Closed: screambeard closed this issue 4 years ago
Hello @screambeard, thanks for reporting this issue.
I'm currently working on a new major core release, 3.0.0; this will be included.
I'll ping you here once available.
@screambeard: Released in 3.0.0
=> https://github.com/oat-sa/lib-lti1p3-core/releases/tag/3.0.0
According to the IMSGlobal spec (https://www.imsglobal.org/spec/security/v1p0/#using-json-web-tokens-with-oauth-2-0-client-credentials-grant): "...the authorization server MAY instruct the Consumer to use the token endpoint URL of the authorization server as a value for an aud element..."
Not all platforms do this. For example, Brightspace has a separate audience value. Brightspace's OAuth2 Audience is https://api.brightspace.com/auth/token and its Brightspace OAuth2 Access Token URL is https://auth.brightspace.com/core/connect/token
In the current implementation of the ServiceClient the `aud` is set equal to the `$platform->getOAuth2AccessTokenUrl()` value. I propose to set it equal to the `$platform->getAudience()` value.

The piece of code to be changed is: https://github.com/oat-sa/lib-lti1p3-core/blob/b6d1e061cba84a5ca50ec934be8151f5f1f2e7e3/src/Service/Client/ServiceClient.php#L180
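The mechanism behind the report, shown as an added example rather than code from lib-lti1p3-core: the tool builds the RS256 `client_assertion` JWT for the client-credentials grant, choosing `aud` from a platform's configured audience and falling back to the token endpoint URL only when no separate audience is registered; the platform side accepts either value, as the IMS security spec permits, and rejects everything else. The `Platform` struct, function names and the sample client id are assumptions made for this illustration, not the library's API.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Platform holds the two registration values the issue contrasts: the OAuth2
// access-token endpoint and an optional, distinct audience (hypothetical type).
type Platform struct {
	AccessTokenURL string
	Audience       string // empty when the platform uses its token URL as aud
}

// ClientAssertionAudience returns the value the tool must put in "aud": the
// registered audience when there is one, otherwise the token endpoint URL.
func ClientAssertionAudience(p Platform) string {
	if p.Audience != "" {
		return p.Audience
	}
	return p.AccessTokenURL
}

// Claims is the client_assertion payload for the client_credentials grant.
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
	Jti string `json:"jti"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// BuildClientAssertion signs an RS256 JWT whose aud is chosen per platform.
func BuildClientAssertion(key *rsa.PrivateKey, clientID string, p Platform, now time.Time) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	jti := make([]byte, 16) // random jti so the platform can detect replay
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	body, _ := json.Marshal(Claims{
		Iss: clientID, Sub: clientID, Aud: ClientAssertionAudience(p),
		Iat: now.Unix(), Exp: now.Add(60 * time.Second).Unix(), Jti: b64(jti),
	})
	input := b64(header) + "." + b64(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// VerifyClientAssertion is the authorization-server side: it pins the alg to
// RS256, checks the signature and time window, ties iss/sub to the registered
// client, and accepts aud only if it names this platform's audience or token URL.
func VerifyClientAssertion(token string, pub *rsa.PublicKey, clientID string, p Platform, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	rawHdr, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct{ Alg string `json:"alg"` }
	if json.Unmarshal(rawHdr, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("unexpected alg") // refuse alg confusion
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("bad signature: %w", err)
	}
	rawBody, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(rawBody, &c); err != nil {
		return nil, err
	}
	if c.Iss != clientID || c.Sub != clientID {
		return nil, errors.New("iss/sub do not match the registered client")
	}
	if c.Aud == "" || (c.Aud != p.Audience && c.Aud != p.AccessTokenURL) {
		return nil, fmt.Errorf("aud %q does not name this platform", c.Aud)
	}
	if now.Unix() >= c.Exp || c.Iat > now.Unix()+60 {
		return nil, errors.New("assertion expired or issued in the future")
	}
	return &c, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	// Constructed registration using the Brightspace values quoted in the issue.
	bs := Platform{AccessTokenURL: "https://auth.brightspace.com/core/connect/token", Audience: "https://api.brightspace.com/auth/token"}
	tok, _ := BuildClientAssertion(key, "tool-client-id", bs, time.Now())
	c, err := VerifyClientAssertion(tok, &key.PublicKey, "tool-client-id", bs, time.Now())
	fmt.Println(c.Aud, err)
}
```

Running `main` prints the Brightspace audience and a nil error; an assertion built with the token URL as `aud` would fail the same check on Brightspace, which is exactly the mismatch the issue describes for platforms with a separate audience.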