Difference between revisions of "LTI-Basic Authentication"

From WeBWorK_wiki
Jump to navigation Jump to search
m
 
(10 intermediate revisions by 3 users not shown)
Line 1: Line 1:
  +
  +
{{Historical}}
  +
  +
=== This is a deprecated mechanism ===
  +
  +
'''WARNING''' This old option for LTI authentication is no longer being maintained.
  +
  +
You probably should look at [[LTI-Advanced_Authentication]] and not at this page.
  +
  +
=== Background ===
   
 
The Learning Tools Interoperability (LTI) protocols provide a means to interface
 
The Learning Tools Interoperability (LTI) protocols provide a means to interface
Line 23: Line 33:
 
The perl module WeBWorK::Authen::LTIBasic and instructions for additions
 
The perl module WeBWorK::Authen::LTIBasic and instructions for additions
 
and modifications to other WeBWorK modules and configuration files
 
and modifications to other WeBWorK modules and configuration files
will be posted on the MAA WeBWorK site by the end of May.
+
are available from the MAA's WeBWorK SVN site and from www.github.com;
  +
see below for details..
   
 
If your institution uses an LMS that has support for Basic LTI (i.e., LTI 1.0)
 
If your institution uses an LMS that has support for Basic LTI (i.e., LTI 1.0)
Line 34: Line 44:
 
=== Obtaining the LTI Authentication package ===
 
=== Obtaining the LTI Authentication package ===
   
The package is, at this time, not in the trunk distribution.
+
The package is, at this time, not in the trunk distribution, although
Instead, the package may be obtained either from the
+
that may change later this summer (2012).
  +
Presently, the package may be obtained either from the
 
SVN [system]/branches/wheeler/webwork2 branch or from
 
SVN [system]/branches/wheeler/webwork2 branch or from
the github http://www.github.com/wheeler/webwork2.
+
the github http://www.github.com/whwheeler/webwork2.
   
There are six files in the package:
+
There are nine files in the package:
   
webwork2/lib/global.conf.dist
+
webwork2/conf/global.conf.dist
 
webwork2/lib/WeBWorK/Authen.pm
 
webwork2/lib/WeBWorK/Authen.pm
 
webwork2/lib/WeBWorK/Authen/LTIBasic.pm
 
webwork2/lib/WeBWorK/Authen/LTIBasic.pm
 
webwork2/lib/WeBWorK/Authen/Basic_TheLastOption.pm
 
webwork2/lib/WeBWorK/Authen/Basic_TheLastOption.pm
  +
webwork2/lib/WeBWorK/Authz.pm
 
webwork2/lib/WeBWorK/DB.pm
 
webwork2/lib/WeBWorK/DB.pm
 
webwork2/lib/WeBWorK/ContentGenerator/Login.pm
 
webwork2/lib/WeBWorK/ContentGenerator/Login.pm
  +
webwork2/lib/WeBWorK/ContentGenerator/Logout.pm
  +
webwork2/bin/ww_purge_old_nonces
   
 
=== Installing the LTI Authentication package ===
 
=== Installing the LTI Authentication package ===
   
First, one must install the Perl module Net::oauth , which is available from CPAN.
+
First, one must install the Perl module Net::OAuth , which is available from CPAN.
 
Depending on one's installation, one may also have to install several prerequisites
 
Depending on one's installation, one may also have to install several prerequisites
of Net::oauth.
+
of Net::OAuth.
   
The changes to Authen.pm are significant. They enable Authen
+
The changes to Authen.pm are significant, but they are backwards compatible. The changes enable Authen
   
 
to use an array of authentication hashes so that Authen
 
to use an array of authentication hashes so that Authen
Line 64: Line 77:
   
 
(Heretofore, using the Key database was the only method for session management.
 
(Heretofore, using the Key database was the only method for session management.
But that requires obtaining a write lock for the Keys table, which can be problematical
+
But that requires obtaining a write lock for the Keys table for every request, which can be problematical
 
under heavy loads.)
 
under heavy loads.)
   
 
The changes to global.conf.dist configure
 
The changes to global.conf.dist configure
 
the LIT Basic environment,
 
the LIT Basic environment,
the sequence of Authentication modules to be tried, and
+
the sequence of Authentication modules to be tried,
  +
whether to require absolutely an external authentication
  +
or to permit password authentication,and
 
the type of session management.
 
the type of session management.
   
Line 76: Line 89:
 
The exception arises from the incompatibility between the roles
 
The exception arises from the incompatibility between the roles
 
supported by WeBWorK and the roles that may be passed from the
 
supported by WeBWorK and the roles that may be passed from the
local Course Management System.
+
local Course Management System. The LTIBasic module does require
+
that the CMS provide at least one of the two parameters
   
  +
lis_person_sourcedid (or one of its spelling variants
  +
lis_person_sourced_id, lis_person_source_id, lis_person_sourceid) and
  +
  +
lis_person_contact_email_primary
  +
  +
in order to construct the WeBWorK username.
  +
 
The change to DB.pm is a minor change to enable WeBWorK to write "nonces" to the Key database.
 
