ILIAS  release_8 Revision v8.23
ltitoken.php
Go to the documentation of this file.
1 <?php
2 
3 declare(strict_types=1);
4 
23 use ILIAS\Filesystem\Exception\IOException;
24 use Firebase\JWT\JWT;
25 use Firebase\JWT\JWK;
26 
27 chdir("../../");
28 
29 require_once("Services/Init/classes/class.ilInitialisation.php");
30 
31 ilContext::init(ilContext::CONTEXT_SCORM);
32 ilInitialisation::initILIAS();
33 
34 global $DIC;
35 
36 ilObjLTIConsumer::getLogger()->debug("accesstoken request");
37 
38 $gradeService = new ilLTIConsumerGradeService();
39 
40 if (!empty(ilObjLTIConsumer::verifyPrivateKey())) {
41  serverError(ilObjLTIConsumer::verifyPrivateKey());
42 }
43 
44 if (strtoupper($DIC->http()->request()->getMethod()) !== "POST") {
45  invalidRequest("wrong method " . $DIC->http()->request()->getMethod());
46 }
47 
48 $params = $DIC->http()->wrapper()->query();
49 $post = $DIC->http()->wrapper()->post();
50 
51 if (!$post->has('client_assertion') || !$post->has('client_assertion_type') || !$post->has('grant_type') || !$post->has('scope')) {
52  invalidRequest("bad request: " . var_export($params, true) . "\n" . var_export($post, true));
53 }
54 
55 $clientAssertion = $post->retrieve('client_assertion', $DIC->refinery()->kindlyTo()->string());
56 $clientAssertionType = $post->retrieve('client_assertion_type', $DIC->refinery()->kindlyTo()->string());
57 $grantType = $post->retrieve('grant_type', $DIC->refinery()->kindlyTo()->string());
58 $scope = $post->retrieve('scope', $DIC->refinery()->kindlyTo()->string());
59 
60 if ($clientAssertionType != 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer' || $grantType != 'client_credentials') {
61  invalidRequest("bad request: unsupported grant_type: " . $grantType);
62 }
63 
64 $parts = explode('.', $clientAssertion);
65 
66 if (count($parts) != 3) {
67  invalidRequest("bad request: " . var_export($parts, true));
68 }
69 
70 $payload = JWT::urlsafeB64Decode($parts[1]);
71 $claims = json_decode($payload, true);
72 
73 if ($claims == null) {
74  invalidRequest("bad request: no claims");
75 }
76 
77 $clientId = $claims['sub'];
78 if (empty($clientId)) {
79  invalidRequest("bad request: no claims");
80 }
81 
82 $providerId = 0;
83 $provider = null;
84 
85 try {
86  $providerId = ilLTIConsumeProvider::getProviderIdFromClientId($clientId);
87 } catch (IOException $e) {
88  invalidRequest(var_export($e, true));
89 }
90 
91 try {
92  $provider = new ilLTIConsumeProvider($providerId);
93 } catch (IOException $e) {
94  serverError(var_export($e, true));
95 }
96 
97 validateServiceToken($clientAssertion, $provider);
98 
99 $scopes = array();
100 // ToDo: support for other services
101 $gradeService = new ilLTIConsumerGradeService();
102 $requestedscopes = explode(' ', $scope);
103 $scopes = array_intersect($requestedscopes, $gradeService->getPermittedScopes());
104 
105 if (empty($scopes)) {
106  invalidRequest("empty scopes");
107 }
108 
109 sendAccessToken(implode(" ", $scopes), $provider);
110 
111 function validateServiceToken(string $token, ilLTIConsumeProvider $provider): void
112 {
113  try {
114  ilObjLTIConsumer::getLogger()->debug("validateServiceToken");
115  // ToDo: caching
116  $jwks = file_get_contents($provider->getPublicKeyset());
117  $keyset = json_decode($jwks, true);
118  $keys = JWK::parseKeySet($keyset);
119  $data = JWT::decode($token, $keys);
120  //ilObjLTIConsumer::getLogger()->debug(var_export($data, TRUE));
121  if ($provider->getClientId() != $data->iss || $provider->getClientId() != $data->sub) {
122  invalidRequest("invalid clientId");
123  }
124  } catch (Exception $e) {
125  serverError(var_export($e, true));
126  }
127 }
128 
129 function sendAccessToken(string $scopes, ilLTIConsumeProvider $provider): void
