hypothesis / lms

LTI app for integrating with learning management systems
BSD 2-Clause "Simplified" License

EPIC: IMS LTI 1.3 Certification #705

Closed klemay closed 2 years ago

klemay commented 5 years ago

Track related tasks (source of truth)

LTI 1.3 Migration

As part of https://github.com/hypothesis/lms/issues/850, Rob covered the gist of the problem in 2019:

Are we compatible with LTI 1.3?

I had a read through of the LTI 1.3 specs this morning [1]. In short, implementing LTI 1.3 is a substantial project. Our "LMS" application is currently an "LTI 1.0/1.1 Tool Provider". LTI 1.3 preserves many of the basic concepts of LTI 1.1, but the security protocols on which it is built are different [2], and this significantly changes the registration process, flow of execution when launching an LTI assignment, and methods used by the LTI tool to pass back grades and other information to the LMS.

The LTI 1.3 specifications are quite recent and Canvas has only just implemented LTI 1.3 + associated specs for grading and other extensions ("LTI Advantage") behind a feature flag.

Due to changes in the information required by the Hypothesis LMS app and the LMS itself for an LTI 1.3 tool, separate registration documentation + guides will most likely be required for LTI 1.3.

[1] The specs are comprised of IMS Security Framework which explains how the LTI tool and the LMS communicate securely, the LTI 1.3 core specification which explains how a basic "External tool" assignment/content is created using LTI 1.3 and additional specifications which cover "deep linking" and reporting of grades/progress from the LTI tool back to the LMS.

[2] In technical terms, LTI 1.0/1.1 uses OAuth 1.0, LTI 1.3 uses OAuth 2 and OpenID Connect. LTI 1.3 also has a more complex launch flow to fix a security issue with LTI 1.0 where a malicious student (call them Mallory) could, in theory, trick another student (call them Alice) into doing an assignment under Mallory's identity.

Resources

Recommended

Optional
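The launch-flow change described in footnote [2] above, as an added example that is not part of the original issue or the Hypothesis LMS code: a tool-side check, assuming the LTI 1.3 OIDC launch in which the tool mints `state` and `nonce` at login initiation and binds them to the browser with a cookie. Function names, the cookie format and the claim values are constructed for illustration, and id_token signature, `iss`, `aud` and `exp` validation is assumed to have happened before `check_launch` is called.

```python
import hashlib
import hmac
import secrets
import time

SECRET = secrets.token_bytes(32)  # tool-side signing key (constructed for this example)
_used_nonces = set()              # stands in for a shared, expiring nonce store

def _mac(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()

def begin_login(now=None):
    """Login initiation: mint state and nonce, bind them to this browser via a cookie."""
    expiry = int(now or time.time()) + 300
    state, nonce = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
    payload = f"{state}.{nonce}.{expiry}"  # token_urlsafe never emits "."
    return state, nonce, f"{payload}.{_mac(payload)}"

def check_launch(cookie, posted_state, claims, now=None):
    """Launch POST: `claims` come from an id_token assumed already signature-checked."""
    parts = (cookie or "").split(".")
    if len(parts) != 4:
        return "reject: no valid login cookie in this browser"
    state, nonce, expiry, mac = parts
    if not hmac.compare_digest(mac.encode(), _mac(f"{state}.{nonce}.{expiry}").encode()):
        return "reject: cookie tampered"
    if int(expiry) < (now or time.time()):
        return "reject: login attempt expired"
    if not hmac.compare_digest(state.encode(), str(posted_state).encode()):
        return "reject: state was not issued to this browser"
    if not hmac.compare_digest(nonce.encode(), str(claims.get("nonce", "")).encode()):
        return "reject: id_token nonce does not match this login"
    if nonce in _used_nonces:
        return "reject: replayed launch"
    _used_nonces.add(nonce)
    return "accept"

def demo():
    """Constructed scenario: Mallory's launch response is submitted from Alice's browser."""
    _, _, alice_cookie = begin_login()
    m_state, m_nonce, mallory_cookie = begin_login()
    mallory_claims = {"sub": "mallory-user-id", "nonce": m_nonce}  # constructed claims
    return [
        check_launch(alice_cookie, m_state, mallory_claims),    # cross-browser: rejected
        check_launch(None, m_state, mallory_claims),            # no cookie: rejected
        check_launch(mallory_cookie, m_state, mallory_claims),  # Mallory's own browser
        check_launch(mallory_cookie, m_state, mallory_claims),  # same launch again
    ]
```

A launch is accepted only in the browser that started the login, which is the property the single signed POST of an LTI 1.1 launch cannot give.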

seanh commented 4 years ago

I've created a separate epic for 1.1 certification only: https://github.com/hypothesis/lms/issues/1130

marcospri commented 2 years ago

This is now done: https://site.imsglobal.org/certifications/hypothesis/hypothesis

Ideally we could extend our certification to cover "Deep Linking" and "Names and Roles" but that can be tracked in a different issue.