ILIAS  trunk Revision v11.0_alpha-3011-gc6b235a2e85
ltitoken.php
Go to the documentation of this file.
1<?php
2
19declare(strict_types=1);
20
22use ILIAS\Filesystem\Exception\IOException;
23use Firebase\JWT\JWT;
24use Firebase\JWT\JWK;
25
26require_once("../vendor/composer/vendor/autoload.php");
27
28ilContext::init(ilContext::CONTEXT_SCORM);
29ilInitialisation::initILIAS();
30
31global $DIC;
32
33ilObjLTIConsumer::getLogger()->debug("accesstoken request");
34
35$gradeService = new ilLTIConsumerGradeService();
36
37if (!empty(ilObjLTIConsumer::verifyPrivateKey())) {
38 serverError(ilObjLTIConsumer::verifyPrivateKey());
39}
40
41if (strtoupper($DIC->http()->request()->getMethod()) !== "POST") {
42 invalidRequest("wrong method " . $DIC->http()->request()->getMethod());
43}
44
45$params = $DIC->http()->wrapper()->query();
46$post = $DIC->http()->wrapper()->post();
47
48if (!$post->has('client_assertion') || !$post->has('client_assertion_type') || !$post->has('grant_type') || !$post->has('scope')) {
49 invalidRequest("bad request: " . var_export($params, true) . "\n" . var_export($post, true));
50}
51
52$clientAssertion = $post->retrieve('client_assertion', $DIC->refinery()->kindlyTo()->string());
53$clientAssertionType = $post->retrieve('client_assertion_type', $DIC->refinery()->kindlyTo()->string());
54$grantType = $post->retrieve('grant_type', $DIC->refinery()->kindlyTo()->string());
55$scope = $post->retrieve('scope', $DIC->refinery()->kindlyTo()->string());
56
57if ($clientAssertionType != 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer' || $grantType != 'client_credentials') {
58 invalidRequest("bad request: unsupported grant_type: " . $grantType);
59}
60
61$parts = explode('.', $clientAssertion);
62
63if (count($parts) != 3) {
64 invalidRequest("bad request: " . var_export($parts, true));
65}
66
67$payload = JWT::urlsafeB64Decode($parts[1]);
68$claims = json_decode($payload, true);
69
70if ($claims == null) {
71 invalidRequest("bad request: no claims");
72}
73
74$clientId = $claims['sub'];
75if (empty($clientId)) {
76 invalidRequest("bad request: no claims");
77}
78
79$providerId = 0;
80$provider = null;
81
82try {
83 $providerId = ilLTIConsumeProvider::getProviderIdFromClientId($clientId);
84} catch (IOException $e) {
85 invalidRequest(var_export($e, true));
86}
87
88try {
89 $provider = new ilLTIConsumeProvider($providerId);
90} catch (IOException $e) {
91 serverError(var_export($e, true));
92}
93
94validateServiceToken($clientAssertion, $provider);
95
96$scopes = array();
97// ToDo: support for other services
98$gradeService = new ilLTIConsumerGradeService();
99$requestedscopes = explode(' ', $scope);
100$scopes = array_intersect($requestedscopes, $gradeService->getPermittedScopes());
101
102if (empty($scopes)) {
103 invalidRequest("empty scopes");
104}
105
106sendAccessToken(implode(" ", $scopes), $provider);
107
108function validateServiceToken(string $token, ilLTIConsumeProvider $provider): void
109{
110 try {
111 ilObjLTIConsumer::getLogger()->debug("validateServiceToken");
112 // ToDo: caching
113 $jwks = file_get_contents($provider->getPublicKeyset());
114 $keyset = json_decode($jwks, true);
115 $keys = JWK::parseKeySet($keyset);
116 $data = JWT::decode($token, $keys);
117 //ilObjLTIConsumer::getLogger()->debug(var_export($data, TRUE));
118 if ($provider->getClientId() != $data->iss || $provider->getClientId() != $data->sub) {
119 invalidRequest("invalid clientId");
120 }
121 } catch (Exception $e) {
122 serverError(var_export($e, true));
123 }
124}
125
126function sendAccessToken(string $scopes, ilLTIConsumeProvider $provider): void
127{
128 ilObjLTIConsumer::getLogger()->debug("sendAccesToken");