The change to DB.pm is a minor change to enable WeBWorK to write "nonces" to the Key database.
   
The change to Login.pm is to suppress the Remember option for an enduring non-session cookie
 
  +
The changes to Login.pm
if a site is using session cookies rather than the Key database for session management.
 
  +
enable it to present one of three possible screens:
  +
  +
(i) present a message that one must use an external authentication system,
  +
(ii) present the traditional password authentication screen but without
  +
the "Remember Me" option if session_cookies are used for session management, and
  +
(iii) present the traditional password authentication screen with the
  +
"Remember Me" option if the Key database is used for session management
  +
(heretofore, the only option).
  +
  +
The changes to Logout.pm enable it to present a screen with
  +
an appropriate message and, if, password authentication
  +
is an option for the site, also present a "Login Again"
  +
button that should lead to the password authentication
  +
screen of Login.pm
   
 
=== Configuring the LTI authentication package ===
 
=== Configuring the LTI authentication package ===
Line 108: Line 141:
 
$LTIBasicConsumerSecret = "webworkLTIB";
 
$LTIBasicConsumerSecret = "webworkLTIB";
   
For instructions on configuring the Learning Management System's LTI tool,
 
  +
These parameters could be set in global.conf for the WeBWorK server as a whole
  +
and then overridden in individual course.conf files.
  +
  +
For instructions on configuring the CMS/Learning Management System's LTI tool,
 
please see the example below in the section
 
please see the example below in the section
 
"[[Instructions for using LTI Basic to connect to the IU Bloomington WebworkLTIBasic site]]".
 
"[[Instructions for using LTI Basic to connect to the IU Bloomington WebworkLTIBasic site]]".
Line 115: Line 151:
   
 
In order for an LMS to use LTI Basic to authenticate to WeBWorK, the LMS
 
In order for an LMS to use LTI Basic to authenticate to WeBWorK, the LMS
must pass the lis_person_sourcedid or the lis_person_contact_email_primary parameters.
+
must pass the lis_person_sourcedid (or one of its spelling variants mentioned above)
  +
and/or the lis_person_contact_email_primary parameters.
  +
If only one of them is passed, then its value will be used for
  +
a user's WeBWorK username. If both are passed, then which one
  +
will be used for the username is determined by the value
  +
of the course environment variable $preferred_source_of_username.
  +
If that variable is undefined and both parameters are present,
  +
then the lis_person_contact_email_primary parameter will be used
  +
for the username.
  +
  +
If the CMS/LMS passes both of these parameters so that the WeBWorK administrator/instructor
  +
does have the choice as to which one to use for the username, then the
  +
decision may be made as follows. The primary concerns are (i) the necessity for the uniqueness
  +
of the username across the entire population of possible site users and (ii)
  +
compatibility with the institution's practices regarding usernames.
  +
If the site will only be used by users from one institution and lis_person_sourcedid
  +
passes the institution's usernames, then using lis_person_sourcedid will
  +
maximize compatibility with the institution and facilitate returning
  +
information to the CMS/LMS. On the other hand, if the site will
  +
be used by users from different institutions which assign usernames
  +
independently of one another, then lis_person_contact_email_primary
  +
should be used as the source of the WeBWorK username.
 
If the lis_person_sourcedid parameter is present, then its value is used as
 
If the lis_person_sourcedid parameter is present, then its value is used as
 
the WeBWorK username. Otherwise, the value of the lis_person_contact_email_primary
 
the WeBWorK username. Otherwise, the value of the lis_person_contact_email_primary
 
is used as the username.
 
is used as the username.
  +
  +
In order to identify the WeBWorK "section", the LMS's LTI should be configured
  +
to pass an optional "section=xxxx" parameter. Because "section" is not
  +
one of the official LTI parameters, the CMS/LMS will pass it in the form
  +
"custom_section". BUT in configuring the CMS/LMS LTI tool, one usually
  +
just has to specify an optional "section=xxxx" parameter and
  +
the LTI tool will insert the "custom_" prefix.
  +
  +
Similarly, if there is to be a recitation value that will be assigned
  +
to all of the students in an LMS section site, then that value may be passed
  +
to WeBWorK by passing an optional "recitation=xxxx". As with the section
  +
parameter, the CMS/LMS LTI tool should insert a "custom_" prefix so that the
  +
parameter will actually be passed as "custom_recitation=xxxx".
  +
  +
One should never oneself insert the "custom_" prefix unless
  +
the local CMS/LMS administration tells one to do so.
  +
  +
In addition, an optional subroutine for analyzing the "context_id" and setting
  +
WeBWorK parameters may be declared for the installation as a whole (in global.conf)
  +
or for an individual site (in the site's course.conf file). Two examples
  +
of such subroutines may be found in the comments in global.conf.dist.
   
