I recently upgraded to 2.18. I attempted to move all the appropriate authentication parameters from authen_LTI.conf
to authen_LTI_1_1.conf
and do the other necessary edits, but I must have missed something, because the authentication does not work. This is what I get in the debug file when trying to connect to an assignment:
[Wed Aug 16 12:05:21.111816 2023] (eval):
===> Begin WeBWorK::dispatch() <===
[Wed Aug 16 12:05:21.111996 2023] (eval): Hi, I'm the new dispatcher!
[Wed Aug 16 12:05:21.112099 2023] (eval): --------------------------------------------------------------------------------
[Wed Aug 16 12:05:21.112180 2023] (eval): Okay, I got some basic information:
[Wed Aug 16 12:05:21.112254 2023] (eval): The site location is /webwork2
[Wed Aug 16 12:05:21.112324 2023] (eval): The request method is GET
[Wed Aug 16 12:05:21.112457 2023] (eval): The URI is /webwork2/Math223_Wi23_JHlavacek/WhatIsLinearAlgebra
[Wed Aug 16 12:05:21.112536 2023] (eval): The argument string is
[Wed Aug 16 12:05:21.112606 2023] (eval): --------------------------------------------------------------------------------
[Wed Aug 16 12:05:21.112720 2023] (eval): The path is /Math223_Wi23_JHlavacek/WhatIsLinearAlgebra/
[Wed Aug 16 12:05:21.112816 2023] (eval): The current route is problem_list
[Wed Aug 16 12:05:21.112889 2023] (eval): Here is some information about this route:
[Wed Aug 16 12:05:21.112981 2023] (eval): The display module for this route is WeBWorK::ContentGenerator::ProblemSet
[Wed Aug 16 12:05:21.113054 2023] (eval): This route has the following captures:
[Wed Aug 16 12:05:21.113126 2023] (eval): courseID => Math223_Wi23_JHlavacek
[Wed Aug 16 12:05:21.113198 2023] (eval): controller => ProblemSet
[Wed Aug 16 12:05:21.113274 2023] (eval): setID => WhatIsLinearAlgebra
[Wed Aug 16 12:05:21.113343 2023] (eval): action => go
[Wed Aug 16 12:05:21.113412 2023] (eval): --------------------------------------------------------------------------------
[Wed Aug 16 12:05:21.113479 2023] (eval): Now we want to look at the parameters we got.
[Wed Aug 16 12:05:21.113546 2023] (eval): The raw params:
[Wed Aug 16 12:05:21.113641 2023] (eval): --------------------------------------------------------------------------------
[Wed Aug 16 12:05:21.113713 2023] (eval): We need to get a course environment (with or without a courseID!)
[Wed Aug 16 12:05:21.121656 2023] (eval): Here's the course environment: WeBWorK::CourseEnvironment=HASH(0x558ce5815cd8)
[Wed Aug 16 12:05:21.122095 2023] (eval): Using user_authen_module WeBWorK::Authen::LTIAdvanced: WeBWorK::Authen::LTIAdvanced=HASH(0x558ce594f4c8)
[Wed Aug 16 12:05:21.122210 2023] (eval): We got a courseID from the route, now we can do some stuff:
[Wed Aug 16 12:05:21.122299 2023] (eval): ...we can create a database object...
[Wed Aug 16 12:05:21.130766 2023] (eval): (here's the DB handle: WeBWorK::DB=HASH(0x558ce5810378))
[Wed Aug 16 12:05:21.130902 2023] WeBWorK::Authen::verify: BEGIN VERIFY
[Wed Aug 16 12:05:21.130991 2023] WeBWorK::Authen::LTIAdvanced::request_has_data_for_this_verification_module: LTIAdvanced has been called for data verification
[Wed Aug 16 12:05:21.131133 2023] WeBWorK::Authen::LTIAdvanced::request_has_data_for_this_verification_module: LTIAdvanced returning that it has insufficent data
[Wed Aug 16 12:05:21.131327 2023] WeBWorK::Authen::verify: BEGIN VERIFY
[Wed Aug 16 12:05:21.131423 2023] WeBWorK::Authen::do_verify: db ok
[Wed Aug 16 12:05:21.131506 2023] WeBWorK::Authen::get_credentials: self is WeBWorK::Authen::Basic_TheLastOption=HASH(0x558ce594f4e0)
[Wed Aug 16 12:05:21.131715 2023] WeBWorK::Authen::fetchCookie: found no cookie for this course. returning nothing.
