d1/db7/ltitoken_8php_source.html

<?php


declare(strict_types=1);


use ILIAS\Filesystem\Exception\IOException;

use Firebase\JWT\JWT;

use Firebase\JWT\JWK;


chdir("../../");


require_once("Services/Init/classes/class.ilInitialisation.php");


ilContext::init(ilContext::CONTEXT_SCORM);

ilInitialisation::initILIAS();


global $DIC;


ilObjLTIConsumer::getLogger()->debug("accesstoken request");


$gradeService = new ilLTIConsumerGradeService();


if (!empty(ilObjLTIConsumer::verifyPrivateKey())) {

    serverError(ilObjLTIConsumer::verifyPrivateKey());

}


if (strtoupper($DIC->http()->request()->getMethod()) !== "POST") {

    invalidRequest("wrong method " . $DIC->http()->request()->getMethod());

}


$params = $DIC->http()->wrapper()->query();

$post = $DIC->http()->wrapper()->post();


if (!$post->has('client_assertion') || !$post->has('client_assertion_type') || !$post->has('grant_type') || !$post->has('scope')) {

    invalidRequest("bad request: " . var_export($params, true) . "\n" . var_export($post, true));

}


$clientAssertion = $post->retrieve('client_assertion', $DIC->refinery()->kindlyTo()->string());

$clientAssertionType = $post->retrieve('client_assertion_type', $DIC->refinery()->kindlyTo()->string());

$grantType = $post->retrieve('grant_type', $DIC->refinery()->kindlyTo()->string());

$scope = $post->retrieve('scope', $DIC->refinery()->kindlyTo()->string());


if ($clientAssertionType != 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer' || $grantType != 'client_credentials') {

    invalidRequest("bad request: unsupported grant_type: " . $grantType);

}


$parts = explode('.', $clientAssertion);


if (count($parts) != 3) {

    invalidRequest("bad request: " . var_export($parts, true));

}


$payload = JWT::urlsafeB64Decode($parts[1]);

$claims = json_decode($payload, true);


if ($claims == null) {

    invalidRequest("bad request: no claims");

}


$clientId = $claims['sub'];

if (empty($clientId)) {

    invalidRequest("bad request: no claims");

}


$providerId = 0;

$provider = null;


try {

    $providerId = ilLTIConsumeProvider::getProviderIdFromClientId($clientId);

} catch (IOException $e) {

    invalidRequest(var_export($e, true));

}


try {

    $provider = new ilLTIConsumeProvider($providerId);

} catch (IOException $e) {

    serverError(var_export($e, true));

}


validateServiceToken($clientAssertion, $provider);


$scopes = array();

// ToDo: support for other services

$gradeService = new ilLTIConsumerGradeService();

$requestedscopes = explode(' ', $scope);

$scopes = array_intersect($requestedscopes, $gradeService->getPermittedScopes());


if (empty($scopes)) {

    invalidRequest("empty scopes");

}


sendAccessToken(implode(" ", $scopes), $provider);


function validateServiceToken(string $token, ilLTIConsumeProvider $provider): void

{

    try {

        ilObjLTIConsumer::getLogger()->debug("validateServiceToken");

        // ToDo: caching

        $jwks = file_get_contents($provider->getPublicKeyset());

        $keyset = json_decode($jwks, true);

        $keys = JWK::parseKeySet($keyset);

        $data = JWT::decode($token, $keys);

        //ilObjLTIConsumer::getLogger()->debug(var_export($data, TRUE));

        if ($provider->getClientId() != $data->iss || $provider->getClientId() != $data->sub) {

            invalidRequest("invalid clientId");

        }

    } catch (Exception $e) {

        serverError(var_export($e, true));

    }

}


function sendAccessToken(string $scopes, ilLTIConsumeProvider $provider): void

{

    ilObjLTIConsumer::getLogger()->debug("sendAccesToken");

    $now = time();

    $token = [

        "sub" => $provider->getClientId(),

        "iat" => $now,

        "exp" => $now + 3600,

        "imsglobal.org.security.scope" => $scopes

    ];

    try {

        $privateKey = ilObjLTIConsumer::getPrivateKey();

        $accessToken = JWT::encode($token, $privateKey['key'], 'RS256', $privateKey['kid']);

        $responseData = array(

            'access_token' => $accessToken,

            'token_type' => 'baerer',

            'expires_in' => 3600,

            'scope' => $scopes

        );

        ilObjLTIConsumer::sendResponseJson($responseData);

