ILIAS  trunk Revision v11.0_alpha-1843-g9e1fad99175
All Data Structures Namespaces Files Functions Variables Enumerations Enumerator Modules Pages
ltitoken.php
Go to the documentation of this file.
1 <?php
2 
19 declare(strict_types=1);
20 
22 use ILIAS\Filesystem\Exception\IOException;
23 use Firebase\JWT\JWT;
24 use Firebase\JWT\JWK;
25 
26 chdir("../../../");
27 
28 ilContext::init(ilContext::CONTEXT_SCORM);
29 ilInitialisation::initILIAS();
30 
31 global $DIC;
32 
33 ilObjLTIConsumer::getLogger()->debug("accesstoken request");
34 
35 $gradeService = new ilLTIConsumerGradeService();
36 
37 if (!empty(ilObjLTIConsumer::verifyPrivateKey())) {
38  serverError(ilObjLTIConsumer::verifyPrivateKey());
39 }
40 
41 if (strtoupper($DIC->http()->request()->getMethod()) !== "POST") {
42  invalidRequest("wrong method " . $DIC->http()->request()->getMethod());
43 }
44 
45 $params = $DIC->http()->wrapper()->query();
46 $post = $DIC->http()->wrapper()->post();
47 
48 if (!$post->has('client_assertion') || !$post->has('client_assertion_type') || !$post->has('grant_type') || !$post->has('scope')) {
49  invalidRequest("bad request: " . var_export($params, true) . "\n" . var_export($post, true));
50 }
51 
52 $clientAssertion = $post->retrieve('client_assertion', $DIC->refinery()->kindlyTo()->string());
53 $clientAssertionType = $post->retrieve('client_assertion_type', $DIC->refinery()->kindlyTo()->string());
54 $grantType = $post->retrieve('grant_type', $DIC->refinery()->kindlyTo()->string());
55 $scope = $post->retrieve('scope', $DIC->refinery()->kindlyTo()->string());
56 
57 if ($clientAssertionType != 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer' || $grantType != 'client_credentials') {
58  invalidRequest("bad request: unsupported grant_type: " . $grantType);
59 }
60 
61 $parts = explode('.', $clientAssertion);
62 
63 if (count($parts) != 3) {
64  invalidRequest("bad request: " . var_export($parts, true));
65 }
66 
67 $payload = JWT::urlsafeB64Decode($parts[1]);
68 $claims = json_decode($payload, true);
69 
70 if ($claims == null) {
71  invalidRequest("bad request: no claims");
72 }
73 
74 $clientId = $claims['sub'];
75 if (empty($clientId)) {
76  invalidRequest("bad request: no claims");
77 }
78 
79 $providerId = 0;
80 $provider = null;
81 
82 try {
83  $providerId = ilLTIConsumeProvider::getProviderIdFromClientId($clientId);
84 } catch (IOException $e) {
85  invalidRequest(var_export($e, true));
86 }
87 
88 try {
89  $provider = new ilLTIConsumeProvider($providerId);
90 } catch (IOException $e) {
91  serverError(var_export($e, true));
92 }
93 
94 validateServiceToken($clientAssertion, $provider);
95 
96 $scopes = array();
97 // ToDo: support for other services
98 $gradeService = new ilLTIConsumerGradeService();
99 $requestedscopes = explode(' ', $scope);
100 $scopes = array_intersect($requestedscopes, $gradeService->getPermittedScopes());
101 
102 if (empty($scopes)) {
103  invalidRequest("empty scopes");
104 }
105 
106 sendAccessToken(implode(" ", $scopes), $provider);
107 
108 function validateServiceToken(string $token, ilLTIConsumeProvider $provider): void
109 {
110  try {
111  ilObjLTIConsumer::getLogger()->debug("validateServiceToken");
112  // ToDo: caching
113  $jwks = file_get_contents($provider->getPublicKeyset());
114  $keyset = json_decode($jwks, true);
115  $keys = JWK::parseKeySet($keyset);
116  $data = JWT::decode($token, $keys);
117  //ilObjLTIConsumer::getLogger()->debug(var_export($data, TRUE));
118  if ($provider->getClientId() != $data->iss || $provider->getClientId() != $data->sub) {
119  invalidRequest("invalid clientId");
120  }
121  } catch (Exception $e) {
122  serverError(var_export($e, true));
123  }
124 }
125 
126 function sendAccessToken(string $scopes, ilLTIConsumeProvider $provider): void
127 {
128  ilObjLTIConsumer::getLogger()->debug("sendAccesToken");