[Wed Aug 16 12:05:21.132135 2023] WeBWorK::Authen::verify: END VERIFY
[Wed Aug 16 12:05:21.132228 2023] WeBWorK::Authen::verify: result 0
[Wed Aug 16 12:05:21.132315 2023] (eval): Bad news: authentication failed!
[Wed Aug 16 12:05:21.132389 2023] (eval): Rendering WeBWorK::ContentGenerator::Login
The student is presented with the login screen. It seems like there are no LTI data provided at all.
Here is the contents of my authen_LTI.conf
:
#!perl
#
################################################################################################
# Configuration for using LTI authentication.
# To enable this file, uncomment the appropriate lines in localOverrides.conf
# The settings in this file apply to both LTI 1.1 and LTI 1.3 authentication.
# The settings specific to the LTI 1.1 authenticatio are in authen_LTI_1_1.conf.
# The settings specific to the LTI 1.3 authenticatio are in authen_LTI_1_3.conf.
################################################################################################
# Set debug_lti_parameters to 1 to have LTI calling parameters printed to HTML page for
# debugging. This is useful when setting things up for the first time because
# different LMS systems have different parameters
$debug_lti_parameters = 1;
# To get more information on passing grades back to the LMS enmass set debug_lti_grade_passback
# to one. And set the LTIMassUpdateInterval to 60 (seconds).
$debug_lti_grade_passback = 1;
# This will print into the apache log the success or failure of updating each user/set.
# Setting both debug_lti_parameters and debug_lti_grade_passback will cause the full request and
# response between the LMS and WW to be printed into apache error log file for each
# user/set update of the grade.
# The switches above can be set in course.conf to enable debugging for just one course.
# If you want even more information enable the debug facility in the webwork2.mojolicious.yml
# file. This will print extensive debugging messages for all courses.
# Note that for LTI 1.3 not all debug message will make it back to the HTML page due to the
# nature of how LTI 1.3 authentication works with automatic form submissions and redirects.
################################################################################################
# Authentication settings
################################################################################################
# This section enables LTI authentication. If a course uses LTI 1.1 (see $LTIVersion below),
# then the LTIAdvanced module will be used. If a course uses LTI 1.3 (see $LTIVersion below),
# the LTIAdvantage will be used. If you know a site will not use one or the other, it can be
# commented out. Failover to Basic_TheLastOption is necessary to authenticate with cookie keys.
$authen{user_module} = [
# { '*' => 'WeBWorK::Authen::LTIAdvantage' }, # first try LTI 1.3
{ '*' => 'WeBWorK::Authen::LTIAdvanced' }, # next try LTI 1.1
{ '*' => 'WeBWorK::Authen::Basic_TheLastOption' } # fallback authorization method
];
# Include configurations. You must uncomment at least one of the following. You may uncomment
# both if the site may be using both LTI 1.1 and 1.3 in different courses. After uncommenting
# the LTI_1_x line, you must copy the file authen_LTI_1_x.conf.dist to authen_LTI_1_x.conf and
# then edit that file to fill in the settings for LTI_1_x.
include('conf/authen_LTI_1_1.conf');
#include('conf/authen_LTI_1_3.conf');
# This is the default LTI version that will be used for the site. This must be 'v1p1' for LTI
# 1.1 authentication, 'v1p3' for LTI 1.3 authentication, or '' to disable LTI authentication.
# A course may override this setting to use the other version of LTI authentication or to
# disable LTI authentication for the course.
$LTIVersion = 'v1p1';
# WeBWorK will automatically create users when logging in via the LMS for the first time as long
# as the permission level is less than or equal to the permission level of this setting. For
# security reasons accounts with high permissions should not be auto created via LTI requests.
# Set this variable to 'professor' if you want professor accounts to be created automatically.
$LTIAccountCreationCutoff = 'ta';
# If the following flag is enabled then the user demographic data will be kept up to date with
# the data from the LMS. If a user's information changes in the LMS then it will change in
# WeBWorK. This means that any changes to the student data via WeBWorK will be overwritten the
# next time the student logs in.
$LMSManageUserData = 1;
# If the preferred module is an external authentication module but the sequence includes an
# internal authentication system, e.g., Basic_TheLastOption, then $external_auth (below) must be
# set to 1 (or true). If the value is 1, then, if the authentication sequence reaches
# Basic_TheLastOption, then WeBWorK::Login will display a screen directing the user back to an
# external authentication system. This prevents you from attempting to login in to WeBWorK
# directly.
$external_auth = 0;
