hypothesis / product-backlog

Where new feature ideas and current bugs for the Hypothesis product live

OAuth Authentication #718

Open SteelWagstaff opened 6 years ago

SteelWagstaff commented 6 years ago

We’re running an instance of Pressbooks with the hypothesis plugin installed and network activated. We want to have the option of giving users one login to gain access to both Pressbooks and Hypothesis (when the hypothesis plugin is installed and activated for a book). We’re also looking at bringing Pressbooks into our Learning Management System via LTI, and would love to be able to use a user's university credentials to create and provision these accounts. Following conversations I've had over the past several months with @jeremydean, @judell, and @robertknight, I have some questions about what we might be able to do regarding automatic provision of hypothesis accounts for users who access one of our books published with Pressbooks and the Hypothesis plugin when launched via LTI in a learning management system.

I'd love to see:

1) whether we can configure the hypothesis plugin for WordPress to implement a ‘third-party account’ using the reference implementation at https://github.com/hypothesis/publisher-account-test-site. If we’re successful with this, this may perhaps allow us to automatically create Hypothesis accounts when new Pressbooks accounts are created?

2) Set up our Pressbooks instance to allow SSO with a Shibboleth plugin. This means that users would use their ‘NetID’ to create a Pressbooks user account, either at our public Pressbooks instance or when a book is launched in our Learning Management System via LTI. If step 1 were properly configured, they may also be able to generate a third-party hypothesis account at the same time.

judell commented 6 years ago

"configure the hypothesis plugin for WordPress to implement a ‘third-party account’"

That's doable now. Hypothesis auto-provisioned users would live in a particular type of group (aka 3rd-party namespace) that would need to be allocated by Hypothesis on a per-instance-of-plugin basis. Their Hypothesis identities would (presumably) be derived from their WordPress identities, and would exist only in the context of pages served by that plugin.

"Set up our Pressbooks instance to allow SSO with a Shibboleth plugin"

Also doable now. From the perspective of an implementation of the reference implementation at https://github.com/hypothesis/publisher-account-test-site, the source of identity can be anything.

"or when a book is launched in our Learning Management System via LTI"

Again doable now w/respect to 3rd party accounts.

Near future (work underway now): Enable an LMS integration to auto-provision Hypothesis users who aren't restricted to 3rd-party namespaces, and auto-provision them into, e.g. private groups allocated for use by courses or sections.

How the existing 3rd-party mechanism and the forthcoming LMS mechanism will align is something we'll know more about once the latter is done.

jeremydean commented 6 years ago

Enable an LMS integration to auto-provision Hypothesis users who aren't restricted to 3rd-party namespaces

I don't think this is true. I believe the LMS app will be working with 3rd party accounts as well. @lyzadanger @seanh

I'm also a little confused what you mean by "doable" above, Jon. If this--"configure the hypothesis plugin for WordPress to implement a ‘third-party account’"--for example, is possible now, can we add the code to the WP plugin to make it an option for users?

lyzadanger commented 6 years ago

I believe the LMS app will be working with 3rd party accounts as well.

This is correct. The LMS app has its own associated authority. Provisioned users for LMS will be third-party.

SteelWagstaff commented 5 years ago

Hey good people at Hypothesis. Wondering if this might be a conversation we could pick up on again now that your LTI tool work has advanced. Can anyone provide a brief summary of the 'state of the possible' regarding LTI authentication and third-party account provision these days (what @judell called the "3rd party mechanism and the forthcoming LMS mechanism" above)?

judell commented 5 years ago

I too have been thinking about how the LMS/LTI work advances the (nice phrase!) state of the possible.

Here's how it looks to me:

What's running at elifesciences.org, for which the worked example is https://github.com/hypothesis/publisher-account-test-site, might be called v1 of Hypothesis 3rd-party authentication. It enables a partner site to auto-provision 3rd-party Hypothesis identities within a statically-defined group.

