LTI13Authenticator does not set required routes
martinclaus opened this issue · comments
Bug description
According to the response of hub/lti13/config
, there should be the following routes with handlers defined:
hub/oauth_login
:LTI13LoginHandler
hub/lti13/jkws
:LTI13JWKSHandler
and additionally, for the login flow to work, there needs to behub/oauth_callback
handled byLTI13CallbackHandler
.
All these endpoints currently return a404: Not found
and starting a userserver from an LMS via LTI 1.3 is not possible.
IMHO, the culprit is LTI13Authenticator.get_handlers
which overrides its superclass equivalent where /hub/oauth_login
and /hub/oauth_callback
are set.
I have patched the method to include the superclass logic and that fixed the issue. Note that I did not include the JWKS endpoint since it does not seem to be necessary.
I am happy to provide a pull request.
Expected behaviour
Userserver should start after successful authentication by LMS via LTI 1.3 login flow.
Actual behaviour
Since the required routes are not set, a 404
is returned from hub/oauth_login
Your personal set up
- Version(s):
- ltiauthenticator 1.3.0
- zero-to-jupyterhub 1.2.0 on on-premise Kubernetes cluster
- Jupyterhub:
jupyterhub/k8s-hub:1.2.0
but with ltiauthenticator 1.3.0
Full environment
# Jupyterhub environment
alembic==1.6.5
async-generator==1.10
attrs==21.2.0
bcrypt==3.2.0
cachetools==4.2.2
certifi==2021.5.30
certipy==0.1.3
cffi==1.14.5
chardet==4.0.0
cryptography==3.4.7
Deprecated==1.2.13
entrypoints==0.3
escapism==1.0.1
future==0.18.2
google-auth==1.31.0
greenlet==1.1.0
idna==2.10
ipython-genutils==0.2.0
Jinja2==3.0.1
josepy==1.13.0
jsonschema==3.2.0
jupyter-telemetry==0.1.0
jupyterhub==1.5.0
jupyterhub-firstuseauthenticator==1.0.0
jupyterhub-hmacauthenticator==1.0
jupyterhub-idle-culler==1.1
jupyterhub-kubespawner==1.1.0
jupyterhub-ldapauthenticator==1.3.2
jupyterhub-ltiauthenticator==1.3.0
jupyterhub-nativeauthenticator==0.0.7
jupyterhub-tmpauthenticator==0.6
jwcrypto==1.3.1
kubernetes==17.17.0
ldap3==2.9
Mako==1.1.4
MarkupSafe==2.0.1
mwoauth==0.3.7
nullauthenticator==1.0.0
oauthenticator==14.2.0
oauthlib==3.1.1
onetimepass==1.0.1
pamela==1.0.0
pem==21.2.0
prometheus-client==0.11.0
psycopg2-binary==2.9.1
py-spy==0.3.8
pyasn1==0.4.8
pyasn1-modules==0.2.8
pycparser==2.20
pycryptodome==3.14.1
pycryptodomex==3.14.1
pycurl==7.44.1
pyjwkest==1.4.2
PyJWT==1.7.1
PyMySQL==1.0.2
pyOpenSSL==20.0.1
pyrsistent==0.17.3
python-dateutil==2.8.1
python-editor==1.0.4
python-json-logger==2.0.1
python-slugify==5.0.2
PyYAML==5.4.1
requests==2.25.1
requests-oauthlib==1.3.0
rsa==4.7.2
ruamel.yaml==0.17.9
ruamel.yaml.clib==0.2.2
six==1.16.0
SQLAlchemy==1.4.18
sqlalchemy-cockroachdb==1.4.0
statsd==3.3.0
text-unidecode==1.3
tornado==6.1
traitlets==5.0.5
urllib3==1.26.5
websocket-client==1.1.0
wrapt==1.14.1
Configuration
hub:
config:
JupyterHub:
authenticator_class: ltiauthenticator.lti13.auth.LTI13Authenticator
LTI13Authenticator:
username_key: "lms_user_id"
authorize_url: "https://saltire.lti.app/platform/auth"
client_id: "saltire.lti.app"
endpoint: "https://<MY_HUB>/hub/lti13/jwks"
# The LTI 1.3 token url used to validate JWT signatures
token_url: "https://saltire.lti.app/platform/token/##########################"
extraEnv:
LTI13_PRIVATE_KEY: "FULL_PATH_TO_PRIVATE_KEY_PEM"
Logs
Thank you for opening your first issue in this project! Engagement like this is essential for open source projects! 🤗
If you haven't done so already, check out Jupyter's Code of Conduct. Also, please try to follow the issue template as it helps other other community members to contribute more effectively.
You can meet the other Jovyans by joining our Discourse forum. There is also an intro thread there where you can stop by and say Hi! 👋
Welcome to the Jupyter community! 🎉
@martinclaus thank you soo much for your work on this!!!
Is it correct that you understand the LTI13Authenticator to be broken in its released state, and that its likeley not configured to be used by active jupyterhub installations?
I'm asking as that helps estimate the consequences of a failure to validate passed JWT tokens as patched in 7b533f7 and published soon with associated GHSA/CVE. It has stressed me out quite a bit, so I'd be significantly relaxed knowing that this wasn't functionally used anyhow.
IMO, this renders the LTI13Authenticator
broken in v1.3.0
which is the first tag including LTI 1.3 authentication. The breaking change has been introduced in f9dbba0.
Closed by #124 right?