 
According to the IMS LTI 1.0 specifications, when a user authenticates via LTI
 
According to the IMS LTI 1.0 specifications, when a user authenticates via LTI
Line 135: Line 192:
 
Management System are coarser than the roles used by the Learning Tool.
 
Management System are coarser than the roles used by the Learning Tool.
 
For example, the default implementation of LTI in the Sakai LMS passes
 
For example, the default implementation of LTI in the Sakai LMS passes
only two roles, "student" and "teacher" regardless of the roles that
+
only two roles, "Learner" and "Instructor" regardless of the roles that
 
the Sakai LMS uses internally. Accordingly, the Sakai roles of
 
the Sakai LMS uses internally. Accordingly, the Sakai roles of
 
visitor, guest, and student are all collapsed in the LTI to just the role
 
visitor, guest, and student are all collapsed in the LTI to just the role
of student. The Sakai roles of TA, Librarian, Assistant, Teacher, and
+
of Learner. The Sakai roles of TA, Librarian, Assistant, Teacher, and
(System) Administrator are all collapsed to the single role of teacher.
+
(System) Administrator are all collapsed to the single role of Instructor.
 
This is obviously unsatisfactory for WeBWorK. For instance, at Indiana University,
 
This is obviously unsatisfactory for WeBWorK. For instance, at Indiana University,
many more than 100 and perhaps as many as 200 of the staff of the University
+
perhaps 100-200 of the staff of the University's
 
Information Technology Service across the eight campuses throughout the state
 
Information Technology Service across the eight campuses throughout the state
 
have Administrator privileges in the University's Sakai LMS, some of whom
 
have Administrator privileges in the University's Sakai LMS, some of whom
are students who help staff Help Desks. If the LTI specification were followed
+
may be students who help staff Help Desks. If the LTI specification were followed
strictly, then all of these staff members would have Teacher privileges
+
strictly, then all of these staff members would have Instructor (= WeBWorK-professor) privileges
 
in all of the WeBWorK sites. This is untenable.
 
in all of the WeBWorK sites. This is untenable.
   
Line 151: Line 208:
   
 
If a previously unknown
 
If a previously unknown
user authenticates via LTI, that person is assigned a role of "student"
+
user authenticates via LTI and the WeBWorK role/permission level that
in WeBWorK and of the information transmitted with the authentication,
+
corresponds to the role(s) that the LMS passes is less than or equal
e.g., first name, last name, username, id, email address, etc., is used
+
to the WeBWorK "ta" level, then that person is assigned that corresponding permission level
to set the corresponding data fields in WeBWorK.
+
in WeBWorK, and the information transmitted with the authentication,
  +
e.g., first name, last name, id, email address, etc., is used
  +
to set the corresponding data fields in WeBWorK.
  +
  +
If a previously unknown user authenticates via LTI and the WeBWorK role/permission
  +
level that corresponds to the role(s) that the LMS passes is greater
  +
than the WeBWorK "ta" level, then the authentication is rejected with
  +
an error message to the effect that the user has not previously been
  +
approved to have that permission level.
   
If a known user who has a WeBWorK role of student or less authenticates
+
If a known user authenticates
 
via LTI, then the accompanying demographic information, e.g., first name, last name,
 
via LTI, then the accompanying demographic information, e.g., first name, last name,
id, email address (but not username) is compared to the existing
+
id, email address (but not username of course) is compared to the existing
 
WeBWorK data, and if there are any discrepancies, then the new data
 
WeBWorK data, and if there are any discrepancies, then the new data
replaces the old data.
+
replaces the old data. If the existing WeBWorK permission level is greater
  +
than that of a student, then it is not change. If the WeBWorK permission
  +
level is greater than that of a student and the existing section is not "Admin",
  +
then it is changed to "Admin".
   
If a known user who has a WeBWorK role greater than that of a student
 
  +
(The mapping of LMS roles to WeBworK roles/permission levels is specified
authenticates via LTI, then the accompanying demographic information
 
  +
for an installation in the global.conf file and may be further modified
is ignored.
 
  +
in a site's course.conf file.)
   
