Merge pull request #2787 from drgrice1/lti-1.3-debug-hotfix

Alex-Jordan · web-flow · commit 3f8d5a6fb5d7 · 2025-08-20T23:16:33.000-07:00
Add an LTI 1.3 debug log in the case that the JWT fails to decode on a launch request. (hotfix version)
diff --git a/conf/authen_LTI_1_3.conf.dist b/conf/authen_LTI_1_3.conf.dist
@@ -116,6 +116,19 @@ $LTI{v1p3}{AuthReqURL}      = '';
 # don't pile up in the database.
 $LTI{v1p3}{StateKeyLifetime} = 60;    # in seconds
 
+# When a LTI 1.3 launch request occurs the JWT in the request is decoded and the exp and iat in
+# the token are validated.  The expectation is that the iat and exp values are before (less
+# than) the current time on the webwork2 server plus the JWTLeeway, and if they are greater than
+# the current time plus the JWTLeeway then the JWT fails to validate.  So the JWTLeeway is the
+# maximum allowed time in seconds that the exp and iat values in the token are allowed to be
+# after the current time.  If the JWTs in these launch requests are failing to validate, then
+# increase this value to allow for a larger difference between the exp and iat values in the JWT
+# and the current time. This is usually caused by the clock on the LMS server being ahead of the
+# clock on the webwork2 server.  Generally, a small leeway may be needed, but if the clock on
+# the LMS server is too far ahead of the clock on the webwork2 server, then steps should be
+# taken to synchronize the clocks.
+$LTI{v1p3}{JWTLeeway} = 0;    # in seconds
+
 ################################################################################################
 # LTI 1.3 LMS Roles Mapped to WeBWorK Roles
 ################################################################################################
diff --git a/lib/WeBWorK/ContentGenerator/LTIAdvantage.pm b/lib/WeBWorK/ContentGenerator/LTIAdvantage.pm
@@ -161,6 +161,8 @@ sub launch ($c) {
 					$c->stash->{lti_jwt_claims}{'https://purl.imsglobal.org/spec/lti/claim/context'}{id}
 				]
 			];
+		} elsif ($c->stash->{LTIAuthenError}) {
+			debug($c->stash->{LTIAuthenError});
 		}
 		return $c->render(
 			'ContentGenerator/LTI/content_item_selection_error',
@@ -365,6 +367,7 @@ sub extract_jwt_claims ($c) {
 		verify_aud => $ce->{LTI}{v1p3}{ClientID},
 		verify_iat => 1,
 		verify_exp => 1,
+		leeway     => $ce->{LTI}{v1p3}{JWTLeeway} // 0,
 		# This just checks that this claim is present.
 		verify_sub => sub ($value) { return $value =~ /\S/ }
 	);