What might be called v2 enables our LMS app to auto-provision 3rd-party Hypothesis identities within groups that are also auto-provisioned. There is not yet a simple worked example of that, i.e. a v2 counterpart to https://github.com/hypothesis/publisher-account-test-site extracted from https://github.com/hypothesis/lms. I think that's doable, since the core user-and-group-provisioning machinery isn't LMS/LTI-specific. And I think having such a counterpart would advance this discussion.

But first things first: gotta ship the LMS app with user/group provisioning!

jeremydean commented 5 years ago

The conversation I'd be interested in hearing--and particularly hearing @lyzadanger's thoughts on--is about what it looks like to distribute and then unify 3rd party account creation with Hypothesis across multiple platforms.

I may be using terms wrong, but we have "SSO" for elife. We (soon will) have SSO for LMSs. How do we continue to provide that type of SSO service in a reproducible (portable?) way to other platforms?

The question THEN becomes, in both publishing and education I think, how does an H account provisioned through SSO in platform one (elife or Canvas, say) become connected to a user's use of H on another platform (another publisher embedding h or my school's WordPress install).

So from @steelwagstaff's POV, the simple version of the question is "how do we get SSO (like you have in Canvas) in Pressbooks" so users in PB don't need to sign in to use H--which is easily embedded in any PB book? Since PB is WordPress based, the same question might be articulated: how could a WP website (or group of websites) provision H accounts for its registered users?

PB and WP work with LTI, right Steel? But is it that simple? What do we actually need to do to make our LTI SSO/provisioning work workable in WP and PB? Or Coursera and edX which also work with LTI and which I've been asked about recently by partners?

But THEN a bigger question comes up--and I know @SteelWagstaff is interested in this too: if a student at U of Indiana has been provisioned an H account through a Canvas course, how can H recognize her if she launches the client through a Pressbooks book site (or a Coursera course)? And perhaps even more complexly, how can H sort all the identity stuff out if that Pressbooks book is launched within a Canvas course via LTI?

My hope is that @lyzadanger's reworking of our identity model will be helpful here. But this is definitely stuff we need to be thinking long term on for our product. CC @ajpeddakotla. Clearly the first and biggest question any institution (school, publisher, whatever) will ask is: how do I get it so my users don't need to manually create accounts?

SteelWagstaff commented 5 years ago

Hey good people--anyone working on the H project with dev skills have further thoughts on this question?

judell commented 5 years ago

Here's the update since my July comment, https://github.com/hypothesis/product-backlog/issues/718#issuecomment-404968679

  1. whether we can configure the hypothesis plugin for WordPress to implement a ‘third-party account’ using the reference implementation at https://github.com/hypothesis/publisher-account-test-site. If we’re successful with this, this may perhaps allow us to automatically create Hypothesis accounts when new Pressbooks accounts are created?

The answer to that was and is yes, if you're able to adapt that reference implementation to WordPress.

  2. Set up our Pressbooks instance to allow SSO with a Shibboleth plugin

The answer also was and is yes because, given 1, the source of identity doesn't matter to an implementation that uses those identities to auto-provision H users in a 3rd-party authority. So if your adaptation of the reference implementation can receive Shibboleth-managed identities, it can provision those into Hypothesis authorities.

The Hypothesis LMS app uses the same 3rd-party mechanism as the reference implementation. A Pressbooks LTI app could also do that. Its source of identity would be the LMS; it would provision H users (and groups) into Hypothesis authorities accordingly. The big change since July is the ability to provision groups, as well as users, within the authority.

One thing that hasn't changed since July: Users in these 3rd-party authorities are isolated populations, not connected to accounts in the primary Hypothesis service.

SteelWagstaff commented 5 years ago

Thanks Jon. I'll take this back to Pressbooks devs and we'll see what we might be able to experiment with (or build) on top of our LTI provider plugin.

judell commented 5 years ago

Sounds good. I'll help with setup and translation of the example, but it's best if actual WordPress expertise is brought to bear on building the plugin. We'd love to see this happen!