 
Consequently, it is imperative that users who are to have WeBWorK roles
 
Consequently, it is imperative that users who are to have WeBWorK roles
 
higher than that of students, e.g., proctors, TA's, instructors, etc.,
 
higher than that of students, e.g., proctors, TA's, instructors, etc.,
must be installed by the existing WeBWorK facilities. Ideally,
+
be installed by the existing WeBWorK facilities rather than relying on the
  +
roles passed by the LMS. Ideally,
 
this should happen before the individual first authenticates
 
this should happen before the individual first authenticates
 
via LTI. But if a privileged user, e.g., a TA, does happen
 
via LTI. But if a privileged user, e.g., a TA, does happen
Line 176: Line 233:
   
   
In addition, hen a wnew user first authenticates to WeBWorK via LTI, the LTIBasic
+
In addition, when a new user first authenticates to WeBWorK via LTI, the LTIBasic
module will, in addition to adding the user as a student, will
+
module, in addition to adding the user, will
 
(attempt to) assign versions of all existing sets (both visible
 
(attempt to) assign versions of all existing sets (both visible
 
and invisible, both homework and tests/quizzes) to the new user.
 
and invisible, both homework and tests/quizzes) to the new user.
Furthermore, if the configuration variable
+
Furthermore, if the course environment variable
   
 
$adjustDueDatesForLateAdds = "1";
 
$adjustDueDatesForLateAdds = "1";
Line 186: Line 243:
 
then LTIBasic will compute the number of assigned
 
then LTIBasic will compute the number of assigned
 
problems in all of the closed sets, i.e., those whose due dates
 
problems in all of the closed sets, i.e., those whose due dates
have passes, will divide that total by the value of the
+
have passed, will divide that total by the value of the
 
configuration variable
 
configuration variable
   
Line 200: Line 257:
 
that are assigned to students who add the course
 
that are assigned to students who add the course
 
after the first quiz or test.
 
after the first quiz or test.
  +
  +
=== Notes ===
  +
  +
The LTI parameter "consumer_key" is a required LTI parameter but
  +
it is not as directly involved in the LTI OAuth authentication
  +
as the name "key" would suggest and as is the consumer_secret.
  +
The purpose of the "consumer_key" is to transmit to the Learning Tool
  +
a parameter that can be used to retrieve information, perhaps from a database
  +
using the consumer_key as the database_key, that may be relevant
  +
to the authentication process, e.g., retrieving the consumer_secret from a database.
  +
  +
For instance, if one were hosting a WeBWork site that supported
  +
users from several institutions, then one might assign each
  +
institution a unique consumer_key and consumer_secret and
  +
then use the consumer_key transmitted by the LMS (i) to retrieve
  +
that consumer_secret that is part of the OAuth authentication
  +
from that institution and (ii) to customize the appearance
  +
of the WeBWorK screen.
  +
  +
The LTI parameter oauth_nonce in combination with the oauth_timestamp is used by the OAuth authentication
  +
protocol as a defense against man-in-the-middle attacks. Each nonce
  +
that is received must be stored temporarily in the Key database in
  +
order to implement this man-in-the-middle defense. Because each
  +
LTIBasic login uses a unique nonce, the number of nonces in the Key database
  +
can grow quickly. A program ww_purge_old_nonces is provided in the
  +
webwork2/bin directory to purge these nonces. This program should be run
  +
daily via a cron job.
   
   
Line 213: Line 297:
 
Consumer key: webwork
 
Consumer key: webwork
   
Shared Secret: webworkLTIB
+
Shared Secret: WeBWorKLTIB
   
 
Also, the LTI Basic tool must send a username and/or an email address,
 
Also, the LTI Basic tool must send a username and/or an email address,
Line 221: Line 305:
 
lis_person_contact_email_primary=username@school.edu
 
lis_person_contact_email_primary=username@school.edu
   
(lis_person_sourceid and lis_person_contact_email_primary
+
(lis_person_sourcedid and lis_person_contact_email_primary
 
are part of the LTI specification, so it should be possible
 
are part of the LTI specification, so it should be possible
 
fo the LTI Basic interface to send them, but some
 
fo the LTI Basic interface to send them, but some
Line 227: Line 311:
 
some tweaking.)
 
some tweaking.)
   
The WeBWorK::Authen::LTIBasic module
 
  +
The WebworkLTIBasic site is configured to use the lis_person_contact_email_primary
will use the value of the lis_person_sourceid parameter as the WeBWorK username
 
  +
parameter, if it is present, as the WeBWorK username, in order to guarantee that usernames are unique.
if it is present. If the lis_person_sourceid parameter is undefined,
+
If the lis_person_contact_email_primary parameter is undefined,
then the module will use the value of the lis_person_contact_email_primary parameter
+
then the module will use the value of the lis_person_sourcedid parameter
as the WeBWorK username.
+
as the WeBWorK username. (As mentioned above, WeBWorK will accept
  +
several variations on spelling of the lis_person_sourcedid parameter.)
  +
  +
In order to be added to the WebworkLTIBasic site, the role transmitted
  +
by the LMS should be that of a student or a Learner. For details,
  +
please see the discussion of roles above.
   
