LTI Launch Request Handler

[smadbe]

Overview

Our platform has to support LTI (Learning Tools Interoperability) for being able to integrate into other learning platform such as EdX.

Basically, as a LTI Provider, our items will be opened in an iframe by the LTI Consumer, with some LTI-specific authentication. We have to handle this request (LTI Launch request)(POST), handle the auth (ask login-module), and redirect to the content.

See workflow here.

On POST /lti/launch?redirect_to=...

DB Prerequisite

New table lti_cookies "Authorized user's cookies for LTI sessions" with

• cookie PK
• lti_user_id string(255) not null
• user_id FK to users.id
• expires_at

Input

POST input:

• lti_message_type must be "basic-lti-launch-request"
• other lti parameter not checked as they are forwarded to the authenticator URL input:
• redirect_to: encoded url to which the user has to be redirected after a success authentication (typically, the url of the frontend with a reference to the content).

Output

Redirect 303 to the redirect_to url.

Actions

• If no "lti_session" cookie is provided or lti_cookies.lti_user_id does not matches the user_id provided in POST:
  • send a POST /platform_api/lti/entry to login platform with { "post_params": <the post params>, "http_method": "POST", "http_url": <the full url of this service> }
  • on success:
    • if it is a new user:
      • create the user (with the usual things around)
      • put the user in the group with as textid "lti", if it exists
    • store the returned token in sessions
    • generate a cookie, valid 2h, stored in lti_cookies
    • set cookie
• Redirect 303 to the decoded redirect_to url

[smadbe]

Not required anymore as the workflow has changed.