feat(lti13): Reintroduce lti13 support #134
Conversation
|
PyJWT offers extended verification options to verify / validate IMO, this is the most elegant way to do much of the non-LTI specific validation. |
|
Nonce validation and replay attack mitigation (#127) is implemented following the OpenID Connect Implementation Notes. |
|
@consideRatio I'm sorry 🙏 , this became a huge PR. It mostly adds additional (sometimes required) validation steps defined in the OICD Core specs. Some of id_token validation is done by I have tested f75ae0f on our staging deployment and it works. |
There was a problem hiding this comment.
Amazing work on this @martinclaus!!! This looks great to me overall and my comments are just smaller details! I reviewed this commit by commit, but not the initial commit reverting what was there before, and couldn't find issues in the changes!
- I suggested a version bump of dependencies to ensure tests pass and that we don't get outdated.
- I suggest we remove
LTI13_environment variables and force users to configure this withc.LTI13Authenticator.issuerdirectly instead of partially supporting also doing it via environment variables. I think this can reduce the complexity of maintenance and documentation overall long term, and reduce the complexity for someone to understand configuration of a jupyterhub using this authenticator. I believe that the main value of allowing for environment variables are for passwords etc, but there aren't any secrets configured for this authenticator right?
@minrk @manics I think this looks very solid overall, what do you think? I'd appreciate having at one additional review pass on this before merging it.
Co-authored-by: Erik Sundell <erik.i.sundell@gmail.com>
Also remove configuration via env variables.
Done. I still leave the option to use env variables in examples/jupyterhub_config_lti13.py. |
|
@martinclaus this is amazing work! I think it looks really thorough and well thought through! I asked Min to have a look just now who thought it looked fine as well, so let's go for a merge at this point. Thank you soo much for your efforts into this!!!! ❤️ 🎉 🌻 |
|
@martinclaus if you think it makes sense to go for a release or similar at this point in time or later, just open a changelog PR and ping for review. |
|
I will take a look through the documentation once again, to make sure that it is consistent with the code base before preparing the next release. |
This PR will reintroduce LTI 1.3 support. In particular, it will only implement support for the login flow initiated by a Resource Link Launch Message sent by an LMS platform. This message will trigger an OpenID Connect Implicit flow for authentication which is initiated from a third party.
LTI Deep Linking will not be implemented.
Required handlers:
GETandPOST)POST)Note: since we are not sending tool-originating messages, there is no need for an
JWKSendpoint exposed by the authenticator.Validation:
statematches current state of browser session (https://www.imsglobal.org/spec/security/v1p0/#step-4-resource-is-displayed)id_tokenissmust exactly match the Issuer Identifier for the Platformaudmust contain the OAuth 2.0 client_id of the tool (reject with404)aud, theazpclaim must be presentazpis present, it must match the toolsclient_idalgclaim should beRS256expmust be in the futureiatclaim valuenoncemust be the same as used in the authentication requestnoncemust not be received before (within a reasonable time window)