openwebwork / webwork2

Course management front end for WeBWorK
http://webwork.maa.org/wiki/Main_Page
Other
146 stars 165 forks source link

Incorrect message when LTI auth fails. #2068

Open somiaj opened 1 year ago

somiaj commented 1 year ago

Related to the issue created in #2050 and fixed in #2060, my LTI configuration for one of my courses broke. Basically I lost all LTI configuration settings due to the LTI configuration tab being missing and the course configuration tool cleans up settings in simple.conf it doesn't know about (maybe it should just comment them out so they don't get lost? but that is another issue). As a result LTI auth no longer worked in the course (note I use a custom LTI configuration tab so my shared secrete was set there and that is what was lost)

The error message my students were getting wasn't that authentication was denied, instead it gave them an error that the assignment must be accessed through their LMS first (even though they were accessing the set through the LMS). This issue is to point out that in some cases the wrong error message is displayed when LTI auth fails.

somiaj commented 1 year ago

I will see if I can find a way to reproduce this later tonight on a test server, but just putting this here to not forget about the issue.

somiaj commented 1 year ago

Here is a simple way to reproduce the issue.

First configure a system and get LTI 1.1 authentication working, and setup a link the the LMS that goes directly to a problem set, https://host/webwork2/CourseID/SetID. When the LTI is setup correctly the link should take the user directly to the set page. Now edit course.conf and make shared secrete to be invalid, $LTI{v1p1}{BasicConsumerSecret} = 'BADSECRET', then try to login again from the LMS. In this case you get the message, "The course CourseID uses an external authentication system (LMS_LINK). Please return to that system to access this course."

Instead the error message should be something about invalid authentication / unable to login.

In this case you are trying to login with a valid user, the only issue is the ConsumerSecret is invalid. Looking at the LTI debug info, the user is correctly identified, it is just one of the final steps of verification with the shared secret that fails. My guess is when this fails it doesn't fully reset the authenatication which then leads to an incorrect message showing.