-
Notifications
You must be signed in to change notification settings - Fork 72
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
LTI 1.3 platform implementation #1175
Conversation
5b7d4f9
to
d6051a4
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I did not find any real issues in the code just from looking at it. But I did add some minor comments.
Thanks @ihalaij1 , fixed the issues you pointed out. |
605fb08
to
82196e3
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have reviewed most of the code thus far. I have a few fairly small comments.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Additional comments from me. I have now reviewed all the code.
1ba457f
to
841c4f6
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great changes! There are still a couple things left
@lainets @Mankro : now the bearer token to jwt tokens change is pushed, if you want to take a look. I made it a separate commit for clarity, but if everything looks ok, I can squash everything, and then it is ready for merging on my behalf. |
I otherwise approve but note that a JWT token cannot be revoked, so we do not want the expiry time to be long. It seems the OIDC server defaults it to 3600 seconds (60 minutes) which is probably fine but I'd like it to be explicitly set just in case (I assume the LTI 1.3 spec allows changing it). What do you think? Should we set it explicitly or let the library decide? |
I don't have strong opinions about the expiry time, but the LTI relationships are quite static and long-term (you configure it once, and then the service is accessible probably for at least several months), so I don't see one-hour expiry time as big issue. The expiry time would be a new settings variable, then? |
The concern with the expiry time is not the service itself but any bad actors that may get their hands on the token, e.g. by hacking said service. While we can remove the service from our platform, they would still have a valid token that can be used until the expiry time. Technically, we could check if the token's owner is still in the lti service database when checking the permissions but I'm not sure if that is worth it. Yes, it would be a new settings variable. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good overall. I still have a few small comments.
I could not not figure out how to adjust the expiry time in this case with this API. It is possible to override the "exp" claim, but the OAuth2 also has the "expires_in" parameter in message header that still is 3600. Note that all examples in OAuth2 specification also use 3600, so apparently they don't consider that such dangerous value. |
Based on https://github.com/oauthlib/oauthlib/blob/d4b6699f8ccb608152b764919e0bd3d38a7b171f/oauthlib/openid/connect/core/endpoints/pre_configured.py#LL35C12-L35C12, the expiry time is set with |
Yes, that was it. Thanks! Now updated according to latest comments. Squash now, maybe? |
3bbc3a6
to
c071a04
Compare
By the way, I don't know why this linter message comes up here but not in master:
I haven't touched selenium tests in any way. |
Seems like |
Implement the basic LTI 1.3 platform functionality according to the LTI Core Specification and the Security Framework specification. Also includes parts of the Assignment and Grade Services specification, allowing the LTI tool to submit points to A+ platform. Closes apluslms#1149.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Wonderful, I will merge this now!
Description
What?
This pull requests implements basic LTI 1.3 platform functionality according to the Core specification and Security Framework specification. It also includes parts of the Assignment and Grade Services specification, allowing the LTI tool to submit points to A+ platform.
Changes have been distributed in the following sections of in the code:
Authorization contains additions related to bearer token management. Also there is a new database table for storing active bearer tokens. Expired bearer tokens are cleaned up from the database once an hour.This was later changed to use signed JWT tokens, that do not need separate table in database.Notes:
Small changes are needed also in RST tools and gitmanager to parse the LTI 1.3 related exercise parameters.
This is tested against Moodle 4 as LTI 1.3 tool, and Koodisäilö's recent LTI 1.3 modifications.
Why?
[ANSWER HERE]
How?
[ANSWER HERE]
Fixes #
Testing
Remember to add or update unit tests for new features and changes.
What type of test did you run?
[ADD A DESCRIPTION ABOUT WHAT YOU TESTED MANUALLY]
Did you test the changes in
Think of what is affected by these changes and could become broken
Translation
Programming style
Have you updated the README or other relevant documentation?
Is it Done?
Clean up your git commit history before submitting the pull request!