I am developing an LTI 1.3 tool to work with Moodle. Currently, whenever I try to obtain an access token from mod/lti/token.php I get back
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDVPPD4jbeRca4gEWxtgAfKHVw2
qvYbwMyICywQpsYVd+CyK0s98yYq6yyvwB4pnd6TpnnoqYaoZZSjKuZryzIZdP8U
wvNWHLfD+lzujw6Vm0CRwGZE4zR0q8M3f8k4QTgnATvrN+p3zWOeT+kVYk/YYunU
f8piqSyTMJyLEaOeOwIDAQAB
-----END PUBLIC KEY-----
Hi,
Without knowing a little more about the exact params (client_assertion, client_assertion_type, grant_type, scope) that are being passed in the mod/lti/token.php
request, it is hard to imagine what exactly is failing.
Given the error (invalid_client), it seems that the problem must be somewhere within this block of code:
So, surely that is where you should add some debugging, like error_log()
calls to see them in your web server error logs.
Coincidentally... this week I've been testing some new LTI code (membership support...) involving the use of some tools out there for testing purposes and haven't got that "invalid_client" error myself (and I was using TP's public keys).
If you find yourself unable to find the exact cause and fix it... you can always file a new issue in the Tracker, providing as many details as possible, in order to make the exact environment and, hopefully, the problem easy to reproduce.
Also, I've performed some searches in the Tracker to see if something similar has already been reported, but haven't found anything so far.
Ciao
But is there some kind of security measure that's in play? Does it check the file against something to ensure it's not edited?
Not that I can imagine. I (any dev) do that all the time and the files are just "recompiled" and processed. Maybe there is some extension in your site configured not to accept modifications, or requiring PHP's opcache to be cleared... but I really cannot imagine anything.
Maybe an alternative approach that you could follow is to install a Moodle instance locally, on your computer, then use ngrok to make it accessible from outside (from your tool provider) and try to reproduce/debug locally.
Of course, the Tracker route mentioned above is still available, provided all the details to reproduce the problem are added there.
Ciao
I tried to add to the tracker, it keeps telling me: Dear Moodler, before creating a new issue you need to demonstrate that you have searched among the existing issues to see if it's already been filed. Please find a similar issue from among the open issues and either start watching it or vote for it.
I've searched for a similar issue and there were none. But it still will not let me add a new one.
In the meantime I have attached a Postman script showing the exact problem I am having.
either start watching it or vote for it
Try this for some other issue that might be relevant to you.
I was able to get access to the server from the SA, and using a native editor I was able to add additional debugging code:
This is the error message I get:
    if ($ok) {
        $error = 'invalid_client';
        // Look up the registered tool whose client id matches the assertion's 'sub' claim.
        $tool = $DB->get_record('lti_types', array('clientid' => $claims['sub']));
        if ($tool) {
            $typeconfig = lti_get_type_config($tool->id);
            if (!empty($typeconfig['publickey'])) {
                try {
                    // Verify the client_assertion signature (RS256) with the tool's public key.
                    $jwt = JWT::decode($clientassertion, $typeconfig['publickey'], array('RS256'));
                    $ok = true;
                } catch (Exception $e) {
                    // Added debugging: surface the library's reason for rejecting the token.
                    $error = 'error message: ' . $e->getMessage();
                    $ok = false;
                }
            }
        } else {
            $ok = false;
        }
    }
Wow, that's quite a strange year (20192632250)! Surely that implies some of the time claims fail.
Now the question is... how has the JWT ended up with that wrong year in the payload?
Either some of the systems have a wrong date (not likely, but possible) or, at some point, the date/payload is becoming corrupted (or being created with a wrong date).
While I'm not an expert at all... I'd try to debug in the provider how those JWTs look, just to verify if they are broken on both sides... because for sure Moodle is either 1) receiving it already incorrect or 2) breaking it on decode. We need to know which one is the case.
I'm sorry I cannot share any other interesting idea... just compare the decoded content of the token @ origin and in the server, to know where the problem comes from.
Ciao
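A small diagnostic that does what the two replies above suggest: decode the client_assertion JWT (the token Moodle's JWT::decode call rejected) without verifying it, print its time claims as dates so an absurd value like the one quoted stands out, and re-run the identity checks a token endpoint makes on a client_credentials assertion (sub must be a registered client id, which is Moodle's lti_types.clientid lookup; iss must equal sub; aud must be the token endpoint URL). This is an added example, written in Python rather than PHP, and is not Moodle's code; it never checks signatures, so it is only useful for comparing what the tool sent with what Moodle received. The sample token, the client id "abc123" and the endpoint URL are constructed for the demo.

```python
import base64
import json
from datetime import datetime, timezone

# Epoch seconds for 2100-01-01T00:00:00Z. No LTI token should expire after that,
# so a larger value means the wrong unit or a corrupted claim, not a real date.
MAX_PLAUSIBLE_EPOCH = 4102444800


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_unverified(token: str) -> dict:
    """Split a compact JWS into header and payload WITHOUT checking the signature.
    Diagnostic only: use it to compare the payload at origin and at the server."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated segments, got {len(parts)}")
    return {
        "header": json.loads(_b64url_decode(parts[0])),
        "payload": json.loads(_b64url_decode(parts[1])),
    }


def check_time_claims(payload: dict, now: int) -> dict:
    """Classify iat/nbf/exp: a readable UTC date, or a reason it cannot be one."""
    findings = {}
    for claim in ("iat", "nbf", "exp"):
        if claim not in payload:
            findings[claim] = "missing"
            continue
        value = payload[claim]
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            findings[claim] = "not numeric"
            continue
        if value > MAX_PLAUSIBLE_EPOCH:
            # Milliseconds written into a seconds field is a common way to get an
            # 11-digit "year"; flag it when dividing by 1000 lands in range.
            if value / 1000 <= MAX_PLAUSIBLE_EPOCH:
                findings[claim] = "implausible: looks like milliseconds, not seconds"
            else:
                findings[claim] = "implausible: out of range"
            continue
        stamp = datetime.fromtimestamp(value, tz=timezone.utc).isoformat()
        if claim == "exp" and value < now:
            findings[claim] = f"expired at {stamp}"
        elif claim == "nbf" and value > now:
            findings[claim] = f"not yet valid until {stamp}"
        else:
            findings[claim] = stamp
    return findings


def check_client_assertion(payload: dict, registered_client_ids: set, token_endpoint: str) -> list:
    """Identity checks for a client_credentials assertion (LTI 1.3 / IMS Security
    Framework): sub names a registered client, iss == sub, aud is the token endpoint."""
    problems = []
    sub = payload.get("sub")
    if sub not in registered_client_ids:
        problems.append("sub is not a registered client id (invalid_client)")
    if payload.get("iss") != sub:
        problems.append("iss does not equal sub")
    aud = payload.get("aud")
    if token_endpoint not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not contain the token endpoint URL")
    return problems


def make_sample_token(payload: dict) -> str:
    # Constructed, unsigned sample for the demo: the signature segment is a placeholder.
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(payload).encode()),
        "placeholder-signature",
    ])


# Constructed payload: exp was written in milliseconds, everything else is sane.
SAMPLE_ENDPOINT = "https://moodle.example/mod/lti/token.php"
SAMPLE_PAYLOAD = {
    "iss": "abc123", "sub": "abc123", "aud": SAMPLE_ENDPOINT,
    "iat": 1560000000, "exp": 1560000300000, "jti": "demo-1",
}

if __name__ == "__main__":
    decoded = decode_unverified(make_sample_token(SAMPLE_PAYLOAD))
    print(json.dumps(decoded["header"]))
    print(json.dumps(check_time_claims(decoded["payload"], now=1560000100), indent=2))
    print(check_client_assertion(decoded["payload"], {"abc123"}, SAMPLE_ENDPOINT))
```

Run it once against the assertion captured in Postman and once against what Moodle logs in the catch block; if the time claims already differ at origin, the tool's token builder is at fault, otherwise the platform side is altering the payload.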
I am trying to work on the same token-based authentication using a JWT token, but cannot find where to start.
Can you please help me with where I should start looking? Which protocol on Moodle?
If you are looking for the code Moodle uses then you can find it on GitHub. Moodle is written in PHP, if that's what you mean by protocol.
Thanks for reply.
No. I meant there are several options available in Moodle, like CAS, LDAP, IMAP etc.
Also, I tried to go via https://docs.moodle.org/dev/Creating_a_web_service_client
But I couldn't find any idea of where I can go and start working on the JWT token method.
One of my other web applications has created a JWT token and given me the key. I need to sign the user in to Moodle.
I cannot understand where to start. Where can I get the code?
I'm not aware of any published authentication plugins that implement JWT - searching in the plugins DB for JWT doesn't show any results ( https://moodle.org/plugins/?q=jwt ).
It is certainly possible to create an authentication plugin that works with JWT, as I've seen it done, but you're probably going to need to write code (or find someone to write code) to do it - https://docs.moodle.org/dev/Authentication_plugins might be a starting point (or looking at any of the examples in the standard auth/ directory).