oat-sa / lib-lti1p3-core

PHP library for LTI 1.3 Core implementations as platforms and / or as tools.
GNU General Public License v2.0

When requesting an access token, the client assertion JWT iss and sub must both be the OAuth 2 client_id #193

Closed kochen closed 2 weeks ago

kochen commented 1 month ago

Hello, we have made several connections from various LTI Platforms (LMSs) to our LTI Tool, including (among other things):

In a recent integration, we encountered an error message coming from the LTI Platform, indicating that an access token was not obtained. After further investigation with the developers of the Platform, we discovered that the iss and sub sent on the access token request did not match the expected values.

Looking at the code, and specifically the LtiServiceClient, it's clear that the iss is set to the audience and the sub is set to the client_id:

                    MessagePayloadInterface::CLAIM_ISS => $registration->getTool()->getAudience(),
                    MessagePayloadInterface::CLAIM_SUB => $registration->getClientId(),

Reading the LTI documentation, it is stated that:

When requesting an access token, the client assertion JWT iss and sub must both be the OAuth 2 client_id of the tool as issued by the learning platform during registration.

We tested it out, and indeed setting both the iss and the sub to the client_id resolved the issue, and it also did not affect any other existing connection!

Should this indeed be fixed here?

M.
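As an added illustration (not code from the library or from the issue), the claim set the issue describes, next to a platform-side check that rejects the pre-fix shape where iss carried the tool audience instead of the client_id. The client_id, token endpoint and audience values are constructed, and the assertion's signature is assumed to have been verified before these claims are inspected.

```python
# Constructed sample values (not taken from the issue).
REGISTERED_CLIENT_ID = "client-abc123"                       # issued by the platform at registration
TOKEN_ENDPOINT = "https://platform.example.edu/lti/token"    # platform's OAuth 2 token endpoint
TOOL_AUDIENCE = "https://tool.example.com"                   # what the old code placed in iss


def build_client_assertion_claims(client_id, token_endpoint, now, jti, ttl=60):
    """Claims of the client_credentials assertion as LTI 1.3 requires:
    iss and sub are both the tool's client_id, aud is the token endpoint."""
    return {
        "iss": client_id,
        "sub": client_id,
        "aud": token_endpoint,
        "iat": now,
        "exp": now + ttl,
        "jti": jti,
    }


def validate_client_assertion_claims(claims, registered_client_id, token_endpoint, now):
    """Platform-side check of a decoded, signature-verified assertion.
    Returns a list of problems; an empty list means the claims are acceptable."""
    errors = []
    if claims.get("iss") != registered_client_id:
        errors.append("iss must equal the registered client_id")
    if claims.get("sub") != registered_client_id:
        errors.append("sub must equal the registered client_id")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if token_endpoint not in aud_list:
        errors.append("aud must contain the token endpoint")
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        errors.append("assertion expired or exp missing")
    if not claims.get("jti"):
        errors.append("jti missing (needed for replay detection)")
    return errors


if __name__ == "__main__":
    now = 1_700_000_000
    good = build_client_assertion_claims(REGISTERED_CLIENT_ID, TOKEN_ENDPOINT, now, "jti-1")
    # Same assertion with iss set to the tool audience, as before the fix.
    buggy = dict(good, iss=TOOL_AUDIENCE)
    print("correct:", validate_client_assertion_claims(good, REGISTERED_CLIENT_ID, TOKEN_ENDPOINT, now))
    print("pre-fix:", validate_client_assertion_claims(buggy, REGISTERED_CLIENT_ID, TOKEN_ENDPOINT, now))
```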

kochen commented 3 weeks ago

@wazelin could you take a look at this?

wazelin commented 2 weeks ago

Resolved in https://github.com/oat-sa/lib-lti1p3-core/releases/tag/7.0.3.

Thank you for your contribution, @kochen! Much appreciated.