Search moodle.org's
Developer Documentation

See Release Notes

  • Bug fixes for general core bugs in 4.2.x will end 22 April 2024 (12 months).
  • Bug fixes for security issues in 4.2.x will end 7 October 2024 (18 months).
  • PHP version: minimum PHP 8.0.0 Note: minimum PHP version has increased since Moodle 4.1. PHP 8.1.x is supported too.
   1  <?php
   2  // This file is part of Moodle - http://moodle.org/
   3  //
   4  // Moodle is free software: you can redistribute it and/or modify
   5  // it under the terms of the GNU General Public License as published by
   6  // the Free Software Foundation, either version 3 of the License, or
   7  // (at your option) any later version.
   8  //
   9  // Moodle is distributed in the hope that it will be useful,
  10  // but WITHOUT ANY WARRANTY; without even the implied warranty of
  11  // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  12  // GNU General Public License for more details.
  13  //
  14  // You should have received a copy of the GNU General Public License
  15  // along with Moodle.  If not, see <http://www.gnu.org/licenses/>.
  16  
  17  /**
  18   * LTI 1.3 login endpoint.
  19   *
  20   * See: http://www.imsglobal.org/spec/security/v1p0/#step-1-third-party-initiated-login
  21   *
  22   * This must support both POST and GET methods, as per the spec.
  23   *
  24   * @package    enrol_lti
  25   * @copyright  2021 Jake Dallimore <jrhdallimore@gmail.com
  26   * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
  27   */
  28  
  29  use enrol_lti\local\ltiadvantage\lib\issuer_database;
  30  use enrol_lti\local\ltiadvantage\lib\launch_cache_session;
  31  use enrol_lti\local\ltiadvantage\repository\application_registration_repository;
  32  use enrol_lti\local\ltiadvantage\repository\deployment_repository;
  33  use Packback\Lti1p3\ImsStorage\ImsCookie;
  34  use Packback\Lti1p3\LtiOidcLogin;
  35  
  36  require_once(__DIR__."/../../config.php");
  37  
  38  // Required fields for OIDC 3rd party initiated login.
  39  // See http://www.imsglobal.org/spec/security/v1p0/#step-1-third-party-initiated-login.
  40  // Validate these here, despite further validation in the LTI 1.3 library.
  41  $iss = required_param('iss', PARAM_URL); // Issuer URI of the calling platform.
  42  $loginhint = required_param('login_hint', PARAM_INT); // Platform ID for the person to login.
  43  $targetlinkuri = required_param('target_link_uri', PARAM_URL); // The took launch URL.
  44  
  45  // Optional lti_message_hint. See https://www.imsglobal.org/spec/lti/v1p3#additional-login-parameters-0.
  46  // If found, this must be returned unmodified to the platform.
  47  $ltimessagehint = optional_param('lti_message_hint', null, PARAM_RAW);
  48  
  49  // The target_link_uri param should contain the endpoint that will be executed at the end of the OIDC login process.
  50  // In Moodle, this will either be:
  51  // - enrol/lti/launch.php endpoint (for regular resource link launches) or
  52  // - enrol/lti/launch_deeplink.php endpoint (for deep linking launches)
  53  // Thus, the target_link_uri signifies intent to perform a certain launch type. It can be used to generate the
  54  // redirect_uri param for the auth request but must first be verified, as it is unsigned data at this stage.
  55  // See here: https://www.imsglobal.org/spec/lti/v1p3/impl#verify-the-target_link_uri.
  56  //
  57  // Also note that final redirection to the resource (after the login process is complete) should rely on the
  58  // https://purl.imsglobal.org/spec/lti/claim/target_link_uri claim instead of the target_link_uri value provided here.
  59  // See here: http://www.imsglobal.org/spec/lti/v1p3/#target-link-uri.
  60  $validuris = [
  61      (new moodle_url('/enrol/lti/launch.php'))->out(false), // Resource link launches.
  62      (new moodle_url('/enrol/lti/launch_deeplink.php'))->out(false) // Deep linking launches.
  63  ];
  64  
  65  // This code verifies the target_link_uri. Only two values are permitted (see endpoints listed above).
  66  if (!in_array($targetlinkuri, $validuris)) {
  67      $msg = 'The target_link_uri param must match one of the redirect URIs set during tool registration.';
  68      throw new coding_exception($msg);
  69  }
  70  
  71  // Because client_id is optional, this endpoint receives a param 'id', a unique id generated when creating the registration.
  72  // A registration can thus be located by either the tuple {iss, client_id} (if client_id is provided), or by the tuple {iss, id},
  73  // (if client_id is not provided). See https://www.imsglobal.org/spec/lti/v1p3/#client_id-login-parameter.
  74  global $_REQUEST;
  75  if (empty($_REQUEST['client_id']) && !empty($_REQUEST['id'])) {
  76      $_REQUEST['client_id'] = $_REQUEST['id'];
  77  }
  78  
  79  // Now, do the OIDC login.
  80  LtiOidcLogin::new(
  81      new issuer_database(new application_registration_repository(), new deployment_repository()),
  82      new launch_cache_session(),
  83      new ImsCookie()
  84  )
  85      ->doOidcLoginRedirect($targetlinkuri)
  86      ->doRedirect();