LTI13Authenticator does not set required routes

Question

LTI13Authenticator does not set required routes

martinclaus opened this issue a year ago · comments

Bug description

According to the response of hub/lti13/config, there should be the following routes with handlers defined:

hub/oauth_login: LTI13LoginHandler
hub/lti13/jkws: LTI13JWKSHandler
and additionally, for the login flow to work, there needs to be hub/oauth_callback handled by LTI13CallbackHandler.
All these endpoints currently return a 404: Not found and starting a userserver from an LMS via LTI 1.3 is not possible.

IMHO, the culprit is LTI13Authenticator.get_handlers which overrides its superclass equivalent where /hub/oauth_login and /hub/oauth_callback are set.

I have patched the method to include the superclass logic and that fixed the issue. Note that I did not include the JWKS endpoint since it does not seem to be necessary.

I am happy to provide a pull request.

Expected behaviour

Userserver should start after successful authentication by LMS via LTI 1.3 login flow.

Actual behaviour

Since the required routes are not set, a 404 is returned from hub/oauth_login

Your personal set up

Version(s):
- ltiauthenticator 1.3.0
- zero-to-jupyterhub 1.2.0 on on-premise Kubernetes cluster
- Jupyterhub: jupyterhub/k8s-hub:1.2.0 but with ltiauthenticator 1.3.0

Full environment

# Jupyterhub environment
alembic==1.6.5
async-generator==1.10
attrs==21.2.0
bcrypt==3.2.0
cachetools==4.2.2
certifi==2021.5.30
certipy==0.1.3
cffi==1.14.5
chardet==4.0.0
cryptography==3.4.7
Deprecated==1.2.13
entrypoints==0.3
escapism==1.0.1
future==0.18.2
google-auth==1.31.0
greenlet==1.1.0
idna==2.10
ipython-genutils==0.2.0
Jinja2==3.0.1
josepy==1.13.0
jsonschema==3.2.0
jupyter-telemetry==0.1.0
jupyterhub==1.5.0
jupyterhub-firstuseauthenticator==1.0.0
jupyterhub-hmacauthenticator==1.0
jupyterhub-idle-culler==1.1
jupyterhub-kubespawner==1.1.0
jupyterhub-ldapauthenticator==1.3.2
jupyterhub-ltiauthenticator==1.3.0
jupyterhub-nativeauthenticator==0.0.7
jupyterhub-tmpauthenticator==0.6
jwcrypto==1.3.1
kubernetes==17.17.0
ldap3==2.9
Mako==1.1.4
MarkupSafe==2.0.1
mwoauth==0.3.7
nullauthenticator==1.0.0
oauthenticator==14.2.0
oauthlib==3.1.1
onetimepass==1.0.1
pamela==1.0.0
pem==21.2.0
prometheus-client==0.11.0
psycopg2-binary==2.9.1
py-spy==0.3.8
pyasn1==0.4.8
pyasn1-modules==0.2.8
pycparser==2.20
pycryptodome==3.14.1
pycryptodomex==3.14.1
pycurl==7.44.1
pyjwkest==1.4.2
PyJWT==1.7.1
PyMySQL==1.0.2
pyOpenSSL==20.0.1
pyrsistent==0.17.3
python-dateutil==2.8.1
python-editor==1.0.4
python-json-logger==2.0.1
python-slugify==5.0.2
PyYAML==5.4.1
requests==2.25.1
requests-oauthlib==1.3.0
rsa==4.7.2
ruamel.yaml==0.17.9
ruamel.yaml.clib==0.2.2
six==1.16.0
SQLAlchemy==1.4.18
sqlalchemy-cockroachdb==1.4.0
statsd==3.3.0
text-unidecode==1.3
tornado==6.1
traitlets==5.0.5
urllib3==1.26.5
websocket-client==1.1.0
wrapt==1.14.1

Configuration

hub:
  config:
    JupyterHub:
      authenticator_class: ltiauthenticator.lti13.auth.LTI13Authenticator
    LTI13Authenticator:
      username_key:  "lms_user_id"
      authorize_url: "https://saltire.lti.app/platform/auth"
      client_id: "saltire.lti.app"
      endpoint: "https://<MY_HUB>/hub/lti13/jwks"
      # The LTI 1.3 token url used to validate JWT signatures
      token_url: "https://saltire.lti.app/platform/token/##########################"
  extraEnv:
    LTI13_PRIVATE_KEY: "FULL_PATH_TO_PRIVATE_KEY_PEM"

Logs

welcome · Answer 1 · Tue Feb 07 2023 21:25:57 GMT+0800 (China Standard Time)

Thank you for opening your first issue in this project! Engagement like this is essential for open source projects! 🤗

If you haven't done so already, check out Jupyter's Code of Conduct. Also, please try to follow the issue template as it helps other other community members to contribute more effectively.

You can meet the other Jovyans by joining our Discourse forum. There is also an intro thread there where you can stop by and say Hi! 👋

Welcome to the Jupyter community! 🎉

Erik Sundell · Answer 2 · Mon Feb 20 2023 18:40:32 GMT+0800 (China Standard Time)

@martinclaus thank you soo much for your work on this!!!

Is it correct that you understand the LTI13Authenticator to be broken in its released state, and that its likeley not configured to be used by active jupyterhub installations?

I'm asking as that helps estimate the consequences of a failure to validate passed JWT tokens as patched in 7b533f7 and published soon with associated GHSA/CVE. It has stressed me out quite a bit, so I'd be significantly relaxed knowing that this wasn't functionally used anyhow.

Martin Claus · Answer 3 · Mon Feb 20 2023 19:03:39 GMT+0800 (China Standard Time)

IMO, this renders the LTI13Authenticator broken in v1.3.0 which is the first tag including LTI 1.3 authentication. The breaking change has been introduced in f9dbba0.

Erik Sundell · Answer 4 · Mon Feb 20 2023 19:09:39 GMT+0800 (China Standard Time)

Closed by #124 right?