Create endpoint for public LTI JWKs

[20wildmanj]

Description

Create a way for other LTI providers to discover LTI's public JWKs so that they don't need to be manually uploaded to the tool provider, which simplifies setup and makes switching out the JWT convenient.

documentation to be updated after we update the canvas flow / other LTI changes.

Motivation and Context

Part of upgrades to support better LTI integration with Canvas. This should also make setting up Autolab on Canvas easier.

There is now a public endpoint /lti_launch/jwks to support querying Autolab for its public JWKs.

How Has This Been Tested?

This testing was done on Nightly since it seems that the LTI testing tool really doesn't like http requests for making a request to get the public JWK.

Use the following platform: https://lti-ri.imsglobal.org/platforms/5276

Verify that platform has correct JWK url:

Use the following configuration:

Upload whatever JWK keypair you want on nightly. Then go to the following link:
https://nightly.autolabproject.com/lti_launch/jwks

See that you see the public JWK (not the private one):

Also see that you can be logged out and still view the JWK (as it should be public-facing)

Then try synchronizing the course roster here (for now the LTI link is here): https://nightly.autolabproject.com/courses/hackingsession-david/users

See that link succeeds

Types of changes

• New feature (non-breaking change which adds functionality)

Checklist:

• I have run rubocop and erblint for style check. If you haven't, run overcommit --install && overcommit --sign to use pre-commit hook for linting
• My change requires a change to the documentation, which is located at Autolab Docs

[coderabbitai]

📝 Walkthrough

Walkthrough

The pull request introduces changes to the LtiLaunchController and the routing configuration for the Rails application. A new method jwks is added to the controller, which allows retrieval of public JSON Web Keys (JWKs) without user authentication for specific actions. Additionally, a new route is defined to handle GET requests for the jwks action, enabling access to this functionality through the /lti_launch/jwks endpoint.

Changes

File	Change Summary
app/controllers/lti_launch_controller.rb	Added skip_before_action for launch, oidc_login, and jwks actions; introduced jwks method for JWK retrieval.
config/routes.rb	Added route get 'lti_launch/jwks', to: "lti_launch#jwks" to handle requests to the new endpoint.

Possibly related PRs

• Update LTI documentation to correct URLs for redirect #2184: The changes in this PR involve updating URLs related to LTI integration, which may be relevant to the new jwks endpoint added in the main PR, as both are part of the LTI authentication flow.

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 0

🧹 Outside diff range and nitpick comments (2)

config/routes.rb (1)

Line range hint 1-214: Consider namespacing LTI routes in the future.

While the current implementation is correct and consistent, as you continue to expand LTI functionality, it might be beneficial to consider grouping all LTI-related routes under a namespace in the future. This could improve organization and maintainability as the number of LTI routes grows. For example:

namespace :lti do
  get 'launch/jwks', to: "launch#jwks"
  post 'launch/oidc_login', to: "launch#oidc_login"
  get 'launch/oidc_login', to: "launch#oidc_login"
  post 'launch/launch', to: "launch#launch"
  get 'launch/launch', to: "launch#launch"
  post 'nrps/sync_roster', to: "nrps#sync_roster"
end

This is not a critical change for the current PR but could be considered for future refactoring.

app/controllers/lti_launch_controller.rb (1)

239-262: LGTM with suggestions for improvement.

The jwks method successfully implements the core functionality of returning public JWKs for LTI authentication. It includes proper error handling and logging, which is commendable.

Consider the following improvements:

1. Replace File.size? with File.exist? for checking file existence:

-unless File.size?("#{Rails.configuration.config_location}/lti_tool_jwk.json")
+unless File.exist?("#{Rails.configuration.config_location}/lti_tool_jwk.json")

2. Implement caching to improve performance for frequent requests:

def jwks
  Rails.cache.fetch("lti_jwks", expires_in: 1.hour) do
    # Existing implementation here
  end
end

3. Consider moving the file path to a constant or configuration variable for easier maintenance:

LTI_TOOL_JWK_PATH = "#{Rails.configuration.config_location}/lti_tool_jwk.json"

These changes will enhance the method's performance and maintainability.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between be48fe4 and b6450cf.

📒 Files selected for processing (2)

• app/controllers/lti_launch_controller.rb (2 hunks)
• config/routes.rb (1 hunks)

🔇 Additional comments (4)

config/routes.rb (2)

9-9: LGTM: New route for LTI JWKs endpoint added correctly.

The new route get 'lti_launch/jwks', to: "lti_launch#jwks" is well-placed and correctly implemented. It aligns perfectly with the PR objective of creating an endpoint for public LTI JWKs. The route follows RESTful conventions, maintains consistency with existing LTI routes, and adheres to Rails naming conventions.

---

Line range hint 1-214: New route integrates well with existing structure.

The addition of the new route for LTI JWKs is well-integrated into the existing routing structure. It maintains consistency with other LTI-related routes and doesn't disrupt the overall organization of the routes file. This minimal impact approach is commendable as it reduces the risk of unintended side effects on other parts of the application.

app/controllers/lti_launch_controller.rb (2)

Line range hint 1-362: Overall, the changes successfully implement the PR objectives.

The modifications to the LtiLaunchController effectively introduce the new public endpoint for JWKs and adjust the authentication flow as required. The implementation includes proper error handling and logging, which is crucial for maintainability and debugging.

A few minor suggestions have been made to improve performance and adhere to Ruby best practices. Once these are addressed, the code will be in excellent shape.

Don't forget to update the documentation as mentioned in the PR description, particularly regarding the changes to the Canvas flow and other LTI-related modifications.

---

7-7: LGTM, but consider security implications.

The addition of skip_before_action :authenticate_user! for the launch, oidc_login, and jwks actions aligns with the PR objectives. It allows external LTI providers to access the public JWKs without authentication.

However, to ensure security, please verify that these actions don't expose any sensitive information or operations. Consider implementing rate limiting or other security measures to prevent potential abuse of these endpoints.

✅ Verification successful

Security implications verified

The launch, oidc_login, and jwks actions handle errors appropriately without exposing sensitive information. The use of generic LtiError messages ensures that internal details remain concealed.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for any sensitive information or operations in the specified actions

# Test: Search for potential sensitive operations in the launch, oidc_login, and jwks methods
rg --type ruby -A 10 -B 10 'def (launch|oidc_login|jwks)' app/controllers/lti_launch_controller.rb

Length of output: 2781

[coder6583]

LGTM!