WeBWorK Main Forum

Restrict LTI access from Moodle

Restrict LTI access from Moodle

by F. Heiderich -
Number of replies: 1
Our Moodle administrators do not allow professors to configure arbitrary LTI tools for privacy reasons (to prevent that personal data is shared with third parties), but only allow them to use so-called "preconfigured tools" (a Moodle term for mostly configured LTI activities, which allow to pass additional parameters depending on each activity).

I see two ways to use WeBWorKs LTI interface under this restriction:

1) Have one "preconfigured tool" for each WeBWorK course and disallow professors to configure other LTI tools. The disadvantage is that the Moodle administrators have to set them up individually and that they show up for all the Moodle users. This way some professors may accidentally add the predefined WeBWorK activities to their Moodle courses and students may accidentally enroll in these WeBWorK courses. This would be possible without any changed in WeBWorK, but we would like to avoid this.

2) One may have only one "preconfigured tool", which would contain a generic URL such as


and the LTI secret. We would like to pass the WeBWorK course name as a parameter to WeBWorK. These parameters can be different for each activity that uses this "predefined tool". This way professors would only need to provide their WeBWorK course name as a parameter for the preconfigured tool in Moodle. Moodle would then call WeBWorK using a URL such as


instead of


or pass the pair course=mycourse using a POST request (I do not know whether a GET or POST request is generated by Moodle). Is something like this already possible with WeBWorKs LTI interface? If not, what do you thing about such an implementation? It it feasible?

One might also want to restrict LTI access to the WeBWorK server on a per-course level to prevent WeBWorK courses being accessed from courses in the LMS that are not meant to access them. Currently it seems that the LTI secret is enough to access a WeBWorK server. So if you share the LTI secret with professor A who reads course A to set up an LTI connection in the LMS, he may as well set up a LTI connection to course B on the same WeBWorK server. Is there a way to prevent this? Would it be easy to add course specific passwords in WeBWorK to restrict the LTI access? Or could the LTI secret be defined on a per-course level?
In reply to F. Heiderich

Re: Restrict LTI access from Moodle

by Danny Glin -
Method 2 already works with Moodle. When your administrators set up the preconfigured tool, they enter a base URL for the tool (see the attached screenshot). Any URL which starts with that base will automatically use the settings for that tool.

It would look something like this: the administrator sets the base URL to https://webwork.school.edu/webwork2. The instructor then sets up a link to the external tool using https://webwork.school.edu/webwork2/course_name (or directly to the assignment if you are using the grade passback per assignment). Because the first part of the URL matches the base URL, it automatically inherits the settings for that tool (particularly the shared secret).

Your concern at the bottom is a valid one. The way the WeBWorK code is written right now, if LTI is enabled server-wide, then the shared secret is enough to get you access to any course. One security feature that is in place is the ability to limit the automatic creation of permissioned accounts via LTI. By default new accounts are only created up to the role of TA, so someone linking to the wrong course wouldn't be able to create a professor account for themselves.

I believe that all of the LTI configuration (enabling LTI and/or setting the shared secret) can be done at the course level. You can put the configuration items in course.conf for an individual course. There are two approaches to this:
  1. Set everything up in the system-wide configuration file (in the /opt/webwork/webwork2/conf directory), and then override it on a course-by-course basis as necessary using course.conf. This allows you to have it set up once for the whole server, but means that by default things will be enabled for all courses.
  2. Don't enable LTI globally. Instead paste the entire configuration into course.conf. The benefit is that you can only have LTI enabled in specific courses, but it means having to maintain a separate configuration for each course.

Attachment Screen_Shot_2017-03-31_at_10.10.57_AM.png