 
On the first occasion on which a user authenticates to a WeBWorK site
 
On the first occasion on which a user authenticates to a WeBWorK site
Line 292: Line 376:
 
lis_person_sourcedid parameter and/or the
 
lis_person_sourcedid parameter and/or the
 
lis_person_contact_email_primary parameter.
 
lis_person_contact_email_primary parameter.
  +
One can also check what role is being transmitted.
   
 
=== Note: Use Firefox 3.5 or later for the WebworkLTIBasic site ===
 
=== Note: Use Firefox 3.5 or later for the WebworkLTIBasic site ===
Line 297: Line 382:
 
We use MathML
 
We use MathML
 
for mathematics provided that the browser is Firefox 3.5 or later.
 
for mathematics provided that the browser is Firefox 3.5 or later.
  +
(We use a custom LaTeX to MathML converter.)
   
 
Internet Explorer will fail on our WeBWorK problems, because we use
 
Internet Explorer will fail on our WeBWorK problems, because we use
Line 307: Line 393:
   
 
=== Please send problem reports to wheeler@indiana.edu ===
 
=== Please send problem reports to wheeler@indiana.edu ===
  +
  +
[[Category:Authentication]]

Latest revision as of 16:28, 31 January 2022

This article has been retained as a historical document. It is not up-to-date and the formatting may be lacking. Use the information herein with caution.

This is a deprecated mechanism

WARNING This old option for LTI authentication is no longer being maintained.

You probably should look at LTI-Advanced_Authentication and not at this page.

Background

The Learning Tools Interoperability (LTI) protocols provide a means to interface a Learning Tool, e.g., WeBWorK, with a Learning Management System (LMS), e.g., Angel, Blackboard, Canvas, Moodle, and Sakai. The LTI protocols are defined by the IMS Global Learning Consortium (Learning Tools Interoperability home page).

Basic LTI (i.e., LTI 1.0) provides a protocol for authenticating from an LMS to a Learning Tool (LT) and passing information such as names, email addresses, and roles (e.g., Instructor, Learner) from the LMS to the LT. Basic LTI is roughly comparable to the initial Moodle-WeBWorK integration at the University of Rochester. Basic LTI is presently supported by most LMS's (see the table at the bottom of the page [http://www.imsglobal.org/cc/statuschart.cfm IMS Interoperability Conformance Certification Status]).

LTI 1.1 (full LTI) will (eventually) provide additional protocols for returning data from a LT to the LMS.

The WeBWorK group at Indiana University Bloomington began developing an LTI-Basic package for WeBWorK in the summer of 2011. We have used LTI-Basic for authentication from the Sakai LMS to WeBWorK since September, 2011. The perl module WeBWorK::Authen::LTIBasic and instructions for additions and modifications to other WeBWorK modules and configuration files are available from the MAA's WeBWorK SVN site and from www.github.com; see below for details..

If your institution uses an LMS that has support for Basic LTI (i.e., LTI 1.0) and you would like to begin testing how to use it to connect to WeBWorK, then we host a WeBWorK test site to which you may connect. Please skip to the "Instructions for using LTI Basic to connect to the IU Bloomington WebworkLTIBasic site".

Obtaining, Installing, Configuring, and Using the LTI Authentication package

Obtaining the LTI Authentication package

The package is, at this time, not in the trunk distribution, although that may change later this summer (2012). Presently, the package may be obtained either from the SVN [system]/branches/wheeler/webwork2 branch or from the github http://www.github.com/whwheeler/webwork2.

There are nine files in the package:

 webwork2/conf/global.conf.dist
 webwork2/lib/WeBWorK/Authen.pm
 webwork2/lib/WeBWorK/Authen/LTIBasic.pm
 webwork2/lib/WeBWorK/Authen/Basic_TheLastOption.pm
 webwork2/lib/WeBWorK/Authz.pm
 webwork2/lib/WeBWorK/DB.pm
 webwork2/lib/WeBWorK/ContentGenerator/Login.pm
 webwork2/lib/WeBWorK/ContentGenerator/Logout.pm
 webwork2/bin/ww_purge_old_nonces

Installing the LTI Authentication package

First, one must install the Perl module Net::OAuth , which is available from CPAN. Depending on one's installation, one may also have to install several prerequisites of Net::OAuth.

The changes to Authen.pm are significant, but they are backwards compatible. The changes enable Authen

 to use an array of authentication hashes so that Authen
 can try several authentication methods in sequence, e.g.,
 LIT Basic, then an institution's local Central Authentication System, and
 then just password authentication (provided by the Basic_TheLastOption.pm module), and
 to use either session_cookies or the Key database for session management.