129  $now = time();
130  $token = [
131  "sub" => $provider->getClientId(),
132  "iat" => $now,
133  "exp" => $now + 3600,
134  "imsglobal.org.security.scope" => $scopes
135  ];
136  try {
137  $privateKey = ilObjLTIConsumer::getPrivateKey();
138  $accessToken = JWT::encode($token, $privateKey['key'], 'RS256', $privateKey['kid']);
139  $responseData = array(
140  'access_token' => $accessToken,
141  'token_type' => 'baerer',
142  'expires_in' => 3600,
143  'scope' => $scopes
144  );
145  ilObjLTIConsumer::sendResponseJson($responseData);
146  } catch (Exception $e) {
147  serverError(var_export($e, true));
148  }
149 }
150 
151 function serverError(string $log = ""): void
152 {
153  if (!empty($log)) {
154  ilObjLTIConsumer::getLogger()->error($log);
155  }
156  ilObjLTIConsumer::sendResponseError(500, json_encode(array('error' => "ERROR_OPEN_SSL_CONF")));
157 }
158 
159 function invalidRequest(string $log = ""): void
160 {
161  if (!empty($log)) {
162  ilObjLTIConsumer::getLogger()->error($log);
163  }
164  ilObjLTIConsumer::sendResponseError(400, json_encode(array('error' => 'invalid_request')));
165 }
$gradeService
$gradeService
Definition: ltitoken.php:35
$params
if(!empty(ilObjLTIConsumer::verifyPrivateKey())) if(strtoupper($DIC->http() ->request() ->getMethod()) !=="POST") $params
Definition: ltitoken.php:45
Sabre::DAV\Exception\IOException
Indicates general problems with the input or output operations.
Definition: IOException.php:27
$parts
if($clientAssertionType !='urn:ietf:params:oauth:client-assertion-type:jwt-bearer'|| $grantType !='client_credentials') $parts
Definition: ltitoken.php:61
ilObjLTIConsumer\sendResponseError
static sendResponseError(int $code, string $message, $log=true)
Definition: class.ilObjLTIConsumer.php:1350
$payload
if(count($parts) !=3) $payload
Definition: ltitoken.php:67
$scopes
$scopes
Definition: ltitoken.php:96
ilContext\CONTEXT_SCORM
const CONTEXT_SCORM
Definition: class.ilContext.php:42
$DIC
global $DIC
Definition: ltitoken.php:31
$providerId
if(empty($clientId)) $providerId
Definition: ltitoken.php:79
$responseData
$responseData
Definition: ltiregistration.php:30
$requestedscopes
$requestedscopes
Definition: ltitoken.php:99
validateServiceToken
validateServiceToken(string $token, ilLTIConsumeProvider $provider)
Definition: ltitoken.php:108
$claims
$claims
Definition: ltitoken.php:68
ilLTIConsumeProvider\getProviderIdFromClientId
static getProviderIdFromClientId(string $clientId)
Definition: class.ilLTIConsumeProvider.php:929
null
while($session_entry=$r->fetchRow(ilDBConstants::FETCHMODE_ASSOC)) return null
Definition: shib_logout.php:142
$clientAssertionType
$clientAssertionType
Definition: ltitoken.php:53
$provider
$provider
Definition: ltitoken.php:80
serverError
serverError(string $log="")
Definition: ltitoken.php:151
$clientId
if($claims==null) $clientId
Definition: ltitoken.php:74
ilInitialisation\initILIAS
static initILIAS()
ilias initialisation
Definition: class.ilInitialisation.php:1145
$log
$log
Definition: result.php:32
$token
$token
Definition: xapitoken.php:70
$clientAssertion
if(! $post->has('client_assertion')||! $post->has('client_assertion_type')||! $post->has('grant_type')||! $post->has('scope')) $clientAssertion
Definition: ltitoken.php:52
$scope
$scope
Definition: ltitoken.php:55
invalidRequest
invalidRequest(string $log="")
Definition: ltitoken.php:159
$privateKey
$privateKey
Definition: ltiregstart.php:62
ilContext\init
static init(string $a_type)
Init context by type.
Definition: class.ilContext.php:52
$grantType
$grantType
Definition: ltitoken.php:54
$post
$post
Definition: ltitoken.php:46
ilObjLTIConsumer\sendResponseJson
static sendResponseJson(array $obj)
Definition: class.ilObjLTIConsumer.php:1369
sendAccessToken
sendAccessToken(string $scopes, ilLTIConsumeProvider $provider)
Definition: ltitoken.php:126