatform
method using only the$platformId
valueplatform
withrecordId
value 25 and builds anlti2_nonce
entry with indexconsumer_pk
25lti2_nonce
value asstate
in payloadiss
,aud
, anddeploymentId
and also returnsstate
noncefromPlatformId
receives all three values as$platformId
,$clientId
, and$deploymentId
fromPlatformId
callsDataConnector
loadPlatform
method using all three valuesplatform
withrecordId
value 36 since it found an alternate consumer signature in thelti2_consumer
tablestate
claim that was returned, but cannot since theconsumer_pk
value is now 36 instead of the 25 that was used when creating thelti2_nonce
recordThe
lti2_consumer
table seems to be built with the intention of allowing multiple instance of aplatform_id
value, provided that an alternate composite key of fieldsplatform_id
,client_id
, anddeployment_id
remains unique. The problem becomes disambiguating multiple records when only theiss
field is provided as a lookup. In particular, thelti2_nonce
table relies on the correct foreign key value ofconsumer_pk
when validating the returnedstate
claim.My solution right now is to alter the
DataConnector
loadPlatformNonce
method and have it ignore theconsumer_pk
column when validating thestate
nonce that the platform returns:BEFORE:
AFTER:
Let me know if this is not the correct direction to go. I imagine I will run into this issue repeatedly when registering platforms that host multiple tenants. As in the example above, Schoology will always send the same
iss
claim value to represent its platform, but each tenant will likely have its ownaud
claim (clientId
), and multipledeployment_id
claims. I can understand registering each tenant customer on the platform with its ownclient_id
value, but hesitate to also record a uniquedeployment_id
as well. Would it perhaps be okay to alter theDataConnector
loadPlatform
method and make it so thedeployment_id
field is not considered when searching for a platform entry in thelti2_consumer
table?