# NOTE: If external authentication is disabled then you should probably also prevent students
# from changing their passwords (because they can't use them). To do this uncomment the
# following.
$permissionLevels{change_password} = 'ta';
################################################################################################
# Authorization system LTI: LMS Grade Passback
################################################################################################
# WeBWorK can automatically report grades back to your LMS. However the system is reasonably
# restrictive. When you create an LTI link in your LMS you can choose to have that LTI link
# have a grade associated to it. WeBWorK can report back a single percentage as the "grade" for
# that link. There are two modes under which this can occur.
# Single Course Grade Mode: $LTIGradeMode = 'course';
# In this mode you create a single Link/Assignment which points to your WeBWorK Course address.
# Students will receive a LMS grade associated to the Link/Assignment which is determined by
# their percentage total homework grade in WeBWorK. This total homework grade is the same as
# the grade that is reported on the grades page. You can change the weight of sets by altering
# the weight of the problems in the set.
# Individual Homework Grade Mode: $LTIGradeMode = 'homework';
# In this mode you create a single Link/Assignment for *every* homework set in the course. The
# address should be the address of that set in the Course. Students will receive a grade for
# each Link/Assignment which is determined by their percentage homework grade on the Set which
# the Link/Assignment points to. Students need to use the Link/Assignment in the LMS at least
# once to enable grade passback. In particular when working in this mode it is recommended that
# you only allow students to log in via the LMS.
# Note: For both of these modes only the grades are passed back. In particular nothing else
# about the Link/Assignment in the LMS and the homework set in WeBWorK is synchronized. In
# particular the total number of points/problems, the due dates, the open dates are not kept in
# sync automatically (yet).
# Site Administrator Note for LTI 1.3: This uses OAuth2 RSA private/public keys. These keys
# are automatically generated the first time that they are needed. It is recommended that new
# keys are generated on a regular basis. At this point, key rotation is not automatic for
# webwork2. Howevever, it is simple. Delete the files $webwork2_dir/DATA/lti_private_key.json
# and $webwork2_dir/DATA/lti_public_key.json. New keys will then be automatically generated the
# next time they are needed. Probably a good rule of thumb (for now) is to do this at the
# beginning of every term.
#$LTIGradeMode = '';
#$LTIGradeMode = 'course';
$LTIGradeMode = 'homework';
# When set this variable sends grades back to the LMS every time a user submits an answer. This
# keeps students grades up to date but can be a drain on the server.
$LTIGradeOnSubmit = 1;
# If CheckPrior is set to 1 then the current LMS grade will be checked first, and if the grade
# has not changed then the grade will not be updated. This is intended to reduce changes to LMS
# records when no real grade change occurred. It requires a 2 round process, first querying the
# current grade from the LMS and then when needed making the grade submission.
$LTICheckPrior = 1;
# The system periodically updates student grades on the LMS. This variable controls how often
# that happens. Set to -1 to disable.
$LTIMassUpdateInterval = 86400; #in seconds
################################################################################################
# Add an 'LTI' tab to the Course Configuration page
################################################################################################
# Uncomment any of the variables listed in the @LTIConfigVariables array below if you would like
# the Course Configuration page to have an LTI tab, granting the course instructor easy access
# to some of the LTI settings. You may leave some of the variables commented out if you would
# like to omit them from the options in this tab. If all variables are left commented out, then
# the tab will not be shown. Note that the default values for the variables that will be shown
# in the LTI tab are the values that are set above. Further note that only the variables listed
# in LTIConfigValues.config may be added to the LTI config tab. In addition, only the variables
# that pertain to the active LTI version will be shown in the tab.
@LTIConfigVariables = (
#'LTI{v1p1}{LMS_name}',
#'LTI{v1p3}{LMS_name}',
#'LTI{v1p1}{LMS_url}',
#'LTI{v1p3}{LMS_url}',
'external_auth',
'LTIGradeMode',
'LMSManageUserData',
'debug_lti_parameters'
);
1; # final line of the file to reassure perl that it was read properly.
and here is the authen_LTI_1_1.conf
with the secret stuff redacted:
#!perl
################################################################################################
# Configuration for using LTI 1.1 authentication.
# To enable this file, uncomment the appropriate lines in authen_LTI.conf
################################################################################################
# This is a string that is used to name the LMS for end users, for example in a message telling
# users to sign in through their LMS.
$LTI{v1p1}{LMS_name} = 'Canvas';
#$LTI{v1p1}{LMS_name} = 'Desire2Learn';
