Releases: openedx/xblock-lti-consumer
7.1.0 Allow disabling NRPS pii
feat: adds setting to prevent nrps pii (#315) We would like to enable PII in an LTI1.3 launch but turning that flag on would allow the tool to grab PII for the entire course roster via NRPS. We have not fully evaluated the privacy concerns if that is allowed. For the time being this platform setting can wholly disable PII over NRPS to avoid the issue
7.0.3 Remove LMS Waffle on model
fix: remove lms specific waffle check (#312) * fix: remove lms specific waffle check
Fix LTI 1.1 Basic Outcomes Service and LTI 2.0 Result Service to Support External User IDs
In #307, we added the ability to send a stable, static user identifier (i.e. external user ID) to fix failed launches with the QwikLabs tool. This is because the QwikLabs tool did not work with the course-anonymized user IDs we used to send (i.e. anonymous user IDs). Inadvertently, this change broke the LTI 1.1 Basic Outcomes Service and the LTI 2.0 Result Service for courses that use the external user ID (i.e. they have the lti_consumer.enable_external_user_id_1p1_launches CourseWaffleFlag enabled). The Basic Outcomes Service and Result Service handle grade pass backs. Because we now have two ways to identify a user in LTI 1.1/2.0, we must update the Basic Outcomes Service and Result Service to support both.
- Fix the LTI 1.1 Outcome Results Service to be able to tie an outcome pass back to a user when the user ID is an
external_user_id. - Fix the LTI 2.0 Result Service to be able to tie a result pass back to a user when the user ID is an
external_user_id. - Update the
RESULT_SERVICE_SUFFIX_PARSERregex string to be able to parse UUIDs to accommodateexternal_user_ids. - Add a
get_lti_1p1_user_from_user_idmethod to theLtiConsumerXBlockto get the user object associated with a user
ID.
Fix LtiConfiguration clean method to look only at location not block
Fix LtiConfiguration clean method to look only at location so that it can work in environments that cannot load the block.
refactor: replace deprecated runtime attributes
What's Changed
- Fix github url strings (org edx -> openedx) by @sarina in #280
- refactor: replace deprecated
rebind_noauth_module_to_user,get_real_user,runtime.hostname,runtime.course_id[BD-13] by @tecoholic in #249
Full Changelog: 6.4.0...v7.0.0
Contributors
Assets 2
adds support for sending external_user_id as user_id in LTI 1.1 XBlock launches
Adds support for sending an external_user_id in LTI 1.1 XBlock launches. When the
lti_consumer.enable_external_user_id_1p1_launches CourseWaffleFlag is enabled, the LTI 1.1 launch will send an
external_user_id as the user_id attribute of the launch. When the lti_consumer.enable_external_user_id_1p1_launches
CourseWaffleFlag is disabled, the LTI 1.1 launch will continue to send the anonymous_user_id. The external_user_id is
defined, created, and stored by the external_user_ids Djangoapp in edx-platform.
adds support for LTI 1.3 Proctoring Service specification in-browser proctoring launch
- Adds an
Lti1p3ProctoringLaunchDatadata class. It should be included as an attribute of theLti1p3LaunchDatadata class to provide necessary proctoring data for a proctoring launch. - Adds an
LtiProctoringConsumerclass. This class is used to generate LTI proctoring launch requests and to decode and validate the JWT send back by the Tool with theLtiStartAssessmentmessage. - Adds an
lti_1p3_proctoring_enabledBooleanFieldto theLtiConfigurationmodel. This field controls whether proctoring is enabled for a particular LTI integration. - Modifies the
launch_gate_endpointto supportLtiStartProctoringandLtiEndAssessmentLTI launch messages. - Adds a
start_proctoring_assessment_endpointto supportLtiStartAssessmentmessages from the Tool. - Adds an
LTI_1P3_PROCTORING_ASSESSMENT_STARTEDsignal. This signal is emitted when theLtiStartAssessmentmessage is sent from the Tool to inform users of the library that theLtiStartAssessmentmessage has been received.
6.1.0 greatly reduce block load to fix studio issues
6.0.0 broke studio functionality because it leaned more heavily on the xblock load which only worked in the LMS.
Fix by greatly limiting when we attempt a full xblock load and bind.
6.0.0 use config_id from launch data in API instead of block or config.id
BREAKING CHANGE:
Please note that additional breaking changes will be forthcoming in future versions of this library.
Modified Python API methods to use config_id (the UUID field) exclusively rather than config.id or block.
For the functions changed in 5.0.0 the config_id is available in the launch_data.
Other functions had config.id changed to config_id and block removed as an argument.
The new function config_id_for_block gets that config ID if all you have is a block.
Fix Failing LTI 1.3 Launch Due to Clickjacking Protection and Incorrect Authentication Response/Launch URL
X-Frame-Options DENY response header prevents LTI 1.3 launch
This commit fixes a bug caused by the X-Frame-Options response header. The X-Frame-Options response header indicates to the browser whether a site's content can be loaded within certain tags, including the <iframe> tag. This is a form of clickjacking protection.
In Django, this response header is set by the django.middleware.clickjacking.XFrameOptionsMiddleware middleware. In the edx-platform, by default, X-Frame-Options is set to DENY (see the X_FRAME_OPTIONS Django setting), which means that the response content returned by Django views cannot be loaded within certain tags. However, this behavior can be disabled by decorating views with the django.views.decorators.clickjacking.xframe_options_exempt view decorator.
This creates a problem for LTI 1.3 launches in the edx-platform. When an LTI component is loaded, the LtiConsumerXBlock is loaded via the lms.djangoapps.courseware.views.views.render_xblock_view view. This view is called in an <iframe> tag, but the view is decorated by the xfame_options_exempt decorator, which disables clickjacking protection and communicates to the browser that the content can be loaded in the <iframe> tag.
Once the third-party login request of the LTI 1.3 launch is completed, the LTI tool directs the browser to make a request to the launch_gate_endpoint. This endpoint returns a response, which is an auto-submitting form that makes a POST request - the LTI launch request - to the tool. This view has clickjacking enabled, so the browser blocks the requests, which prevents the launch from occurring.
This commit adds the xframe_options_exempt view decorator to the launch_gate_endpoint view.
Note that LTI 1.1 does not have this bug, because the LTI launch request is handled via the lti_launch_handler. The XBlock runtime handles requests to the LTI handlers via the openedx.core.djangoapps.xblock.rest_api.views.xblock_handler view, which is also decorated by the xframe_options_exempt view decorator.
LTI 1.3 launch URL should be redirect_uri provided by Tool in authentication request
This commit fixes a bug in the way we determine where to send the authentication response - the LTI 1.3 launch message - as part of an LTI 1.3 launch.
According to the 1EdTech Security Framework 1.0, during an LTI 1.3 launch, "the authentication response is sent to the redirect_uri." The redirect_uri is a query or form parameter provided by the tool when it directs the browser to make a request to the Platform's authentication endpoint. However, we currently send the authentication response to the preregistered launch URL - lti_1p3_launch_url in the LtiConsumerXBlock or the LtiConfiguration model. The difference is subtle, but it is important, because the specification indicates the Platform should respect the redirect_uri provided by the Tool, assuming it is a valid redirect_uri.
During the pregistration phase, "the Tool must provide one or multiple redirect URIs that are valid end points where the authorization response can be sent. The number of distinct redirect URIs to be supported by a platform is not specified." Currently, we do not support multiple redirect URIs, so the change is not immediately impactful. However, we should follow the specification and ensure that we return the authentication response to the correct URL.