Cvmcosta / ltijs

Turn your application into a fully integratable LTI 1.3 tool provider.
https://cvmcosta.github.io/ltijs/
Apache License 2.0

Authentication outside of Provider app #167

Open benbarefield opened 1 year ago

benbarefield commented 1 year ago

Thank you very much for this work, it's fantastic! I feel like I'm totally missing something, but maybe not:

Is your feature request related to a problem? Please describe. I'm using ltijs in serverless mode to add LTI into an already existing app, so I have some endpoints that do authentication of the user (passing a token in the header). I'd like the client to be able to use these same endpoints using the ltik as the token.

Describe the solution you'd like I'd love to be able to verify (and get the user ID) from a request that contains the ltik in the header (and the session cookie). This could be done by exporting Utils/Auth or providing an additional public API on Provider.

Describe alternatives you've considered Either rewriting things to be hosted out of the ltijs express instance or cloning Utils/Auth for my own purposes.

benbarefield commented 1 year ago

I'm realizing that the ltik is just a jwt, and I can get the information I need from that. I'm going to leave this open until I'm 100% sure about that because there may still be something I'm missing.

Cvmcosta commented 1 year ago

Hello @benbarefield, I don't think I understand your question. What do you mean by "verify and get the user ID"? You have access to the ID Token (res.locals.token) in any endpoint created by Ltijs (lti.app.get(...)) that is accessed using the ltik key.

benbarefield commented 1 year ago

@Cvmcosta The endpoints I'm accessing are not created by Ltijs, but this was mostly a lack of understanding about the ltik being a jwt, and a misreading of the code that was using Auth.verify. I think I can just close this, sorry for the bother.

benbarefield commented 1 year ago

Hi @Cvmcosta, I think I have a better understanding of things now, and this is still, maybe, an issue I need to solve. I'm using ltijs as middleware for a pre-existing app I have built (like https://cvmcosta.me/ltijs/#/provider?id=deploying-ltijs-as-part-of-another-server).

So I'm trying to determine the best way to make it so that a session can survive a page refresh (my tool is opened in a separate tab, not an iframe within the LMS). It'd be great if I could make use of the httpOnly cookies that ltijs provides, but I think I'd need to go through a similar process as in this if block https://github.com/Cvmcosta/ltijs/blob/c1e3120a3362cac10eceaaa5a015ca74f692270a/src/Provider/Provider.js#L224 to recreate the ltik.

ssciolla commented 1 year ago

Hi @benbarefield, not exactly sure what you're trying to do or what architecture or frameworks you're dealing with, but something like what our team did may be what you're looking for. Rather than rely on the ltik for guarding your API endpoints, basically you hook into your own authentication service and create your own JWT/cookies in the provider.onConnect callback. See https://github.com/tl-its-umich-edu/canvas-course-manager-next/blob/74c449c5bb02f92cdb889bb5490e2601f653d888/ccm_web/server/src/lti/lti.service.ts#L83-L96. This was inspired by a pattern we saw in this project: https://github.com/txstate-etc/attendance-node

benbarefield commented 1 year ago

@ssciolla absolutely, I saw one of your previous posts and looked at this code: it was helpful, thanks! We didn't roll our own auth system (using AWS Cognito), so there are some challenges involved in that. But writing this response is making me realize I should double check some of my assumptions about Cognito to see how practical this approach would be.