# This is a URL that should take users to a place they can log in to their LMS. It will use the
# text from LMS_name, but use LMS_url as the href. If LMS_url is empty or undefined, the
# text from LMS_name is used with no link.
$LTI{v1p1}{LMS_url} = 'https://canvas.svsu.edu/';
#$LTI{v1p1}{LMS_url} = 'https://myschool.edu/lms/';
################################################################################################
# LTI 1.1 preferred and fallback source of WW user_id
################################################################################################
# You MUST set what LTI field is used to set the WeBWorK user_id.
#
# The lis_person_sourcedid (or one of its variants) is formally an OPTIONAL field
# https://www.imsglobal.org/specs/ltiv1p1/implementation-guide
# but is relatively consistently available.
# However, some LMS systems, Blackboard in particular, do not send lis_person_sourcedid.
#
# The email address lis_person_contact_email_primary is often a more understandable value but
# may not exist.
#
# The LTI standard recommends providing a "user_id" value, which needs to be a unique identifier
# for each student in the LMS. The value is not expected to be people friendly by may be
# available when neither of the others are.
#
# You need to make sure to use a setting such that
# (1) usernames are unique and
# (2) the setting is as compatible as possible with the practices of the institutions that
# are being served in a site.
#
# If each course is only being used by students from a single institution and the value
# lis_person_sourcedid is unique across that population and matches the logon username at that
# institution, then lis_person_sourcedid is probably the better choice.
#
# On the other hand, if a site is serving a population from several institutions or if the
# lis_person_sourcedid is not necessarily unique across the population, then
# lis_person_contact_email_primary is the better choice.
#
# NOTE: As of WeBWorK 2.16 some setting MUST be made.
#
# If no setting is made, all LTI logins will fail and an error will be reported.
#
# See the comment further down on how to get WeBWorK 2.16 to behave similarly to
# the prior behavior.
# NOTE: Even if a course management system sends one of the common misspellings of
# "lis_person_sourcedid", i.e.,
# lis_person_sourced_id, lis_person_source_id, and lis_person_sourceid,
# one must nevertheless use the correct spelling "lis_person_sourcedid" here.
$LTI{v1p1}{preferred_source_of_username} = 'lis_person_contact_email_primary';
#$LTI{v1p1}{preferred_source_of_username} = 'lis_person_sourcedid';
# You can use any parameter the LMS will provide for the preferred_source_of_username, ex:
#$LTI{v1p1}{preferred_source_of_username} = 'user_id';
# You can also optionally provide a fallback_source_of_username which will only be used if WW is
# unable to determine a user_id using preferred_source_of_username.
# Warning: This can be dangerous, e.g. if the fallback were used for some student, and then on a
# later connection by that student the LMS provided a value for the preferred_source_of_username
# field, then the student will get a new WeBWorK account and lose access to their prior account
# and the prior scores will not be associated with their account any longer. Thus, this feature
# should be used carefully!
#$LTI{v1p1}{fallback_source_of_username} = '';
#$LTI{v1p1}{fallback_source_of_username} = 'lis_person_sourcedid';
# Stripping the domain when creating user_id from an email address:
# If you set either preferred_source_of_username or fallback_source_of_username to
# lis_person_contact_email_primary, and the email is being used as the WeBWorK user_id, then if
# the following setting is enabled, then WeBWorK will strip off the domain portion of the email
# (after the '@') and just use the username.
$LTI{v1p1}{strip_domain_from_email} = 1;
# This feature should not be used if emails could collide after the domain is removed.
# To get WeBWorK 2.16 to handle LTI authentication using an approach roughly the same as was
# used until WeBWorK 2.15, you can set one of the 2 pairs of settings:
#
# Option 1: Primary choice is lis_person_contact_email_primary, fallback to lis_person_sourcedid:
#$LTI{v1p1}{preferred_source_of_username} = 'lis_person_contact_email_primary';
#$LTI{v1p1}{fallback_source_of_username} = 'lis_person_sourcedid';
#
# Option 2: Primary choice is lis_person_sourcedid, fallback to lis_person_contact_email_primary:
#$LTI{v1p1}{preferred_source_of_username} = 'lis_person_sourcedid';
#$LTI{v1p1}{fallback_source_of_username} = 'lis_person_contact_email_primary';
# Depending on the username source, capitalization may vary between students, such as when using
# an email address to get the username. Turning this option on will make all usernames
# lowercase. Default is 0 (off).
$LTI{v1p1}{lowercase_username} = 0;
################################################################################################
# LTI 1.1 Preferred source of Student Id
################################################################################################
