WIP: работа с токеном в рамках LTI 1.3

2025-12-14 19:42:46 +03:00 · 2025-12-14 19:42:46 +03:00 · 0fc9a1f266
parent 6ef83e9511
commit 0fc9a1f266
5 changed files with 161 additions and 6 deletions
--- a/src/main/java/ru/oa2/lti/ApplicationService.java
+++ b/src/main/java/ru/oa2/lti/ApplicationService.java
@ -7,8 +7,10 @@ import ru.oa2.lti.repository.LMSContentRepository;
 import ru.oa2.lti.repository.entities.LMSContent;
 import ru.oa2.lti.repository.entities.Task;
 import ru.oa2.lti.service.jwt.JwtService;
 import ru.oa2.lti.service.jwt.Payload;
 import java.util.Collection;
 import java.util.UUID;
@Service
@Transactional
@ -23,10 +25,13 @@ public class ApplicationService {
        this.lmsContentRepository = lmsContentRepository;
    }
-    public String getTask(LtiLogin ltiLogin) {
+    public Payload getPayload(LtiLogin ltiLogin) {
-        var payload = jwtService.getPayload(ltiLogin.getLoginHint());
+        return jwtService.getPayload(ltiLogin.getLoginHint());
    }
-        var content = lmsContentRepository.getLMSContentByContentId(payload.getContextId());
+    public String getTask(UUID contextId) {
        var content = lmsContentRepository.getLMSContentByContentId(contextId);
        if(content.isPresent()) {
            LMSContent lmsContent = content.get();
--- a/src/main/java/ru/oa2/lti/controller/LoginController.java
+++ b/src/main/java/ru/oa2/lti/controller/LoginController.java
@ -1,5 +1,8 @@
 package ru.oa2.lti.controller;
 import jakarta.servlet.ServletResponse;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpSession;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
@ -7,6 +10,7 @@ import org.springframework.web.bind.annotation.*;
 import org.springframework.web.servlet.mvc.support.RedirectAttributes;
 import ru.oa2.lti.ApplicationService;
 import ru.oa2.lti.model.LtiLogin;
 import ru.oa2.lti.service.jwt.TokenService;
@Slf4j
@Controller
@ -14,9 +18,12 @@ import ru.oa2.lti.model.LtiLogin;
 public class LoginController {
    private final ApplicationService service;
    private final TokenService tokenService;
-    public LoginController(ApplicationService applicationService) {
+    public LoginController(ApplicationService applicationService,
                           TokenService tokenService) {
        this.service = applicationService;
        this.tokenService = tokenService;
    }
    @PostMapping("/login")
@ -26,7 +33,9 @@ public class LoginController {
                        @RequestParam("lti_deployment_id") String ltiDeploymentId,
                        @RequestParam("lti_message_hint") String ltiMessageHint,
                        @RequestParam("target_link_uri") String targetLinkUri,
-                        RedirectAttributes redirectAttributes) {
+                        HttpServletRequest request,
                        RedirectAttributes redirectAttributes,
                        ServletResponse servletResponse) {
        var ltiLogin = LtiLogin.builder()
                .clientId(clientId)
@ -39,8 +48,20 @@ public class LoginController {
       log.info("BODY: {}", ltiLogin);
-       var data = service.getTask(ltiLogin);
+       var payload = service.getPayload(ltiLogin);
       var accessToken = tokenService.exchangeForAccessToken(ltiLogin.getClientId(), "http://openolat.local/lti/token");
        // 4. Сохранить access token в сессии
        HttpSession session = request.getSession();
        session.setAttribute("lti_access_token", accessToken);
        session.setAttribute("lti_context_id", payload.getContextId());
        session.setAttribute("lti_user_id", ltiLogin.getClientId());
       var data = service.getTask(payload.getContextId());
       redirectAttributes.addFlashAttribute("description", data);
       //TODO заполнять из data
       redirectAttributes.addFlashAttribute("codeTitle", "Dockerfile:");
       redirectAttributes.addFlashAttribute("inputCode", "FROM maven:3.9.9-eclipse-temurin-21-jammy AS build\n" +
               "\n" +
--- a/src/main/java/ru/oa2/lti/service/jwt/JwtAssertionGenerator.java
+++ b/src/main/java/ru/oa2/lti/service/jwt/JwtAssertionGenerator.java
@ -0,0 +1,61 @@
 package ru.oa2.lti.service.jwt;
 import com.nimbusds.jose.JWSAlgorithm;
 import com.nimbusds.jose.JWSHeader;
 import com.nimbusds.jose.crypto.RSASSASigner;
 import com.nimbusds.jwt.JWTClaimsSet;
 import com.nimbusds.jwt.SignedJWT;
 import ru.oa2.lti.utils.Keys;
 import java.security.KeyFactory;
 import java.security.interfaces.RSAPrivateKey;
