Should the Platform handleAuthenticationRequest() method send an id_token? #65

Closed
danhammari opened this issue Oct 19, 2023 · 2 comments

Comments

@danhammari

Hello,

Does this LTI-PHP library include the code for a Platform to generate an id_token when using the handleAuthenticationRequest() method?

The 1EdTech Security Framework defines the following workflow based on the OIDC authentication exchange:
https://www.imsglobal.org/spec/security/v1p1#openid_connect_launch_flow

  1. the Platform starts a login request by sending a message to the Tool's third-party-initiated login endpoint
  2. the Tool sends an authentication request with login_hint and redirect_uri to the Platform's OIDC Authorization endpoint
  3. the Platform sends state and id_token values to the Tool's registered redirect_uri endpoint

The Platform handleAuthenticationRequest() method generates an HTML form with JavaScript to automatically submit the HTML form. However, I only see the state attribute being attached to the HTML form with an input tag. I do not see an id_token input being created. Is this an exercise that is left to the user to add to the form?

Sincerely,
Dan

@spvickers
Contributor

Yes, the id_token parameter is added by the code automatically in the call to the addSignature method. If your implementation is not adding this parameter, perhaps there is a cookie issue. Also check your PHP error log file for clues.

@danhammari
Author

Thank you for your prompt response. I dug further and found that I had swapped my public and private keys in my implementation of the platform object. The addJWTSignature() method has a try...catch block around the $jwt::sign() call that was intercepting the error message and clearing the $params array.
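
An added example, not part of the thread and not LTI-PHP code: a pre-flight check that a platform's configured key pair can actually sign, so that swapped public and private keys are reported up front instead of surfacing as a launch form with no id_token. It assumes an RSA key pair in PEM form and PHP's openssl extension; `checkSigningKeyPair()` and `makeSampleKeyPair()` are hypothetical helper names.

```php
<?php
// Added example, not LTI-PHP code: both function names are hypothetical helpers.

/** Returns a list of problems with the key pair; an empty list means it can sign. */
function checkSigningKeyPair(string $privateKeyPem, string $publicKeyPem): array
{
    $private = openssl_pkey_get_private($privateKeyPem);
    if ($private === false) {
        // A public-key PEM placed in the private-key setting fails to load here.
        return ['private key setting does not hold a loadable private key'];
    }
    $public = openssl_pkey_get_public($publicKeyPem);
    if ($public === false) {
        return ['public key setting does not hold a loadable public key'];
    }
    // Round trip: sign a probe with the private key, verify it with the public key.
    $probe = 'lti-key-check';
    $signature = '';
    if (!openssl_sign($probe, $signature, $private, OPENSSL_ALGO_SHA256)) {
        return ['signing failed: ' . (openssl_error_string() ?: 'unknown error')];
    }
    if (openssl_verify($probe, $signature, $public, OPENSSL_ALGO_SHA256) !== 1) {
        return ['public key does not match the private key'];
    }
    return [];
}

/** Builds a throwaway RSA pair so the example runs offline (constructed sample data). */
function makeSampleKeyPair(): array
{
    $key = openssl_pkey_new([
        'private_key_bits' => 2048,
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
    ]);
    openssl_pkey_export($key, $privatePem);
    $publicPem = openssl_pkey_get_details($key)['key'];
    return [$privatePem, $publicPem];
}

[$privatePem, $publicPem] = makeSampleKeyPair();

// Correct configuration: the returned list of problems is empty.
var_dump(checkSigningKeyPair($privatePem, $publicPem));

// Swapped configuration, as described in the thread: reported before any launch is attempted.
var_dump(checkSigningKeyPair($publicPem, $privatePem));
```

Running a check like this when the platform configuration is loaded, and logging any returned problem, puts the cause in the error log rather than leaving only a missing form field to investigate.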