    } catch (Exception $e) {

        serverError(var_export($e, true));

    }

}


function serverError(string $log = ""): void

{

    if (!empty($log)) {

        ilObjLTIConsumer::getLogger()->error($log);

    }

    ilObjLTIConsumer::sendResponseError(500, json_encode(array('error' => "ERROR_OPEN_SSL_CONF")));

}


function invalidRequest(string $log = ""): void

{

    if (!empty($log)) {

        ilObjLTIConsumer::getLogger()->error($log);

    }

    ilObjLTIConsumer::sendResponseError(400, json_encode(array('error' => 'invalid_request')));

}

Firebase\JWT\JWK
Definition: JWK.php:22

Firebase\JWT\JWT
Definition: JWT.php:29

ILIAS\Filesystem\Exception\IOException
Class IOException.
Definition: IOException.php:28

ilContext\CONTEXT_SCORM
const CONTEXT_SCORM
Definition: class.ilContext.php:42

ilContext\init
static init(string $a_type)
Init context by type.
Definition: class.ilContext.php:52

ilInitialisation\initILIAS
static initILIAS()
ilias initialisation
Definition: class.ilInitialisation.php:1225

ilLTIConsumeProvider
Definition: class.ilLTIConsumeProvider.php:32

ilLTIConsumeProvider\getProviderIdFromClientId
static getProviderIdFromClientId(string $clientId)
Definition: class.ilLTIConsumeProvider.php:929

ilLTIConsumerGradeService
Definition: class.ilLTIConsumerGradeService.php:31

ilObjLTIConsumer\getPrivateKey
static getPrivateKey()
Definition: class.ilObjLTIConsumer.php:1087

ilObjLTIConsumer\sendResponseError
static sendResponseError(int $code, string $message, $log=true)
Definition: class.ilObjLTIConsumer.php:1309

ilObjLTIConsumer\getLogger
static getLogger()
Definition: class.ilObjLTIConsumer.php:1386

ilObjLTIConsumer\verifyPrivateKey
static verifyPrivateKey()
Definition: class.ilObjLTIConsumer.php:1102

ilObjLTIConsumer\sendResponseJson
static sendResponseJson(array $obj)
Definition: class.ilObjLTIConsumer.php:1328

$data
$data
Definition: ltiregistration.php:31

$responseData
$responseData
Definition: ltiregistration.php:32

$privateKey
$privateKey
Definition: ltiregstart.php:68

sendAccessToken
sendAccessToken(string $scopes, ilLTIConsumeProvider $provider)
Definition: ltitoken.php:129

$clientAssertionType
$clientAssertionType
Definition: ltitoken.php:56

$claims
$claims
Definition: ltitoken.php:71

$scope
$scope
Definition: ltitoken.php:58

$params
if(!empty(ilObjLTIConsumer::verifyPrivateKey())) if(strtoupper($DIC->http() ->request() ->getMethod()) !=="POST") $params
Definition: ltitoken.php:48

$DIC
global $DIC
Definition: ltitoken.php:34

$post
$post
Definition: ltitoken.php:49

invalidRequest
invalidRequest(string $log="")
Definition: ltitoken.php:162

$grantType
$grantType
Definition: ltitoken.php:57

$clientAssertion
if(! $post->has('client_assertion')||! $post->has('client_assertion_type')||! $post->has('grant_type')||! $post->has('scope')) $clientAssertion
Definition: ltitoken.php:55

$parts
if($clientAssertionType !='urn:ietf:params:oauth:client-assertion-type:jwt-bearer'|| $grantType !='client_credentials') $parts
Definition: ltitoken.php:64

$requestedscopes
$requestedscopes
Definition: ltitoken.php:102

$scopes
$scopes
Definition: ltitoken.php:99

$provider
$provider
Definition: ltitoken.php:83

validateServiceToken
validateServiceToken(string $token, ilLTIConsumeProvider $provider)
Definition: ltitoken.php:111

$clientId
if($claims==null) $clientId
Definition: ltitoken.php:77

$gradeService
$gradeService
Definition: ltitoken.php:38

serverError
serverError(string $log="")
Definition: ltitoken.php:154

$payload
if(count($parts) !=3) $payload
Definition: ltitoken.php:70

$providerId
if(empty($clientId)) $providerId
Definition: ltitoken.php:82

$keys
$keys
Definition: metadata.php:204

Vendor\Package\$e
$e
Definition: example_cleaned.php:49

$log
$log
Definition: result.php:33

$token
$token
Definition: xapitoken.php:70