 import java.security.spec.PKCS8EncodedKeySpec;
 import java.util.Base64;
 import java.util.Date;
 import java.util.UUID;
 public class JwtAssertionGenerator {
    private static RSAPrivateKey loadPrivateKey() throws Exception {
        String bodyKeyPEM = Keys.readFile("/home/toxa/study/siil/code/lti-provider/keys/private.pem");
        String privateKeyPEM = bodyKeyPEM
                .replace("-----BEGIN PRIVATE KEY-----", "")
                .replace("-----END PRIVATE KEY-----", "")
                .replaceAll("\\s", "");
        byte[] decoded = Base64.getDecoder().decode(privateKeyPEM);
        PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(decoded);
        KeyFactory kf = KeyFactory.getInstance("RSA");
        return (RSAPrivateKey) kf.generatePrivate(spec);
    }
    public static String generateClientAssertion(
            String clientId,
            String tokenEndpoint,
            String keyId) throws Exception {
        RSAPrivateKey privateKey = loadPrivateKey();
        // Заголовок
        JWSHeader header = new JWSHeader.Builder(JWSAlgorithm.RS256)
                .keyID(keyId)
                .build();
        // Полезная нагрузка
        JWTClaimsSet claimsSet = new JWTClaimsSet.Builder()
                .issuer(clientId)
                .subject(clientId)
                .audience(tokenEndpoint)
                .jwtID(UUID.randomUUID().toString()) // уникален на каждый запрос!
                .issueTime(new Date())
                .expirationTime(new Date(System.currentTimeMillis() + 300_000)) // +5 минут
                .build();
        SignedJWT signedJWT = new SignedJWT(header, claimsSet);
        signedJWT.sign(new RSASSASigner(privateKey));
        return signedJWT.serialize();
    }
 }
--- a/src/main/java/ru/oa2/lti/service/jwt/TokenService.java
+++ b/src/main/java/ru/oa2/lti/service/jwt/TokenService.java
@ -0,0 +1,56 @@
 package ru.oa2.lti.service.jwt;
 import org.springframework.http.*;
 import org.springframework.stereotype.Service;
 import org.springframework.util.LinkedMultiValueMap;
 import org.springframework.util.MultiValueMap;
 import org.springframework.web.client.RestTemplate;
 import java.util.Map;
@Service
 public class TokenService {
    private final RestTemplate restTemplate = new RestTemplate();
    // Вызывается после LTI-запуска
    public String exchangeForAccessToken(
            String clientId,
            String tokenEndpoint) {
        try {
            // Генерируем client_assertion
            String clientAssertion = JwtAssertionGenerator.generateClientAssertion(
                    clientId,
                    tokenEndpoint,
                    "my-key-id-1"  // должен совпадать с тем, что в JWKS
            );
            // Формируем тело запроса
            MultiValueMap<String, String> body = new LinkedMultiValueMap<>();
            body.add("grant_type", "client_credentials");
            body.add("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer");
            body.add("client_assertion", clientAssertion);
            body.add("scope", "https://purl.imsglobal.org/spec/lti-ags/scope/lineitem https://purl.imsglobal.org/spec/lti-ags/scope/result");
            // Заголовки
            HttpHeaders headers = new HttpHeaders();
            headers.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
            HttpEntity<MultiValueMap<String, String>> request = new HttpEntity<>(body, headers);
            // Отправляем запрос к OpenOLAT
            ResponseEntity<Map> response = restTemplate.postForEntity(tokenEndpoint, request, Map.class);
            if (response.getStatusCode() == HttpStatus.OK) {
                Map<String, Object> responseBody = response.getBody();
                return (String) responseBody.get("access_token");
            } else {
                throw new RuntimeException("Ошибка получения токена: " + response.getStatusCode());
            }
        } catch (Exception e) {
            throw new RuntimeException("Не удалось получить access token", e);
        }
    }
 }
--- a/src/main/java/ru/oa2/lti/utils/Keys.java
+++ b/src/main/java/ru/oa2/lti/utils/Keys.java
@ -0,0 +1,12 @@
 package ru.oa2.lti.utils;
 import java.io.IOException;
 import java.nio.file.Files;
 import java.nio.file.Paths;
 public class Keys {
    public static String readFile(String filename) throws IOException {
        return Files.readString(Paths.get(filename));
    }
 }