(Heretofore, using the Key database was the only method for session management. But that requires obtaining a write lock for the Keys table for every request, which can be problematical under heavy loads.)

The changes to global.conf.dist configure

 the LIT Basic environment,
 the sequence of Authentication modules to be tried, 
 whether to require absolutely an external authentication
 or to permit password authentication,and
 the type of session management.

The LTIBasic.pm module implements the LTI 1.0 authentication protocol. It is compliant with the IMS specification with one exception. The exception arises from the incompatibility between the roles supported by WeBWorK and the roles that may be passed from the local Course Management System. The LTIBasic module does require that the CMS provide at least one of the two parameters

 lis_person_sourcedid (or one of its spelling variants
 lis_person_sourced_id, lis_person_source_id, lis_person_sourceid) and
 lis_person_contact_email_primary

in order to construct the WeBWorK username.

The change to DB.pm is a minor change to enable WeBWorK to write "nonces" to the Key database.

The changes to Login.pm enable it to present one of three possible screens:

 (i) present a message that one must use an external authentication system,
 (ii) present the traditional password authentication screen but without
 the "Remember Me" option if session_cookies are used for session management, and
 (iii) present the traditional password authentication screen with the
 "Remember Me" option if the Key database is used for session management
  (heretofore, the only option).

The changes to Logout.pm enable it to present a screen with an appropriate message and, if, password authentication is an option for the site, also present a "Login Again" button that should lead to the password authentication screen of Login.pm

Configuring the LTI authentication package

Configuring the LTI authentication package consists of modifying an installations global.conf file and the course.conf file of each site that will use LTI authentication.

The new LTI parameters have been grouped together at the bottom of the global.conf.dist file.

One should copy all of this section to the end of one's global.conf file. Then one should go through the section and select/set appropriate values for the parameters.

Two of the parameters must be set in each site's course.conf file. These parameters are

 #$LTIBasicToThisSiteURL = "URL to site", e.g.,
 $LTIBasicToThisSiteURL = "https://localserver/webwork2/DemoCourse";

and

 #$LTIBasicConsumerSecret = "Consumer Secret - shared with the Course Management Site", e.g.,
 $LTIBasicConsumerSecret = "webworkLTIB";

These parameters could be set in global.conf for the WeBWorK server as a whole and then overridden in individual course.conf files.

For instructions on configuring the CMS/Learning Management System's LTI tool, please see the example below in the section "Instructions for using LTI Basic to connect to the IU Bloomington WebworkLTIBasic site".

Using the LTI Authentication package

In order for an LMS to use LTI Basic to authenticate to WeBWorK, the LMS must pass the lis_person_sourcedid (or one of its spelling variants mentioned above) and/or the lis_person_contact_email_primary parameters. If only one of them is passed, then its value will be used for a user's WeBWorK username. If both are passed, then which one will be used for the username is determined by the value of the course environment variable $preferred_source_of_username. If that variable is undefined and both parameters are present, then the lis_person_contact_email_primary parameter will be used for the username.

If the CMS/LMS passes both of these parameters so that the WeBWorK administrator/instructor does have the choice as to which one to use for the username, then the decision may be made as follows. The primary concerns are (i) the necessity for the uniqueness of the username across the entire population of possible site users and (ii) compatibility with the institution's practices regarding usernames. If the site will only be used by users from one institution and lis_person_sourcedid passes the institution's usernames, then using lis_person_sourcedid will maximize compatibility with the institution and facilitate returning information to the CMS/LMS. On the other hand, if the site will be used by users from different institutions which assign usernames independently of one another, then lis_person_contact_email_primary should be used as the source of the WeBWorK username. If the lis_person_sourcedid parameter is present, then its value is used as the WeBWorK username. Otherwise, the value of the lis_person_contact_email_primary is used as the username.

In order to identify the WeBWorK "section", the LMS's LTI should be configured to pass an optional "section=xxxx" parameter. Because "section" is not one of the official LTI parameters, the CMS/LMS will pass it in the form "custom_section". BUT in configuring the CMS/LMS LTI tool, one usually just has to specify an optional "section=xxxx" parameter and the LTI tool will insert the "custom_" prefix.

Similarly, if there is to be a recitation value that will be assigned to all of the students in an LMS section site, then that value may be passed to WeBWorK by passing an optional "recitation=xxxx". As with the section parameter, the CMS/LMS LTI tool should insert a "custom_" prefix so that the parameter will actually be passed as "custom_recitation=xxxx".

One should never oneself insert the "custom_" prefix unless the local CMS/LMS administration tells one to do so.

In addition, an optional subroutine for analyzing the "context_id" and setting WeBWorK parameters may be declared for the installation as a whole (in global.conf) or for an individual site (in the site's course.conf file). Two examples of such subroutines may be found in the comments in global.conf.dist.

