adlnet / xAPI-Spec

The xAPI Specification describes communication about learner activity and experiences between technologies.
https://adlnet.gov/projects/xapi/

xAPI LRS as oAuth Provider #1110

Open kellertobias opened 1 year ago

kellertobias commented 1 year ago

Hello. The company I work for is thinking about implementing xAPI in our product. Do I understand https://github.com/adlnet/xAPI-Spec/blob/1.0.2/xAPI.md#security correctly, that an xAPI LRS can be used to authenticate a user against using the OAuth workflow (so similar to Google or Facebook social login)?

The goal is to have the user that is known by the other LMS/LRS to log into our application without the need to explicitly create a user account or sync the list of available users in our application first.

vbhayden commented 1 year ago

OAuth is an option, but not every LRS will have it etc.

TL;DR: LRS credentials themselves are more for distinguishing which system (or LRS tenant, in the case of multi-tenant solutions) is actually sending the xAPI statements.

For your specific situation, an LMS user doesn't typically log into the LRS themselves -- or even need to know that the LRS exists at all tbh. xAPI statements and information about a user are typically sent by a module within the LMS itself, which would have its own LRS credentials for handling that communication. The statement's actor property will identify the user in question as the subject of the statement, so users aren't required to have unique credentials to attribute them to xAPI statements, but there might be an LRS solution out there which takes this approach.

Hope that helps some, -Trey
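
The split described in the reply above, as an added example (not code from the thread or from ADL): one set of client credentials authenticates the LMS module, and the LRS records that client as the statement's `authority` while `actor` names the learner. The client table, URLs, secret and function names are constructed for illustration, HTTP Basic auth is assumed, and only Agent actors are handled.

```python
import base64
import hmac
import json

# Constructed sample data: one credential pair for the LMS module, none per learner.
CLIENTS = {"lms-module": "s3cret-example"}   # hypothetical LRS client table
LRS_HOME = "https://lrs.example.org"         # placeholder LRS URL
IFI_KEYS = ("mbox", "mbox_sha1sum", "openid", "account")


def build_request(key, secret, learner_email, verb_id, activity_id):
    """LMS side: every learner's statement is sent with the same client credentials."""
    token = base64.b64encode(f"{key}:{secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {token}",
        "X-Experience-API-Version": "1.0.2",
        "Content-Type": "application/json",
    }
    statement = {
        "actor": {"objectType": "Agent", "mbox": f"mailto:{learner_email}"},
        "verb": {"id": verb_id},
        "object": {"id": activity_id},
    }
    return headers, json.dumps(statement)


def lrs_accept(headers, body):
    """LRS side: authenticate the sending client, then stamp it as `authority`."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Basic":
        raise PermissionError("unsupported auth scheme")
    try:
        key, _, secret = base64.b64decode(token, validate=True).decode().partition(":")
    except ValueError:  # covers bad base64 and bad UTF-8
        raise PermissionError("malformed credentials")
    expected = CLIENTS.get(key)
    if expected is None or not hmac.compare_digest(expected.encode(), secret.encode()):
        raise PermissionError("unknown client")
    statement = json.loads(body)
    actor = statement.get("actor", {})
    if sum(k in actor for k in IFI_KEYS) != 1:
        raise ValueError("Agent actor needs exactly one identifier")
    # This LRS does not trust a client-supplied authority; it derives the
    # value from the credentials that authenticated the request.
    statement["authority"] = {
        "objectType": "Agent",
        "account": {"homePage": LRS_HOME, "name": key},
    }
    return statement
```
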