search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
on-demand release 3.8dev+
[moodle.git] / mod / lti / token.php
blob3d90ca8a385e9b8295ba3a6f4ddd83da63e62673
1 <?php
2 // This file is part of Moodle - http://moodle.org/
3 //
4 // Moodle is free software: you can redistribute it and/or modify
5 // it under the terms of the GNU General Public License as published by
6 // the Free Software Foundation, either version 3 of the License, or
7 // (at your option) any later version.
8 //
9 // Moodle is distributed in the hope that it will be useful,
10 // but WITHOUT ANY WARRANTY; without even the implied warranty of
11 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 // GNU General Public License for more details.
13 //
14 // You should have received a copy of the GNU General Public License
15 // along with Moodle. If not, see <http://www.gnu.org/licenses/>.
16
17 /**
18 * This file contains a service for issuing access tokens
19 *
20 * @package mod_lti
21 * @copyright 1999 onwards Martin Dougiamas {@link http://moodle.com}
22 * @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
23 */
24
25 define('NO_DEBUG_DISPLAY', true);
26 define('NO_MOODLE_COOKIES', true);
27
28 use Firebase\JWT\JWT as JWT;
29
30 require_once(__DIR__ . '/../../config.php');
31 require_once($CFG->dirroot . '/mod/lti/locallib.php');
32
33
34 $response = new \mod_lti\local\ltiservice\response();
35
36 $contenttype = isset($_SERVER['CONTENT_TYPE']) ? explode(';', $_SERVER['CONTENT_TYPE'], 2)[0] : '';
37
38 $ok = ($_SERVER['REQUEST_METHOD'] === 'POST') && ($contenttype === 'application/x-www-form-urlencoded');
39 $error = 'invalid_request';
40
41 $clientassertion = optional_param('client_assertion', '', PARAM_TEXT);
42 $clientassertiontype = optional_param('client_assertion_type', '', PARAM_TEXT);
43 $granttype = optional_param('grant_type', '', PARAM_TEXT);
44 $scope = optional_param('scope', '', PARAM_TEXT);
45
46 if ($ok) {
47 $ok = !empty($clientassertion) && !empty($clientassertiontype) &&
48 !empty($granttype) && !empty($scope);
49 }
50
51 if ($ok) {
52 $ok = ($clientassertiontype === 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer') &&
53 ($granttype === 'client_credentials');
54 $error = 'unsupported_grant_type';
55 }
56
57 if ($ok) {
58 $parts = explode('.', $clientassertion);
59 $ok = (count($parts) === 3);
60 if ($ok) {
61 $payload = JWT::urlsafeB64Decode($parts[1]);
62 $claims = json_decode($payload, true);
63 $ok = !is_null($claims) && !empty($claims['sub']);
64 }
65 $error = 'invalid_request';
66 }
67
68 if ($ok) {
69 $error = 'invalid_client';
70 $tool = $DB->get_record('lti_types', array('clientid' => $claims['sub']));
71 if ($tool) {
72 $typeconfig = lti_get_type_config($tool->id);
73 if (!empty($typeconfig['publickey'])) {
74 try {
75 $jwt = JWT::decode($clientassertion, $typeconfig['publickey'], array('RS256'));
76 $ok = true;
77 } catch (Exception $e) {
78 $ok = false;
79 }
80 }
81 } else {
82 $ok = false;
83 }
84 }
85
86 if ($ok) {
87 $scopes = array();
88 $requestedscopes = explode(' ', $scope);
89 $permittedscopes = lti_get_permitted_service_scopes($tool, $typeconfig);
90 $scopes = array_intersect($requestedscopes, $permittedscopes);
91 $ok = !empty($scopes);
92 $error = 'invalid_scope';
93 }
94
95 if ($ok) {
96 $token = lti_new_access_token($tool->id, $scopes);
97 $expiry = LTI_ACCESS_TOKEN_LIFE;
98 $permittedscopes = implode(' ', $scopes);
99 $body = <<< EOD
100 {
101 "access_token" : "{$token->token}",
102 "token_type" : "Bearer",
103 "expires_in" : {$expiry},
104 "scope" : "{$permittedscopes}"
105 }
106 EOD;
107 } else {
108 $response->set_code(400);
109 $body = <<< EOD
110 {
111 "error" : "{$error}"
112 }
113 EOD;
114 }
115
116 $response->set_body($body);
117
118 $response->send();
Read-only mirror of the Moodle CVS