# If preferred_source_of_student_id is not set, WeBWorK will set student_id to be an empty
# string. You should use debug_lti_parameters in order to determine the value to use for your
# LMS.
# For example, in D2L, student_id is stored in OrgDefinedId and the corresponding LTI parameter
# is called ext_d2l_orgdefinedid.
$LTI{v1p1}{preferred_source_of_student_id} = "sis_login_id";
#$LTI{v1p1}{preferred_source_of_student_id} = 'ext_d2l_orgdefinedid';
################################################################################################
# LTI 1.1 Basic Authentication Parameters
################################################################################################
# This "shared secret" is entered in the LMS request form and needs to be match the entry here.
# This is used to validate all requests between the LMS and WeBWorK.
# You should choose your own secret word for security and should treat it like a password.
$LTI{v1p1}{BasicConsumerSecret} = "redacted"; #This must be set
# The purpose of the LTI nonces is to prevent man-in-the-middle attacks. The NonceLifeTime (in
# seconds) must be short enough to prevent at least casual man-in-the-middle attacks but long
# enough to accommodate normal server and networking delays (and perhaps non-synchronization of
# server time clocks).
$LTI{v1p1}{NonceLifeTime} = 60; # in seconds
# This allows you to override the URL that Oauth will use to validate the authentication. This
# is important if you have some sort of setup (e.g. load distributing) where the path in the LMS
# does not match the path that ends up in the webwork page.
#$LTI{v1p1}{OverrideSiteURL} = '';
# This is like $LTI{v1p1}{OverrideSiteURL}, except that you only declare the protocol and domain
# to replace and leave the rest of a URL alone. If somehow both are set in the config chain,
# $LTI{v1p1}{OverrideSiteURL} is used, without being modified by the below.
#$LTI{v1p1}{OverrideSiteProtocolDomain} = 'https://canvas.svsu.edu';
#$LTI{v1p1}{OverrideSiteProtocolDomain} = 'https://vmwebwork42.myschool.edu';
################################################################################################
# LTI 1.1 LMS Roles Mapped to WeBWorK Roles
################################################################################################
# You may need to customize this hash to take into account the roles that are used in your LMS.
# Set the debug_lti_parameters flag to see what roles are being reported to WeBWorK by your LMS.
$LTI{v1p1}{LMSrolesToWeBWorKroles} = {
'librarian' => 'guest',
'observer' => 'guest',
'visitor' => 'guest',
'Guest' => 'guest',
'Designer' => 'professor',
'instructor' => 'professor',
'Instructor' => 'professor',
'Faculty' => 'professor',
'Teacher' => 'professor',
'Student' => 'student',
'Learner' => 'student',
'student' => 'student',
'AI/TA' => 'ta',
'TA' => 'ta',
'Teaching Assistant' => 'ta',
'Teaching Assistant (TA)' => 'ta',
'Non-editing teacher' => 'ta',
'Grader' => 'ta',
};
################################################################################################
# Local routine to modify users
################################################################################################
# When users are added to the system WeBWorK will do its best to fill out user information.
# However, institutions can add code to the following routine to set fields not normally set by
# WeBWorK. E.G. The student ID field.
#$LTI{v1p1}{modify_user} = sub {
# The self object from LTIAdvanced.pm
#my $self = shift;
# The user object to be modified
#my $user = shift;
#my $r = $self->{r};
#my @course_id = split / /, $r->param("context_title");
#$user->{"section"} = $course_id[2];
#};
# # The self object from LTIAdvanced.pm
# my $self = shift;
# # The user object to be modified
# my $user = shift;
#
# # Parse context_id for additional information. E.G.
# my @course_id = split /-/, $self->{context_id};
# $user->{section} = $course_id[4];
#};
################################################################################################
# Local routine to modify user sets
################################################################################################
# When users are added to the system they are also assigned all visible sets This routine can be
# used to modify the sets before they are assigned. E.G. extend due dates based off the number
# of problems students have to do
#$LTI{v1p1}{modify_user_set} = sub {
# # The self object from LTIAdvanced.pm
# my $self = shift;
# my $globalSet = shift;
# # The userSet object to be modified
# my $userSet = shift;
#
# my $numberOfSetsAssigned = $self->{numberOfSetsAssigned};
# my $daysPerSetMakeup = 2;
# my $reasonableNumberOfDays = $numberOfSetsAssigned*$daysPerSetMakeup + 1;
# if ($reasonableNumberOfDays < 2) { $reasonableNumberOfDays = 2; }
# my $niceDueTime = $globalSet->due_date + $reasonableNumberOfDays * 86400;
# my $niceAnswerTime = $niceDueTime + 600;
#
# $userSet->due_date($niceDueTime);
# $userSet->answer_date($niceAnswerTime);
#};
# Do not change this.
$LTI{v1p1}{grader} = 'WeBWorK::Authen::LTIAdvanced::SubmitGrade';
1; # final line of the file to reassure perl that it was read properly.
Anybody has any idea what am I doing wrong?
Thank you!