LTI Launch Authentication with Node.js

2

7

I have created a simple 'hello-world' web app using express.js framework.

I want the app to be IMS-LTI compliant so that Moodle and other Learning Management Systems can launch it as an external tool.

However, I do not understand how to authenticate the LTI launch in my app (it uses oauth), and I cannot find any express.js/node.js examples of how it's done either. I see that a passport-lti node module exists (https://www.npmjs.org/package/passport-lti), but as a noob with node I just don't understand the sparse documentation.

I have used passport.js to create local authentication - using this video (https://www.youtube.com/watch?v=twav6O53zIQ), I was hoping for similar help for the LTI launch authentication...

Any help is appreciated.

Cheers, Ollie

Oliviero answered 5/12, 2014 at 15:44 Comment(2)
I managed to work this out in the end. I hadn't realised that the node modules come with test code as well as documentation. I used the test code to understand how to do it. - Oliviero
If you don't mind, can you please post your answer here? - Gemot
1

When an LTI Tool Consumer (i.e. an LMS) launches an LTI Application (Tool Provider), the LTI Tool is sent an HTTP POST.

In order to authenticate that the post is legitimate, you need to verify that the post variable 'oauth_signature' is valid by recomputing the signature locally using the shared secret key that you exchanged with the Tool Consumer when the LTI tool was configured.

The act of verifying the OAuth signature is likely handled by an OAuth library; Node.js already has these, so please don't reimplement one.

You can read the full process of validating the launch request in the IMS Global documentation.

Bookbinder answered 8/8, 2017 at 18:25 Comment(0)
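
What an OAuth library recomputes when it checks `oauth_signature`, shown as an added example that is not part of the original answers and is not meant to replace a maintained library. It assumes HMAC-SHA1 and a launch URL without a query string; `signLaunch`, `verifyLaunch`, `sampleLaunch` and every key, secret, URL and field value are hypothetical or constructed.

```javascript
const crypto = require('crypto');
// RFC 3986 percent-encoding as OAuth 1.0a requires (RFC 5849, section 3.6)
const enc = (s) => encodeURIComponent(s)
  .replace(/[!'()*]/g, (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());
const cmp = (a, b) => (a < b ? -1 : a > b ? 1 : 0);

// Recompute HMAC-SHA1 over method, URL and every POST field except oauth_signature
function signLaunch(method, url, params, secret) {
  const normalized = Object.entries(params)
    .filter(([k]) => k !== 'oauth_signature')
    .map(([k, v]) => [enc(k), enc(v)])
    .sort((a, b) => cmp(a[0], b[0]) || cmp(a[1], b[1]))
    .map(([k, v]) => `${k}=${v}`)
    .join('&');
  const base = [method.toUpperCase(), enc(url), enc(normalized)].join('&');
  // An LTI launch has no token secret, so the key is the encoded secret plus '&'
  return crypto.createHmac('sha1', enc(secret) + '&').update(base).digest('base64');
}

const seenNonces = new Set(); // replay cache (assumption: one process, no expiry)
function verifyLaunch(method, url, params, secret, nowSec = Math.floor(Date.now() / 1000)) {
  if (params.oauth_signature_method !== 'HMAC-SHA1') return 'unsupported signature method';
  const ts = Number(params.oauth_timestamp);
  if (!Number.isFinite(ts) || Math.abs(nowSec - ts) > 300) return 'stale timestamp';
  const expected = Buffer.from(signLaunch(method, url, params, secret));
  const given = Buffer.from(String(params.oauth_signature || ''));
  // Constant-time comparison; timingSafeEqual throws on unequal lengths
  if (expected.length !== given.length || !crypto.timingSafeEqual(expected, given)) {
    return 'bad signature';
  }
  const nonceKey = `${params.oauth_consumer_key}:${params.oauth_nonce}`;
  if (seenNonces.has(nonceKey)) return 'replayed nonce';
  seenNonces.add(nonceKey);
  return 'ok';
}

// Constructed sample launch, signed the way a Tool Consumer would sign it
const SECRET = 'constructed-shared-secret';
const LAUNCH_URL = 'https://tool.example/lti/launch';
function sampleLaunch(nonce = 'n-0001') {
  const p = {
    lti_message_type: 'basic-lti-launch-request', lti_version: 'LTI-1p0',
    resource_link_id: 'rl-1', user_id: 'student 42', roles: 'Learner',
    oauth_consumer_key: 'constructed-key', oauth_nonce: nonce,
    oauth_timestamp: '1700000000', oauth_signature_method: 'HMAC-SHA1', oauth_version: '1.0',
  };
  return { ...p, oauth_signature: signLaunch('POST', LAUNCH_URL, p, SECRET) };
}
console.log(verifyLaunch('POST', LAUNCH_URL, sampleLaunch('n-demo'), SECRET, 1700000010)); // prints "ok"
```

The URL passed to the check has to be the one the Tool Consumer signed; behind a TLS-terminating proxy the scheme or host the app sees can differ, and the recomputed signature will then not match.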
4

Just wanted to mention that I ended up doing a working example of this awhile back.

https://github.com/ripples/Present/blob/master/server/app.js#L35

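```javascript
// Imports the snippet relies on (assumed package names: passport, passport-custom, ims-lti)
var passport = require('passport')
var CustomStrategy = require('passport-custom').Strategy
var lti = require('ims-lti')

passport.use('lti-strategy', new CustomStrategy(
    function(req, callback) {
        // LTI launch parameters arrive in the POST body; fall back to the session user
        var val = (req.body) ? req.body : req.user
        try {
            // ims-lti documents Provider(consumer_key, consumer_secret); the body is passed as the first argument here
            var provider = new lti.Provider(val, process.env.LTI_SECRET)
            if (req.user) {
                // Already authenticated in this session: skip signature validation
                callback(null, val)
            }
            else {
                // Recompute and check oauth_signature (and the nonce) for the launch request
                provider.valid_request(req, function(err, isValid) {
                    if (err) {
                        console.log("LTI Error", err, isValid)
                    }
                    callback(err, val)
                });
            }
        }
        catch (err) {
            console.log("Authentication error", err)
            callback(err, null)
        }
    }
))
```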

I ended up doing a custom passport strategy and using another library to do the authentication.

https://github.com/omsmith/ims-lti

It's that new lti.Provider bit, the key is that it takes in the LTI post req object to do auth.

Liatrice answered 7/2, 2018 at 19:5 Comment(5)
I was able to install it in my node.js server, but I am getting stuck on how to use it. - Egbert
@aless80, I can't help you if you don't give a more precise example of where you're stuck/what's not working. One guy I helped with this had an issue with his heroku setup. - Liatrice
You are right, and I would have to try your code again. What was confusing me was the code ims-lti. It looks like parentheses were omitted in the code of the documentation. I ended up adapting the example from here: community.canvaslms.com/thread/… - Egbert
I am trying PAOL Present and start-pm2-prod does not run. - Egbert
Can you be more detailed or post the issues on the actual repo? I am no longer at the institution maintaining it, though am aware I probably have one of the few lti passport implementations working in the FOSS community. It's meant to run with PAOL, which is a whole lecture capture system. I haven't worked on it in years now. I'd suggest looking at the source as opposed to it functioning. - Liatrice