WeBWorK Main Forum

LTI authentication allows any instructor into any course?

by Michael Shulman -
Number of replies: 4
A colleague of mine discovered that with LTI authentication, any instructor who manages any LTI course can add themselves (and potentially their students) to any webwork course. They just follow the directions for creating a webwork tool-provider link, using the URL for that course rather than their own. (Then to get themselves in by clicking this link, they may have to switch to "student view".) That is, there is no verification of any linkage between the instructor of the LTI course and the instructor of the webwork course.

(Actually I only know that this works for Blackboard, but I assume other LTIs behave similarly.)

Is this intentional? It's not much of a security problem, as the LTI only creates student-level accounts; but I could imagine an instructor being unhappily surprised that colleagues could snoop on their webwork problem sets without permission. And I could also imagine it happening by accident, e.g. if someone creates their LTI link by copy-pasting from someone else's without thinking.

In reply to Michael Shulman

Re: LTI authentication allows any instructor into any course?

by Sean Fitzpatrick -
If this is the case, I think you're not using the default LTI configuration. In authen_LTI.conf there's a setting for account creation cutoff. By default, I think this is set to student.

An instructor can't use the LTI link unless they're already added in WeBWorK.

In reply to Sean Fitzpatrick

Re: LTI authentication allows any instructor into any course?

by Michael Gage -
I believe that Blackboard will attempt to add a Blackboard instructor to the webwork class as a professor. If they are not already entered into the webwork class (via the direct webwork interface) this will fail.

However, any student coming from Blackboard and directed to a particular WeBWorK class will be added automatically. An instructor could possibly create a fake student in their class (if this is allowed by the Blackboard administrator) and add the student to WeBWorK. (I had to ask the Blackboard site administrator to create a fake student for me for testing, so this is probably not easy at most sites.)

On our site the shared secret between Blackboard and WeBWorK is set for the entire site on both the Blackboard and WeBWorK side. I have never worked on the Blackboard side of things but perhaps a site admin can set a different shared secret for each course. WeBWorK can certainly do that using course.conf. In that case privacy would be preserved at the expense of added hassle for setting up each course.

Does anyone have experience with Blackboard and the extent of its LTI capabilities?
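An added illustration, not WeBWorK's own code (which does this in Perl with Net::OAuth), of why the site-wide shared secret is the crux of this thread: a minimal LTI 1.1 (OAuth 1.0a, HMAC-SHA1) launch check in Python. With one secret for the whole site, a launch link pointing at someone else's course verifies just like any other; with a per-course secret (the course.conf approach above), a launch signed with another course's secret is rejected. Course names, URL, keys and launch parameters are all constructed for the example.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def _pct(s):
    # RFC 3986 percent-encoding as OAuth 1.0a requires ("/" is encoded too)
    return quote(str(s), safe="-._~")


def oauth_base_string(method, url, params):
    # Signature base string (RFC 5849 3.4.1): METHOD & URL & normalized params
    norm = "&".join(f"{_pct(k)}={_pct(v)}" for k, v in sorted(params.items()))
    return "&".join([method.upper(), _pct(url), _pct(norm)])


def sign_launch(method, url, params, secret):
    # LTI 1.1 launches have no token secret, so the HMAC key is "consumer_secret&"
    key = (_pct(secret) + "&").encode()
    mac = hmac.new(key, oauth_base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def launch_is_valid(method, url, params, secret_for_course):
    # Tool-provider side: recompute the signature with the secret that belongs
    # to the course named in the launch URL (assumed: last path segment)
    params = dict(params)
    presented = params.pop("oauth_signature", None)
    if presented is None:
        return False
    course = url.rstrip("/").rsplit("/", 1)[-1]
    expected = sign_launch(method, url, params, secret_for_course(course))
    return hmac.compare_digest(expected, presented)


def demo():
    url_x = "https://webwork.example.edu/webwork2/coursex"  # constructed
    launch = {"oauth_consumer_key": "lms-site", "oauth_signature_method": "HMAC-SHA1",
              "oauth_timestamp": "1700000000", "oauth_nonce": "n1", "oauth_version": "1.0",
              "lti_message_type": "basic-lti-launch-request", "lti_version": "LTI-1p0",
              "roles": "Learner", "user_id": "u42", "context_id": "other-instructors-lms-course"}
    # Site-wide secret: every LMS course signs with it, so a link to coursex verifies
    site_wide = lambda course: "site-secret"
    p = dict(launch, oauth_signature=sign_launch("POST", url_x, launch, "site-secret"))
    sitewide_ok = launch_is_valid("POST", url_x, p, site_wide)
    # Per-course secret (course.conf): a link signed with coursey's secret fails at coursex
    per_course = {"coursex": "secret-x", "coursey": "secret-y"}
    q = dict(launch, oauth_signature=sign_launch("POST", url_x, launch, "secret-y"))
    percourse_ok = launch_is_valid("POST", url_x, q, lambda c: per_course.get(c, ""))
    return sitewide_ok, percourse_ok
```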

In reply to Michael Gage

Re: LTI authentication allows any instructor into any course?

by Andras Balogh -
An instructor in Blackboard can "enter student preview" and yes, any instructor then can enter someone's WeBWorK course as a student using the same LTI authentication. I actually did that for testing purposes when a colleague of mine had problems with setting up the Blackboard link.

The newly created student account in WeBWorK cannot be deleted by the instructor acting as student, so it is not so much snooping around.

I don't know about different shared secrets for different courses.

Linking WeBWorK assignments one-by-one instead of the full course link can make it harder to get into someone's course.

In reply to Michael Shulman

Re: LTI authentication allows any instructor into any course?

by Alex Jordan -
Yes, everything you say is correct, at least with Desire2Learn at PCC. We discovered this too. A D2L user with the ability to create an External Learning Tool link could technically create one pointing to webwork course X, even if that D2L user has nothing to do with webwork course X. Then that person or any student in the D2L course where the ELT link was created could enter webwork course X as a student.

Here is why we are not too concerned.

Only D2L users with the ability to create External Learning Tools links could do this. Doing so intentionally would violate policy, and if the instructor of course X cared, the violator would be in serious trouble.

Doing so accidentally is unlikely to happen. If it does, it temporarily mucks up instructor X's grade book, which is not a big deal in the scheme of things. It also could mean the offending instructor's students might do work in the wrong webwork course. The offending instructor would be on the hook to make that right.

So far (after two years of LTI use) it hasn't happened.