Unnecessary client_id in the jkws url

Created on 19 April 2024, 8 months ago

Problem/Motivation

At this moment, a new registration needs to select one key and then a link to the jwks is generated that includes the client_id as query string parameter in the URL.

This implies that to send the information to the LMS about the configuration of the Drupal tool, we need to know the client_id, and we can't know the client_id until they create a tool deployment on their side and to do that they need the jwks url.

A second issue is that the client_id is not unique, so you could have two registrations with the same client_id. That would generate an issue when getting the key.

Steps to reproduce

Just look at the URL for the jwks endpoint that is generated.

Proposed resolution

The usual practice to deal with the jwks endpoint is the same url for every client_id. If we want to have a different key per client_id we will need to publish all the public keys on that url and use the KID to find the right one. Although this is not needed at all. If that is done, a unique KID must be generated, surely including not only the client_id, but the issuer and the deployment_id. Or it could be just one key for all the LTI registrations (as most of the tools do) and avoid this problem completely making it not dependant on the registration.

Remaining tasks

User interface changes

API changes

Data model changes

🐛 Bug report
Status

Active

Version

2.0

Component

Code

Created by

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

Production build 0.71.5 2024