According to the IMS LTI 1.0 specifications, when a user authenticates via LTI from a Learning Management System (LMS) (e.g., Sakai, Moodle, and Blackboard) to a Learning Tool (LT) (e.g., WeBWorK), the Learning Tool is supposed to accept as valid all of the information that the Learning Management System passes to it. This includes demographic data, e.g., name, email address; custom information, e.g., section; and, most importantly, role information, e.g., student, guest, TA, librarian, teacher, administrator. If the user has not previously registered with the Learning Tool, then the Tool is supposed to accept the authentication from the Learning Management System as authorization to register the user with the Learning Tool with the role passed from the Learning Management System to the Learning Tool.

But this can cause significant problems if the roles passed by the Learning Management System are coarser than the roles used by the Learning Tool. For example, the default implementation of LTI in the Sakai LMS passes only two roles, "Learner" and "Instructor" regardless of the roles that the Sakai LMS uses internally. Accordingly, the Sakai roles of visitor, guest, and student are all collapsed in the LTI to just the role of Learner. The Sakai roles of TA, Librarian, Assistant, Teacher, and (System) Administrator are all collapsed to the single role of Instructor. This is obviously unsatisfactory for WeBWorK. For instance, at Indiana University, perhaps 100-200 of the staff of the University's Information Technology Service across the eight campuses throughout the state have Administrator privileges in the University's Sakai LMS, some of whom may be students who help staff Help Desks. If the LTI specification were followed strictly, then all of these staff members would have Instructor (= WeBWorK-professor) privileges in all of the WeBWorK sites. This is untenable.

Accordingly, the LTIBasic module proceeds as follows:

 If a previously unknown
 user authenticates via LTI and the WeBWorK role/permission level that
 corresponds to the role(s) that the LMS passes is less than or equal
 to the WeBWorK "ta" level, then that person is assigned that corresponding permission level
 in WeBWorK, and the information transmitted with the authentication,
 e.g., first name, last name, id, email address, etc., is used
 to set the corresponding data fields in WeBWorK.
 If a previously unknown user authenticates via LTI and the WeBWorK role/permission
 level that corresponds to the role(s) that the LMS passes is greater
 than the WeBWorK "ta" level, then the authentication is rejected with
 an error message to the effect that the user has not previously been
 approved to have that permission level.
 If a known user authenticates
 via LTI, then the accompanying demographic information, e.g., first name, last name,
 id, email address (but not username of course) is compared to the existing
 WeBWorK data, and if there are any discrepancies, then the new data
 replaces the old data.  If the existing WeBWorK permission level is greater
 than that of a student, then it is not change.  If the WeBWorK permission
 level is greater than that of a student and the existing section is not "Admin",
 then it is changed to "Admin".

(The mapping of LMS roles to WeBworK roles/permission levels is specified for an installation in the global.conf file and may be further modified in a site's course.conf file.)

Consequently, it is imperative that users who are to have WeBWorK roles higher than that of students, e.g., proctors, TA's, instructors, etc., be installed by the existing WeBWorK facilities rather than relying on the roles passed by the LMS. Ideally, this should happen before the individual first authenticates via LTI. But if a privileged user, e.g., a TA, does happen to authenticate via LTI before having been added via WeBWorK facilities, then the WeBWorK facilities for modifying users should be used to fix the user's permission, section, and other data.


In addition, when a new user first authenticates to WeBWorK via LTI, the LTIBasic module, in addition to adding the user, will (attempt to) assign versions of all existing sets (both visible and invisible, both homework and tests/quizzes) to the new user. Furthermore, if the course environment variable

 $adjustDueDatesForLateAdds = "1";

then LTIBasic will compute the number of assigned problems in all of the closed sets, i.e., those whose due dates have passed, will divide that total by the value of the configuration variable

 $reasonableProblemsPerDayMakeup = 15;

and extend all of the expired due dates by that number of days.

In practice, this is usually OK. But if any of the expired assignments were tests or quizzes, then this automatic extension may be unsatisfactory. The instructor should monitor the dates that are assigned to students who add the course after the first quiz or test.

Notes

The LTI parameter "consumer_key" is a required LTI parameter but it is not as directly involved in the LTI OAuth authentication as the name "key" would suggest and as is the consumer_secret. The purpose of the "consumer_key" is to transmit to the Learning Tool a parameter that can be used to retrieve information, perhaps from a database using the consumer_key as the database_key, that may be relevant to the authentication process, e.g., retrieving the consumer_secret from a database.

For instance, if one were hosting a WeBWork site that supported users from several institutions, then one might assign each institution a unique consumer_key and consumer_secret and then use the consumer_key transmitted by the LMS (i) to retrieve that consumer_secret that is part of the OAuth authentication from that institution and (ii) to customize the appearance of the WeBWorK screen.

