-
Notifications
You must be signed in to change notification settings - Fork 51
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(lti13): Reintroduce lti13 support #134
feat(lti13): Reintroduce lti13 support #134
Conversation
PyJWT offers extended verification options to verify / validate IMO, this is the most elegant way to do much of the non-LTI specific validation. |
Nonce validation and replay attack mitigation (#127) is implemented following the OpenID Connect Implementation Notes. |
@consideRatio I'm sorry 🙏 , this became a huge PR. It mostly adds additional (sometimes required) validation steps defined in the OICD Core specs. Some of id_token validation is done by I have tested f75ae0f on our staging deployment and it works. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Amazing work on this @martinclaus!!! This looks great to me overall and my comments are just smaller details! I reviewed this commit by commit, but not the initial commit reverting what was there before, and couldn't find issues in the changes!
- I suggested a version bump of dependencies to ensure tests pass and that we don't get outdated.
- I suggest we remove
LTI13_
environment variables and force users to configure this withc.LTI13Authenticator.issuer
directly instead of partially supporting also doing it via environment variables. I think this can reduce the complexity of maintenance and documentation overall long term, and reduce the complexity for someone to understand configuration of a jupyterhub using this authenticator. I believe that the main value of allowing for environment variables are for passwords etc, but there aren't any secrets configured for this authenticator right?
@minrk @manics I think this looks very solid overall, what do you think? I'd appreciate having at one additional review pass on this before merging it.
Co-authored-by: Erik Sundell <erik.i.sundell@gmail.com>
Also remove configuration via env variables.
Done. I still leave the option to use env variables in examples/jupyterhub_config_lti13.py. |
@martinclaus this is amazing work! I think it looks really thorough and well thought through! I asked Min to have a look just now who thought it looked fine as well, so let's go for a merge at this point. Thank you soo much for your efforts into this!!!! ❤️ 🎉 🌻 |
@martinclaus if you think it makes sense to go for a release or similar at this point in time or later, just open a changelog PR and ping for review. |
I will take a look through the documentation once again, to make sure that it is consistent with the code base before preparing the next release. |
This PR will reintroduce LTI 1.3 support. In particular, it will only implement support for the login flow initiated by a Resource Link Launch Message sent by an LMS platform. This message will trigger an OpenID Connect Implicit flow for authentication which is initiated from a third party.
LTI Deep Linking will not be implemented.
Required handlers:
GET
andPOST
)POST
)Note: since we are not sending tool-originating messages, there is no need for an
JWKS
endpoint exposed by the authenticator.Validation:
state
matches current state of browser session (https://www.imsglobal.org/spec/security/v1p0/#step-4-resource-is-displayed)id_token
iss
must exactly match the Issuer Identifier for the Platformaud
must contain the OAuth 2.0 client_id of the tool (reject with404
)aud
, theazp
claim must be presentazp
is present, it must match the toolsclient_id
alg
claim should beRS256
exp
must be in the futureiat
claim valuenonce
must be the same as used in the authentication requestnonce
must not be received before (within a reasonable time window)