LTI Launch is a project designed to assist in the development of Java based LTI applications that work with the Canvas LMS. It provides functionality to authenticate the OAuth signature of an LTI launch request. After the launch request is verified, the user is forwarded to an initial view specified by the implementing application.
- Java 8
- Maven (Compatible with 3.5.2, requires 3.1+)
- Spring 5.1.13
- Spring Security OAuth
The best way to understand how to use this is to look at the sample application https://github.com/oxctl/lti-demo
The lookup of tool consumers when handling an LTI launch is done by ToolConsumerService
and there is simple
implementation in SingleToolConsumerService
.
This project is deployed to the central repository, once ready to release you can have the release plugin tag everything:
mvn -Prelease release:clean release:prepare
then if that completes successfully a release bundle can be pushed to the staging area of the Sonatype OSS repository with:
mvn -Prelease release:perform
We don't automatically close the staged artifacts so after checking that the files are ok you can login to the repository and release it.
The project uses several variables from the LTI launch:
custom_canvas_user_login_id
- If set this will be used as the username on the created principal.lis_person_sourcedid
- If the canvas specific username isn't found this will be used as the username on the created principal.context_id
- If set this will be used to say the context for which the principal is valid.resource_id
- Ifcontext_id
is unset then this will be used to give the principal a context.roles
- The roles are extracted from this value and set on the returned principal.custom_canvas_user_isrootaccountadmin
- Iftrue
then theROLE_ROOT_ADMIN
role is added to the principal.
This library also allows any project uses this to prevent LTI launches from different domains. Todo this it uses some more LTI variables to detect this:
custom_canvas_api_domain
- If set this value is used to determine where the LTI launch came from.launch_presentation_return_url
- Ifcustom_canvas_api_domain
isn't set then this is used to determine where the LTI launch came from.
If you are having problems with OAuth signatures not matching you should enable debug logging on edu.ksu.lti.launch.spring.config.LtiAuthenticationFilter
and this will output the string that is being checked and the signature that it should match.
A common problems is that the request is made as HTTPS to a proxy infront of the application and is then passed through as HTTP and this causes a signature mismatch because the the request URL that is checked doesn't matche the request URL that the signature was generated against.
A helpful online tool to check the LTI signature is: https://lti.tools/oauth/ This allows you to enter the parameters you are going to send and check that the signature it generates is the same as you are expecting.
This software is licensed under the LGPL v3 license. Please see the License.txt file in this repository for license details.
Currently nonces are store in memory, this means that in a multi node deployment the same launch can be replayed against multiple nodes as there is no syncing of nonces between them.
This project is currently a fork from the Kansas State University lti-launch codebase and owes it's existence to that project.