MDL-83423 mod_lti: fix JWK decoding when multiple keys missing alg

Related to MDL-77077; this is a case that was missed there. Now, any
unusable keys (i.e. keys that can't be used during the JWT decode) are
dropped from the keyset if they don't have the 'alg' prop, preventing a
'missing alg' exception during keyset parsing. Since these cannot be used
during decode, they aren't needed anyway.
Jake Dallimore 2024-10-10 12:24:17 +08:00
parent b48e64e2a1
commit 62a0b21d27


@ -1323,7 +1323,6 @@ function lti_verify_with_keyset($jwtparam, $keyseturl, $clientid) {
throw new moodle_exception('errornocachedkeysetfound', 'mod_lti');
}
$keysetarr = json_decode($keyset, true);
// JWK::parseKeySet uses RS256 algorithm by default.
$keys = JWK::parseKeySet($keysetarr);
$jwt = JWT::decode($jwtparam, $keys);
} catch (Exception $e) {
@ -1332,7 +1331,10 @@ function lti_verify_with_keyset($jwtparam, $keyseturl, $clientid) {
$keysetarr = json_decode($keyset, true);
// Fix for firebase/php-jwt's dependency on the optional 'alg' property in the JWK.
// The fix_jwks_alg() call only fixes a single, matched key and will leave others present (which may be missing alg too),
// Remaining keys missing alg are excluded since they cannot be used for decoding anyway (no match to JWT kid).
$keysetarr = jwks_helper::fix_jwks_alg($keysetarr, $jwtparam);
$keysetarr['keys'] = array_filter($keysetarr['keys'], fn($key) => isset($key['alg']));
// JWK::parseKeySet uses RS256 algorithm by default.
$keys = JWK::parseKeySet($keysetarr);