Commit Graph

6 Commits

Author SHA1 Message Date
Marc Phillips efdba8d77c Add client_credentials grant_type
OAuth 2.0 client_credentials grant_type is added as a means
to support LTI Advantage services. Will accept only the
client_assertion_type of jwt-bearer and returns a JWS as
the access token. LTI services using the jws will be able to
authenticate, but other api endpoints will fail when using
this jwt.

closes PLAT-3659

Test Plan:
 - Create an oauth 2.0 request using a jwt signed by a
   developer key
 - Request should be validated and return a jwt with
   the correct scopes

Change-Id: I786b71e39f8d3c2c9c71aa3eff4ea490f6d56285
Reviewed-on: https://gerrit.instructure.com/161245
Tested-by: Jenkins
QA-Review: Weston Dransfield <wdransfield@instructure.com>
Reviewed-by: Weston Dransfield <wdransfield@instructure.com>
Product-Review: Marc Alan Phillips <mphillips@instructure.com>
2018-09-10 17:07:05 +00:00
wdransfield 59942f4ff8 LTI 1.3: Add security claims and sign with Canvas private key
Closes PLAT-3633, PLAT-3634

Test Plan:
- Do an LTI 1.3 launch in Canvas and verify the id token is
  signed with the current canvas secret key.
- Verify the following claims are included and correct:
  * exp
  * iat
  * iss
  * nonce
  * sub

Change-Id: I57699ac42bbe98a9fa03f82f3f9b9a16c6923011
Reviewed-on: https://gerrit.instructure.com/159855
Tested-by: Jenkins
Reviewed-by: Marc Alan Phillips <mphillips@instructure.com>
QA-Review: Marc Alan Phillips <mphillips@instructure.com>
Product-Review: Marc Alan Phillips <mphillips@instructure.com>
2018-08-09 21:33:03 +00:00
Brad Horrocks a68546060f Use key for hashing tokens
Good thing we haven't rotated any keys.

Fixes PLAT-1237

Test Plan:
- Create an access token
- Rotate encryption_key by editing security.yml, and moving
  encryption_key to previous_encryption_keys, and create a new
  encryption_keys
- Make sure your access token is still valid

Change-Id: I485830dcb39f845bf78c2cc83a01c0e0f2b866e8
Reviewed-on: https://gerrit.instructure.com/63045
Reviewed-by: Cody Cutrer <cody@instructure.com>
Tested-by: Jenkins
QA-Review: August Thornton <august@instructure.com>
Product-Review: Brad Horrocks <bhorrocks@instructure.com>
2015-09-15 16:20:35 +00:00
Brian Palmer 6aa6db8610 spec: fix some travis spec errors
Attempt to fix our sis batch tempfile usage, which wasn't compatible
with the travis environment.

Found more SAML specs to mark as pending when SAML isn't enabled.

Use webmock instead of our own home-grown solution, since Travis
enforces webmock.

Select only the users we're interested in sorting, to remove dependency
on empty db.

refs CNVS-10467

Change-Id: Icf9b093c6cc4a6b7b19da9dd2abab9f39457f817
Reviewed-on: https://gerrit.instructure.com/28949
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Cody Cutrer <cody@instructure.com>
Product-Review: Brian Palmer <brianp@instructure.com>
QA-Review: Brian Palmer <brianp@instructure.com>
2014-01-21 19:17:39 +00:00
Brian Palmer ef58f6d48c add long enough security.yml for test env
Change-Id: I4baf75daa50c2caec223f73c05d3fc9371c6a0af
Signed-off-by: Stephan Hagemann <stephan.hagemann@instructure.com>
Reviewed-on: https://gerrit.instructure.com/28634
Product-Review: Bryan Madsen <bryan@instructure.com>
Reviewed-by: Bryan Madsen <bryan@instructure.com>
QA-Review: Bryan Madsen <bryan@instructure.com>
Tested-by: Jenkins <jenkins@instructure.com>
2014-01-15 23:06:03 +00:00
Brian Whitmer 8b8173dcc9 Initial commit.
closes #6988138
2011-01-31 18:57:29 -07:00