oat-sa / lib-lti1p3-core

PHP library for LTI 1.3 Core implementations as platforms and / or as tools.
GNU General Public License v2.0

support `aud` Claim in LTI messages to be an array #144

Closed ihipop closed 2 years ago

ihipop commented 2 years ago

https://www.imsglobal.org/spec/security/v1p0/#id-token

aud REQUIRED. Audience(s) for whom this ID Token is intended i.e. the Tool. It MUST contain the OAuth 2.0 client_id of the Tool as an audience value. It MAY also contain identifiers for other audiences. In the general case, the aud value is an array of case-sensitive strings. In the common special case when there is one audience, the aud value MAY be a single case-sensitive string.

This library always makes it the special case and only supports a SINGLE-value aud Claim in OidcAuthenticator, and there is no way to override it.

I cannot find any example on the IMS site where aud is not an array, e.g.: http://www.imsglobal.org/spec/lti/v1p3/#e-full-example-resource-link-request

wazelin commented 2 years ago

That is correct, @ihipop.

The standard allows setting the value as a single string in such a case; this payload is therefore still up to the standard. The library does support multiple values when it comes down to generating a tool-originating message, for instance, which has to have multiple aud values.

e.g. https://github.com/oat-sa/lib-lti1p3-core/blob/master/src/Service/Client/LtiServiceClient.php#L207-L210
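
Added example, not part of the thread or of lib-lti1p3-core: a receiver-side check that accepts both forms of `aud` the quoted spec text allows (bare string or array of case-sensitive strings) and requires the tool's client_id among them. The function names, the `$trustedOthers` allow-list policy for additional audiences, and all sample values are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Requires PHP 8.1+ (mixed, array_is_list). All names here are hypothetical.

/** Normalise an `aud` claim (string or list of strings) to a list of strings. */
function normaliseAudience(mixed $aud): array
{
    if (is_string($aud)) {
        $aud = [$aud]; // special case: a single audience given as a bare string
    }
    // A decoded JSON object or an empty array is not a valid audience list.
    if (!is_array($aud) || $aud === [] || !array_is_list($aud)) {
        throw new InvalidArgumentException('aud must be a string or a non-empty list');
    }
    foreach ($aud as $value) {
        if (!is_string($value) || $value === '') {
            throw new InvalidArgumentException('aud entries must be non-empty strings');
        }
    }
    return $aud;
}

/** Accept only if $clientId is an audience and all others are in $trustedOthers. */
function audienceAccepts(mixed $aud, string $clientId, array $trustedOthers = []): bool
{
    try {
        $audiences = normaliseAudience($aud);
    } catch (InvalidArgumentException) {
        return false;
    }
    // Strict in_array() compares with ===, so the match is case-sensitive.
    if (!in_array($clientId, $audiences, true)) {
        return false;
    }
    // Assumed policy: extra audiences must be on a deployment allow-list.
    return array_diff($audiences, [$clientId], $trustedOthers) === [];
}

// Constructed `aud` values, shaped as json_decode(..., true) would yield them.
$samples = [
    'single string'   => 'tool-client-1',
    'one-item array'  => ['tool-client-1'],
    'multi, trusted'  => ['tool-client-1', 'https://analytics.example'],
    'wrong case'      => ['Tool-Client-1'],
    'untrusted extra' => ['tool-client-1', 'https://other.example'],
    'JSON object'     => ['k' => 'tool-client-1'],
];
foreach ($samples as $label => $aud) {
    $ok = audienceAccepts($aud, 'tool-client-1', ['https://analytics.example']);
    printf("%-16s %s\n", $label, $ok ? 'accept' : 'reject');
}
```

Normalising to a list before comparing keeps a single code path for both payload shapes, so the string form and the one-element array form cannot be validated differently.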