The LTI parameter oauth_nonce in combination with the oauth_timestamp is used by the OAuth authentication protocol as a defense against man-in-the-middle attacks. Each nonce that is received must be stored temporarily in the Key database in order to implement this man-in-the-middle defense. Because each LTIBasic login uses a unique nonce, the number of nonces in the Key database can grow quickly. A program ww_purge_old_nonces is provided in the webwork2/bin directory to purge these nonces. This program should be run daily via a cron job.




Instructions for using LTI Basic to connect to the IU Bloomington WebworkLTIBasic site

Configure the LMS's LTI Basic tool with the following parameters:

 Domain/URL:  https://estudy11.iu.edu:8082/~estudy11/webwork2/WebworkLTIBasic
 Consumer key:  webwork
 Shared Secret:  WeBWorKLTIB

Also, the LTI Basic tool must send a username and/or an email address, in the form:

 lis_person_sourcedid=username
 lis_person_contact_email_primary=username@school.edu

(lis_person_sourcedid and lis_person_contact_email_primary are part of the LTI specification, so it should be possible fo the LTI Basic interface to send them, but some instances of LTI Basic interfaces (e.g., Canvas) require some tweaking.)

The WebworkLTIBasic site is configured to use the lis_person_contact_email_primary parameter, if it is present, as the WeBWorK username, in order to guarantee that usernames are unique. If the lis_person_contact_email_primary parameter is undefined, then the module will use the value of the lis_person_sourcedid parameter as the WeBWorK username. (As mentioned above, WeBWorK will accept several variations on spelling of the lis_person_sourcedid parameter.)

In order to be added to the WebworkLTIBasic site, the role transmitted by the LMS should be that of a student or a Learner. For details, please see the discussion of roles above.

On the first occasion on which a user authenticates to a WeBWorK site using LTIBasic, the WeBWorK::Authen::LTIBasic module will create the user record for the user and assign the user versions of all of the existing WeBWorK problem sets. For purposes of security, the user will be assigned a permission value of 0, regardless of the user's LMS role. This permission can subsequently be increased using the standard WeBWorK tools.

If one can use the LMS's LTI Basic tool in a debug mode that will show the parameters it is sending, then one can compare them to the following parameters that Sakai/Oncourse sends:


 BasicLTI Endpoint
 https://estudy11.iu.edu:8082/~estudy11/webwork2/WebworkLTIBasic
 BasicLTI Parameters:
 user_id=wheeler
 lis_person_name_full=William H. Wheeler
 context_id=a75a6608-3698-4b62-803d-063040fce113
 context_title=Math Tools Pages
 oauth_signature=cDU1GfReli3QDeprOJwWv23ukq0=
 oauth_nonce=468921706075144
 lti_message_type=basic-lti-launch-request
 resource_link_description=Linking to WeBWorK@IU
 resource_link_id=109f9125-c711-4151-8601-4567518aed82
 ext_sakai_serverid=esoncprd11
 roles=Instructor
 oauth_signature_method=HMAC-SHA1
 oauth_callback=about:blank
 lis_person_name_family=Wheeler
 lis_person_contact_email_primary=wheeler@indiana.edu
 context_label=Math Tools Pages
 basiclti_submit=Press to continue to external tool.
 lis_person_sourcedid=wheeler
 launch_presentation_locale=en_US
 ext_sakai_server=https://resources.oncourse.iu.edu
 ext_sakai_session=5757ec78346099f129bb771043d0d1d5134b16de4692e8a05332f7c7e79be50c24039d7b92e774cb
 oauth_timestamp=1331327382
 lis_person_name_given=William H.
 lti_version=LTI-1p0
 oauth_version=1.0
 oauth_consumer_key=webwork
 resource_link_title=WeBWorK LTI

Alternatively, in order to find out what parameters one's LTI Basic tool is sending, one may change the URL to

 https://estudy14.iu.edu:8082/~estudy14/oauthTest2.pl

One should get back a message that Oauth verification either succeeded or failed and then a list of the parameters that LTI Basic tool sent.

If the Oauth verification succeeded but one cannot connect to the WebworkLTIBasic site, then one should check whether the LTI Basic tool is sending the lis_person_sourcedid parameter and/or the lis_person_contact_email_primary parameter. One can also check what role is being transmitted.

Note: Use Firefox 3.5 or later for the WebworkLTIBasic site

We use MathML for mathematics provided that the browser is Firefox 3.5 or later. (We use a custom LaTeX to MathML converter.)

Internet Explorer will fail on our WeBWorK problems, because we use a mime type of XHTML + XML + SVG for WeBWorK problems.

With Safari and Chrome, the default WeBWorK display mode is "formatted text". (We'll be changing that this summer.)


Please send problem reports to wheeler@indiana.edu