Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Change how the OIDC Login URL is used, mark the Redirect for deprecation #116

Merged
merged 7 commits into from
Dec 15, 2023
Merged

Change how the OIDC Login URL is used, mark the Redirect for deprecation #116

merged 7 commits into from
Dec 15, 2023

Conversation

dbhynds
Copy link
Member

@dbhynds dbhynds commented Dec 13, 2023
edited
Loading

Summary of Changes

Changes how the OIDC Login URL is retrieved, and prep the Redirect for deprecation. Now that we're not building HTML, the Redirect object doesn't really serve a purpose except to return the URL. We might as well just have the LtiOidLogin do that.

In the next version of the library:

// instead of doing this:
$redirect = $oidLogin->doOidcLoginRedirect($launchUrl, $request);
return redirect($redirect->getRedirectUrl());

// you should do this instead:
return redirect($oidLogin->getRedirectUrl($launchUrl, $request));

Testing

I tested this out on the platform and tests passed: https://gitlab.com/packback/questions/-/pipelines/1105960419

  • I have added automated tests for my changes
  • I ran composer test before opening this PR
  • I ran composer lint-fix before opening this PR

@dbhynds dbhynds marked this pull request as ready for review December 13, 2023 19:50
@dbhynds
Copy link
Member Author

dbhynds commented Dec 14, 2023

The OIDC redirect is used by our application to authenticate with the LMS during an LTI launch. Once we've authenticated, we get back the LTI launch data.

The old doOidcLoginRedirect() method used to build a Redirect object. Then our platform could figure out how use that. Your options were to 1) just get the URL, 2) redirect using the PHP header() function, 3) create an auto-submitting javascript form, or 4) do a weird hybrid of 2 and 3.

I'm taking the opinion here that this package shouldn't have any business deciding how the redirect should be executed. Both options 2, 3, and 4 seem to go against how most modern web frameworks work in practice. We shouldn't be building auto-submitting javascript forms. Nor should we be setting headers and exiting the application. If you want to use either of those approaches in your application, you should do that within your application code.

That leaves us only with option 1 - returning the URL. In that case it seems pointless to have a Redirect object whose only purpose is to return a url. We might as well just have the LtiOidcLogin return that URL directly. Hence, I'm recommend we deprecate doOidcLoginRedirect() in favor of the new getRedirectUrl().

@dbhynds dbhynds requested a review from JesseBarron December 14, 2023 20:32
JesseBarron
JesseBarron requested changes Dec 14, 2023
View reviewed changes
Copy link

@JesseBarron JesseBarron left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@dbhynds - I have a few questions but other than that I was able to confirm that LTI launch still works on the platform.

src/LtiOidcLogin.php Outdated
* @param string $launchUrl URL to redirect back to after the OIDC login. This URL must match exactly a URL white listed in the platform.
* @param array $request An array of request parameters. If not set will default to $_REQUEST.
* @return Redirect returns a redirect object containing the fully formed OIDC login URL
* @deprecated Use getRedirectUrl() to get the URL and then redirect to it yourself
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we know at what version doOidcLoginRedirect will be removed? if so, could we mention that in the comment?

src/LtiOidcLogin.php Outdated
Comment on lines 56 to 58
if ($request === null) {
$request = $_REQUEST;
}

if (empty($launchUrl)) {
throw new OidcException(static::ERROR_MSG_LAUNCH_URL, 1);
}
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

$launchUrl seems important enough to warrant this validtation. Why was it removed?

src/Redirect.php
@@ -18,6 +21,7 @@ public function __construct(string $location, ?string $referer_query = null)

public function doRedirect()
{
trigger_error('Method '.__METHOD__.' is deprecated', E_USER_DEPRECATED);
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This might be overkill but shouldn't a deprication warning be also be shown for getRedirectUrl?

@dbhynds dbhynds requested a review from JesseBarron December 15, 2023 16:09
@dbhynds dbhynds merged commit 70743a4 into master Dec 15, 2023
3 checks passed
@dbhynds dbhynds deleted the oidc-login-url branch December 15, 2023 16:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@JesseBarron JesseBarron JesseBarron approved these changes

Assignees

@JesseBarron JesseBarron

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@dbhynds @JesseBarron