112 lines
5.3 KiB
PHP
112 lines
5.3 KiB
PHP
<?php
|
|
// This file is part of Moodle - http://moodle.org/
|
|
//
|
|
// Moodle is free software: you can redistribute it and/or modify
|
|
// it under the terms of the GNU General Public License as published by
|
|
// the Free Software Foundation, either version 3 of the License, or
|
|
// (at your option) any later version.
|
|
//
|
|
// Moodle is distributed in the hope that it will be useful,
|
|
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
// GNU General Public License for more details.
|
|
//
|
|
// You should have received a copy of the GNU General Public License
|
|
// along with Moodle. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
/**
|
|
* LTI 1.3 login endpoint.
|
|
*
|
|
* See: http://www.imsglobal.org/spec/security/v1p0/#step-1-third-party-initiated-login
|
|
*
|
|
* This must support both POST and GET methods, as per the spec.
|
|
*
|
|
* @package enrol_lti
|
|
* @copyright 2021 Jake Dallimore <jrhdallimore@gmail.com
|
|
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
|
|
*/
|
|
|
|
use auth_lti\local\ltiadvantage\utility\cookie_helper;
|
|
use enrol_lti\local\ltiadvantage\lib\lti_cookie;
|
|
use enrol_lti\local\ltiadvantage\lib\issuer_database;
|
|
use enrol_lti\local\ltiadvantage\lib\launch_cache_session;
|
|
use enrol_lti\local\ltiadvantage\repository\application_registration_repository;
|
|
use enrol_lti\local\ltiadvantage\repository\deployment_repository;
|
|
use Packback\Lti1p3\LtiOidcLogin;
|
|
|
|
require_once(__DIR__."/../../config.php");
|
|
|
|
// Required fields for OIDC 3rd party initiated login.
|
|
// See http://www.imsglobal.org/spec/security/v1p0/#step-1-third-party-initiated-login.
|
|
// Validate these here, despite further validation in the LTI 1.3 library.
|
|
$iss = required_param('iss', PARAM_URL); // Issuer URI of the calling platform.
|
|
$loginhint = required_param('login_hint', PARAM_RAW); // Platform ID for the person to login.
|
|
$targetlinkuri = required_param('target_link_uri', PARAM_URL); // The took launch URL.
|
|
|
|
// Optional lti_message_hint. See https://www.imsglobal.org/spec/lti/v1p3#additional-login-parameters-0.
|
|
// If found, this must be returned unmodified to the platform.
|
|
$ltimessagehint = optional_param('lti_message_hint', null, PARAM_RAW);
|
|
|
|
// The target_link_uri param should contain the endpoint that will be executed at the end of the OIDC login process.
|
|
// In Moodle, this will either be:
|
|
// - enrol/lti/launch.php endpoint (for regular resource link launches) or
|
|
// - enrol/lti/launch_deeplink.php endpoint (for deep linking launches)
|
|
// Thus, the target_link_uri signifies intent to perform a certain launch type. It can be used to generate the
|
|
// redirect_uri param for the auth request but must first be verified, as it is unsigned data at this stage.
|
|
// See here: https://www.imsglobal.org/spec/lti/v1p3/impl#verify-the-target_link_uri.
|
|
//
|
|
// Also note that final redirection to the resource (after the login process is complete) should rely on the
|
|
// https://purl.imsglobal.org/spec/lti/claim/target_link_uri claim instead of the target_link_uri value provided here.
|
|
// See here: http://www.imsglobal.org/spec/lti/v1p3/#target-link-uri.
|
|
$validuris = [
|
|
(new moodle_url('/enrol/lti/launch.php'))->out(false), // Resource link launches.
|
|
(new moodle_url('/enrol/lti/launch_deeplink.php'))->out(false) // Deep linking launches.
|
|
];
|
|
|
|
// This code verifies the target_link_uri. Only two values are permitted (see endpoints listed above).
|
|
if (!in_array($targetlinkuri, $validuris)) {
|
|
$msg = 'The target_link_uri param must match one of the redirect URIs set during tool registration.';
|
|
throw new coding_exception($msg);
|
|
}
|
|
|
|
// Because client_id is optional, this endpoint receives a param 'id', a unique id generated when creating the registration.
|
|
// A registration can thus be located by either the tuple {iss, client_id} (if client_id is provided), or by the tuple {iss, id},
|
|
// (if client_id is not provided). See https://www.imsglobal.org/spec/lti/v1p3/#client_id-login-parameter.
|
|
global $_REQUEST;
|
|
if (empty($_REQUEST['client_id']) && !empty($_REQUEST['id'])) {
|
|
$_REQUEST['client_id'] = $_REQUEST['id'];
|
|
}
|
|
|
|
// Before beginning the OIDC authentication, ensure the MoodleSession cookie can be used. Browser-specific steps may need to be
|
|
// taken to set cookies in 3rd party contexts. Skip the check if the user is already auth'd. This means that either cookies aren't
|
|
// an issue in the current browser/launch context.
|
|
if (!isloggedin()) {
|
|
cookie_helper::do_cookie_check(new moodle_url('/enrol/lti/login.php', [
|
|
'iss' => $iss,
|
|
'login_hint' => $loginhint,
|
|
'target_link_uri' => $targetlinkuri,
|
|
'lti_message_hint' => $ltimessagehint,
|
|
'client_id' => $_REQUEST['client_id'],
|
|
]));
|
|
if (!cookie_helper::cookies_supported()) {
|
|
global $OUTPUT, $PAGE;
|
|
$PAGE->set_context(context_system::instance());
|
|
$PAGE->set_url(new moodle_url('/enrol/lti/login.php'));
|
|
$PAGE->set_pagelayout('popup');
|
|
echo $OUTPUT->header();
|
|
$renderer = $PAGE->get_renderer('enrol_lti');
|
|
echo $renderer->render_cookies_required_notice();
|
|
echo $OUTPUT->footer();
|
|
die();
|
|
}
|
|
}
|
|
|
|
// Now, do the OIDC login.
|
|
$redirecturl = LtiOidcLogin::new(
|
|
new issuer_database(new application_registration_repository(), new deployment_repository()),
|
|
new launch_cache_session(),
|
|
new lti_cookie()
|
|
)->getRedirectUrl($targetlinkuri, $_REQUEST);
|
|
|
|
redirect($redirecturl);
|