130 {
131  ilObjLTIConsumer::getLogger()->debug("sendAccesToken");
132  $now = time();
133  $token = [
134  "sub" => $provider->getClientId(),
135  "iat" => $now,
136  "exp" => $now + 3600,
137  "imsglobal.org.security.scope" => $scopes
138  ];
139  try {
140  $privateKey = ilObjLTIConsumer::getPrivateKey();
141  $accessToken = JWT::encode($token, $privateKey['key'], 'RS256', $privateKey['kid']);
142  $responseData = array(
143  'access_token' => $accessToken,
144  'token_type' => 'baerer',
145  'expires_in' => 3600,
146  'scope' => $scopes
147  );
148  ilObjLTIConsumer::sendResponseJson($responseData);
149  } catch (Exception $e) {
150  serverError(var_export($e, true));
151  }
152 }
153 
154 function serverError(string $log = ""): void
155 {
156  if (!empty($log)) {
157  ilObjLTIConsumer::getLogger()->error($log);
158  }
159  ilObjLTIConsumer::sendResponseError(500, json_encode(array('error' => "ERROR_OPEN_SSL_CONF")));
160 }
161 
162 function invalidRequest(string $log = ""): void
163 {
164  if (!empty($log)) {
165  ilObjLTIConsumer::getLogger()->error($log);
166  }
167  ilObjLTIConsumer::sendResponseError(400, json_encode(array('error' => 'invalid_request')));
168 }
$gradeService
$gradeService
Definition: ltitoken.php:38
$params
if(!empty(ilObjLTIConsumer::verifyPrivateKey())) if(strtoupper($DIC->http() ->request() ->getMethod()) !=="POST") $params
Definition: ltitoken.php:48
$parts
if($clientAssertionType !='urn:ietf:params:oauth:client-assertion-type:jwt-bearer'|| $grantType !='client_credentials') $parts
Definition: ltitoken.php:64
ilObjLTIConsumer\sendResponseError
static sendResponseError(int $code, string $message, $log=true)
Definition: class.ilObjLTIConsumer.php:1309
$payload
if(count($parts) !=3) $payload
Definition: ltitoken.php:70
$scopes
$scopes
Definition: ltitoken.php:99
ilContext\CONTEXT_SCORM
const CONTEXT_SCORM
Definition: class.ilContext.php:42
$DIC
global $DIC
Definition: ltitoken.php:34
$providerId
if(empty($clientId)) $providerId
Definition: ltitoken.php:82
$responseData
$responseData
Definition: ltiregistration.php:32
$requestedscopes
$requestedscopes
Definition: ltitoken.php:102
validateServiceToken
validateServiceToken(string $token, ilLTIConsumeProvider $provider)
Definition: ltitoken.php:111
$claims
$claims
Definition: ltitoken.php:71
ilLTIConsumeProvider\getProviderIdFromClientId
static getProviderIdFromClientId(string $clientId)
Definition: class.ilLTIConsumeProvider.php:929
$clientAssertionType
$clientAssertionType
Definition: ltitoken.php:56
$provider
$provider
Definition: ltitoken.php:83
serverError
serverError(string $log="")
Definition: ltitoken.php:154
$clientId
if($claims==null) $clientId
Definition: ltitoken.php:77
ilInitialisation\initILIAS
static initILIAS()
ilias initialisation
Definition: class.ilInitialisation.php:1225
$keys
$keys
Definition: metadata.php:204
$log
$log
Definition: result.php:33
$token
$token
Definition: xapitoken.php:70
$clientAssertion
if(! $post->has('client_assertion')||! $post->has('client_assertion_type')||! $post->has('grant_type')||! $post->has('scope')) $clientAssertion
Definition: ltitoken.php:55
$scope
$scope
Definition: ltitoken.php:58
invalidRequest
invalidRequest(string $log="")
Definition: ltitoken.php:162
$privateKey
$privateKey
Definition: ltiregstart.php:68
ilContext\init
static init(string $a_type)
Init context by type.
Definition: class.ilContext.php:52
$grantType
$grantType
Definition: ltitoken.php:57
$post
$post
Definition: ltitoken.php:49
ilObjLTIConsumer\sendResponseJson
static sendResponseJson(array $obj)
Definition: class.ilObjLTIConsumer.php:1328
sendAccessToken
sendAccessToken(string $scopes, ilLTIConsumeProvider $provider)
Definition: ltitoken.php:129