search

oxctl / spring-security-lti13

A LTI 1.3 implementation for Spring Security that builds on the OAuth2 support
Apache License 2.0
14 stars 7 forks source link

Is it possible to run without authorization-uri and token-uri #8

Closed CharlesYWL closed 3 years ago

CharlesYWL commented 3 years ago

Hi Developers,

I'm currently using this package to develop tools and I just want to know if possible to run without authorization-uri and token-uri.

Because in IMS Global, it's OK that we make a dummy tool that don't have either authorization-uri or token-uri.

buckett commented 3 years ago

@CharlesYWL Are you wanting to run without using the OpenID Connect Flow? Are you using the IMS LTI Reference Implementation (lti-ri.imsglobal.org) that allows you to post the JWT directly to the tool with the button "Launch Resource Link"?

This library was designed around supporting the OpenID Connect flow as outlined in the IMS Security Framework 1.0: https://www.imsglobal.org/spec/security/v1p0/#platform-originating-messages

If you are not wanting to use that flow then it's really just a case of verifying the JWT that is sent in the id_token parameter on the POST.

buckett commented 3 years ago

If you think it's worth the library supporting LTI launches without the OpenID Connect flow just re-open the issue and outline why.