129 $now = time();
130 $token = [
131 "sub" => $provider->getClientId(),
132 "iat" => $now,
133 "exp" => $now + 3600,
134 "imsglobal.org.security.scope" => $scopes
135 ];
136 try {
137 $privateKey = ilObjLTIConsumer::getPrivateKey();
138 $accessToken = JWT::encode($token, $privateKey['key'], 'RS256', $privateKey['kid']);
139 $responseData = array(
140 'access_token' => $accessToken,
141 'token_type' => 'bearer',
142 'expires_in' => 3600,
143 'scope' => $scopes
144 );
145 ilObjLTIConsumer::sendResponseJson($responseData);
146 } catch (Exception $e) {
147 serverError(var_export($e, true));
148 }
149}
150
151function serverError(string $log = ""): void
152{
153 if (!empty($log)) {
154 ilObjLTIConsumer::getLogger()->error($log);
155 }
156 ilObjLTIConsumer::sendResponseError(500, json_encode(array('error' => "ERROR_OPEN_SSL_CONF")));
157}
158
159function invalidRequest(string $log = ""): void
160{
161 if (!empty($log)) {
162 ilObjLTIConsumer::getLogger()->error($log);
163 }
164 ilObjLTIConsumer::sendResponseError(400, json_encode(array('error' => 'invalid_request')));
165}
ILIAS\Filesystem\Exception\IOException
Indicates general problems with the input or output operations.
Definition: IOException.php:28
ilContext\CONTEXT_SCORM
const CONTEXT_SCORM
Definition: class.ilContext.php:42
ilContext\init
static init(string $a_type)
Init context by type.
Definition: class.ilContext.php:52
ilInitialisation\initILIAS
static initILIAS()
ilias initialisation
Definition: class.ilInitialisation.php:1144
ilLTIConsumeProvider\getProviderIdFromClientId
static getProviderIdFromClientId(string $clientId)
Definition: class.ilLTIConsumeProvider.php:929
ilObjLTIConsumer\sendResponseError
static sendResponseError(int $code, string $message, $log=true)
Definition: class.ilObjLTIConsumer.php:1358
ilObjLTIConsumer\sendResponseJson
static sendResponseJson(array $obj)
Definition: class.ilObjLTIConsumer.php:1377
$responseData
$responseData
Definition: ltiregistration.php:30
$privateKey
$privateKey
Definition: ltiregstart.php:66
$log
$log
Definition: ltiresult.php:34
sendAccessToken
sendAccessToken(string $scopes, ilLTIConsumeProvider $provider)
Definition: ltitoken.php:126
$clientAssertionType
$clientAssertionType
Definition: ltitoken.php:53
$claims
$claims
Definition: ltitoken.php:68
$scope
$scope
Definition: ltitoken.php:55
$params
if(!empty(ilObjLTIConsumer::verifyPrivateKey())) if(strtoupper($DIC->http() ->request() ->getMethod()) !=="POST") $params
Definition: ltitoken.php:45
$DIC
global $DIC
Definition: ltitoken.php:31
$post
$post
Definition: ltitoken.php:46
invalidRequest
invalidRequest(string $log="")
Definition: ltitoken.php:159
$grantType
$grantType
Definition: ltitoken.php:54
$clientAssertion
if(! $post->has('client_assertion')||! $post->has('client_assertion_type')||! $post->has('grant_type')||! $post->has('scope')) $clientAssertion
Definition: ltitoken.php:52
$parts
if($clientAssertionType !='urn:ietf:params:oauth:client-assertion-type:jwt-bearer'|| $grantType !='client_credentials') $parts
Definition: ltitoken.php:61
$requestedscopes
$requestedscopes
Definition: ltitoken.php:99
$scopes
$scopes
Definition: ltitoken.php:96
$provider
$provider
Definition: ltitoken.php:80
validateServiceToken
validateServiceToken(string $token, ilLTIConsumeProvider $provider)
Definition: ltitoken.php:108
$clientId
if($claims==null) $clientId
Definition: ltitoken.php:74
$gradeService
$gradeService
Definition: ltitoken.php:35
serverError
serverError(string $log="")
Definition: ltitoken.php:151
$payload
if(count($parts) !=3) $payload
Definition: ltitoken.php:67
$providerId
if(empty($clientId)) $providerId
Definition: ltitoken.php:79
$token
$token
Definition: xapitoken.php:70