LTI provider : Allow jwks url instead of public key - refs BT#20450

plugin/lti_provider/LtiProviderPlugin.php

@@ -18,6 +18,7 @@ class LtiProviderPlugin extends Plugin
     public const LAUNCH_PATH = 'lti_provider/tool/start.php';
     public const LOGIN_PATH = 'lti_provider/tool/login.php';
     public const REDIRECT_PATH = 'lti_provider/tool/start.php';
+    public const JWKS_URL = 'lti_provider/tool/jwks.php';
 
     public $isAdminPlugin = true;
 
@@ -54,6 +55,11 @@ class LtiProviderPlugin extends Plugin
                 'redirect_url',
                 api_get_path(WEB_PLUGIN_PATH).self::REDIRECT_PATH
             );
+            $jwksUrlHtml = $this->getSettingHtmlReadOnly(
+                $this->get_lang('KeySetUrlJwks'),
+                'jwks_url',
+                api_get_path(WEB_PLUGIN_PATH).self::JWKS_URL
+            );
         } else {
             $pkHtml = $this->get_lang('GenerateKeyPairInfo');
         }
@@ -64,6 +70,7 @@ class LtiProviderPlugin extends Plugin
             $launchUrlHtml => 'html',
             $loginUrlHtml => 'html',
             $redirectUrlHtml => 'html',
+            $jwksUrlHtml => 'html',
             $pkHtml => 'html',
             'enabled' => 'boolean',
         ];

plugin/lti_provider/lang/english.php

@@ -31,3 +31,4 @@ $strings['PlatformConnectionAdded'] = 'A platform connection has been added.';
 $strings['ToolProvider'] = 'Provider tool';
 $strings['SelectOneActivity'] = 'Select one activity';
 $strings['Quizzes'] = 'Exercises';
+$strings['KeySetUrlJwks'] = 'Keyset url (jwks)';

plugin/lti_provider/lang/french.php

@@ -29,3 +29,4 @@ $strings['PlatformConnectionAdded'] = 'La nouvelle connexion inter-plateforme a
 $strings['ToolProvider'] = 'Outil fournisseur';
 $strings['SelectOneActivity'] = 'Sélectionnez une activité';
 $strings['Quizzes'] = 'Exercices';
+$strings['KeySetUrlJwks'] = 'Keyset url (jwks)';

plugin/lti_provider/lang/spanish.php

@@ -31,3 +31,4 @@ $strings['PlatformConnectionAdded'] = 'Se agrega una conexión de plataforma.';
 $strings['ToolProvider'] = 'Herramienta del proveedor';
 $strings['SelectOneActivity'] = 'Selecccione una actividad';
 $strings['Quizzes'] = 'Ejercicios';
+$strings['KeySetUrlJwks'] = 'Clave url (jwks)';

plugin/lti_provider/provider_settings.php

@@ -24,7 +24,10 @@ $name = api_get_plugin_setting('lti_provider', 'name');
 $launchUrl = api_get_plugin_setting('lti_provider', 'launch_url');
 $loginUrl = api_get_plugin_setting('lti_provider', 'login_url');
 $redirectUrl = api_get_plugin_setting('lti_provider', 'redirect_url');
-$publicKey = $plugin->getPublicKey();
+$jwksUrl = api_get_plugin_setting('lti_provider', 'jwks_url');
+if (empty($jwksUrl)) {
+    $jwksUrl = api_get_path(WEB_PLUGIN_PATH).LtiProviderPlugin::JWKS_URL;
+}
 
 try {
     if ($enabled !== 'true') {
@@ -44,8 +47,8 @@ try {
         .'<div class="col-xs-10">'.$redirectUrl.'</div>'
         .'</div>'
         .'<div class="row">'
-        .'<div class="col-xs-2 text-right"><strong>'.$plugin->get_lang('PublicKey').'</strong></div>'
-        .'<div class="col-xs-10"><pre>'.$publicKey.'</pre></div>'
+        .'<div class="col-xs-2 text-right"><strong>'.$plugin->get_lang('KeySetUrlJwks').'</strong></div>'
+        .'<div class="col-xs-10">'.$jwksUrl.'</div>'
         .'</div>';
 
     $response->setContent($html);

plugin/lti_provider/tool/jwks.php

@@ -0,0 +1,49 @@
+<?php
+/* For licensing terms, see /license.txt */
+
+use Chamilo\PluginBundle\Entity\LtiProvider\PlatformKey;
+use Firebase\JWT\JWT;
+use phpseclib\Crypt\RSA;
+
+$cidReset = true;
+
+require_once __DIR__.'/../../../main/inc/global.inc.php';
+
+$plugin = LtiProviderPlugin::create();
+
+if ('true' !== $plugin->get('enabled')) {
+    exit;
+}
+
+/** @var PlatformKey $platformKey */
+$platformKey = Database::getManager()
+    ->getRepository('ChamiloPluginBundle:LtiProvider\PlatformKey')
+    ->findOneBy([]);
+
+if (!$platformKey) {
+    exit;
+}
+
+$privateKey = $platformKey->getPrivateKey();
+
+$jwks = [];
+
+$key = new RSA();
+$key->setHash('sha256');
+$key->loadKey($platformKey->getPrivateKey());
+$key->setPublicKey(false, RSA::PUBLIC_FORMAT_PKCS8);
+
+if ($key->publicExponent) {
+    $jwks = [
+        'kty' => 'RSA',
+        'alg' => 'RS256',
+        'use' => 'sig',
+        'e' => JWT::urlsafeB64Encode($key->publicExponent->toBytes()),
+        'n' => JWT::urlsafeB64Encode($key->modulus->toBytes()),
+        'kid' => $platformKey->getKid(),
+    ];
+}
+
+header('Content-Type: application/json');
+
+echo json_encode(['keys' => [$jwks]]);