Create endpoint for public LTI JWKs (#2235)

* Filters out duplicate user * show warning message * try to test on nightly * fix error creation * remove auth requirement from tool_keys * update endpoints for jwks * Revert "Filters out duplicate user" This reverts commit 234f8e3. * Revert "show warning message" This reverts commit 2fb8c46. * fix skip_before_action --------- Co-authored-by: coder6583 <[email protected]>
autolab · Oct 8, 2024 · 9324880 · 9324880
1 parent 42b4a75
commit 9324880
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 1 deletion.
diff --git a/app/controllers/lti_launch_controller.rb b/app/controllers/lti_launch_controller.rb
@@ -4,7 +4,7 @@ class LtiLaunchController < ApplicationController
   skip_before_action :authorize_user_for_course
   skip_before_action :update_persistent_announcements
   skip_before_action :authenticate_for_action
-
+  skip_before_action :authenticate_user!, only: [:launch, :oidc_login, :jwks]
   # have to do because we are making a POST request from Canvas
   skip_before_action :verify_authenticity_token
 
@@ -236,6 +236,31 @@ def launch
     )
   end
 
+  # public endpoint to return our public JWKs for LTI authentication
+  def jwks
+    unless File.size?("#{Rails.configuration.config_location}/lti_tool_jwk.json")
+      raise LtiError, "No JWK found on Autolab"
+    end
+
+    jwk_json = File.read("#{Rails.configuration.config_location}/lti_tool_jwk.json")
+    begin
+      jwk_hash = JSON.parse(jwk_json)
+    rescue JSON::ParserError => e
+      Rails.logger.error("Error Parsing JWK JSON: #{e}")
+      raise LtiError, "Error parsing Autolab JWK file"
+    end
+
+    # import could fail b/c we only support one key, not multiple
+    begin
+      tool_JWK_keypair = JWT::JWK.import(jwk_hash)
+    rescue StandardError => e
+      Rails.logger.error("Error importing private JWK: #{e}")
+      raise LtiError, "Error parsing Autolab JWK file as keypair"
+    end
+
+    render json: JWT::JWK::Set.new(tool_JWK_keypair).export
+  end
+
   # LTI launch entrypoint to initiate open id connect login
   # build our authentication response and redirect back to
   # platform

diff --git a/config/routes.rb b/config/routes.rb
@@ -6,6 +6,7 @@
     get 'lti_launch/oidc_login', to: "lti_launch#oidc_login"
     post 'lti_launch/launch', to: "lti_launch#launch"
     get 'lti_launch/launch', to: "lti_launch#launch"
+    get 'lti_launch/jwks', to: "lti_launch#jwks"
     post 'lti_nrps/sync_roster', to: "lti_nrps#sync_roster"
   get 'lti_config/index', to: "lti_config#index"
   post 'github_config/update_config', to: "github_config#update_config"