WeBWorK Main Forum

Canvas LTI 1.3 Authentication for students with multiple Canvas roles

by Peter Lert -
Number of replies: 5

We are continuing to implement WebWork v2.19 integration with Canvas via LTI 1.3. The latest challenge relates to sorting out roles between the 2 systems.

When users first attempt to access WW using a link properly configured in Canvas (which for a student can create their WW course account) the LTI integration supplies a list of several roles derived from Canvas roles. In terms of the LTI role vocabularies (see https://www.imsglobal.org/spec/lti/v1p3#roles-claim), these lists are a mix of institution roles, context roles, and system roles. It is my impression that the LTI spec encourages this behavior of supplying all of the user's roles as best practice. We see a mix of 3 institution roles: institution/person#Administrator, institution/person#Instructor, and institution/person#Student; 2 context roles: membership#Instructor and membership#Learner; and 1 system role: system/person#User. For most students this claim lists: institution/person#Student, membership#Learner, and system/person#User; and for most instructors the claim lists: institution/person#Instructor, membership#Instructor, and system/person#User. At present we have no TA users, and WW access by Canvas admin users is not a distinct concern.

Our problem occurs for a number of Math students who also serve as peer mentors, tutors, or TAs for courses in other departments. These students have additional roles in Canvas for those other courses, typically institution/person#Instructor. An example claim received from Canvas for one such student includes:

 "https://purl.imsglobal.org/spec/lti/claim/roles" => [
    "http://purl.imsglobal.org/vocab/lis/v2/institution/person#Instructor",
    "http://purl.imsglobal.org/vocab/lis/v2/institution/person#Student",
    "http://purl.imsglobal.org/vocab/lis/v2/membership#Learner",
    "http://purl.imsglobal.org/vocab/lis/v2/system/person#User"
  ],

When one of these students accesses WW for the first time from their Canvas Math course, the LTI 1.3 authentication process in /opt/webwork/webwork2/lib/WeBWorK/Authen/LTIAdvantage.pm attempts to create their account in the WW course. This code, in sub create_user, ignores any listed role from the LTI system vocabulary (system/person#User in the above case) and makes no distinction between listed roles from the context and institution vocabularies (the other three items shown). Sub create_user will create an account for the user's highest WW permission level role, as long as it is not above the WW role "student". This means that an account cannot be created for a student with context role membership#Learner (in the Math course) who also has an institution role institution/person#Instructor (as TA in another department), as shown above.

This is a problem since we want both to have LMS/LTI 1.3 integration with WW (so the privacy and security issues are handled in the University-wide context), and to have routine access to WW for all of our Math students. While our colleagues managing the new Canvas install and buildout for the entire campus have been most supportive, we cannot and should not expect them to make changes to their LTI implementation to handle our specific WW needs.

For our environment, it appears that we are only interested in context roles from Canvas (e.g. membership#Learner), because those will be specific to the Canvas course connecting to a given WW course. A student's role as a TA, or even as an instructor, in a different Canvas course is not relevant for the student's access to WW for the Math course. I assume that the present WW authentication behavior is useful for other environments, however, and conclude that we will need to use a modified version of create_user locally until a new version enabling this option is implemented.

Unless I'm mistaken. Has this issue been addressed, and even better solved, by someone else somewhere? If so, please post about your experience. I can't find a previous mention of this issue in the WW forum, the Canvas forum, or elsewhere. 

In reply to Peter Lert

Re: Canvas LTI 1.3 Authentication for students with multiple Canvas roles

by Alex Jordan -
Perhaps we should only be looking at "membership" roles. This would be at line 375 of webwork2/lib/WeBWorK/Authen/LTIAdvantage.pm.

I think that in your example, already that last "system/person" role is not considered. But line 375 would be inclusive of the first three.
In reply to Alex Jordan

Re: Canvas LTI 1.3 Authentication for students with multiple Canvas roles

by Peter Lert -

Hi Alex,

Yes, exactly. I can't think of a situation where we would want a user in the Canvas course to authenticate to WW using "institution" role(s) rather than "context" role(s), since the LTI context seems to be the equivalent of the Canvas course. The LTI context vocabulary term "membership" seems to be specific to context roles, so I think we should authenticate the account setup (for students) using only that keyword, so that line 375 would omit the reference to "institution".

If LMS folks follow the LTI best practice, this approach should also work if a school decides to use LTI sub-roles. The LTI spec recommends: "Whenever a platform specifies a sub-role, by best practice it should also include the associated principal role; for example, by best practice, a platform specifying the [sub-role] http://purl.imsglobal.org/vocab/lis/v2/membership/Instructor#TeachingAssistant role should always also specify the [principal] http://purl.imsglobal.org/vocab/lis/v2/membership#Instructor role."

I see that you're one of the most active folks developing WW - thanks so much! - which means that you are likely aware of wider user needs than just what I see - which is now Canvas-specific. It may be that the inclusion of "institution" or "system" roles would be useful for others. One thought that I had was to allow for the LTI role to include the qualifiers of the LTI vocab item after the /lis/v2/: for example, institution/person#Observer, institution/person#Instructor, institution/person#Mentor, membership#Learner, membership#Mentor, membership#Instructor, system/person#SysAdmin. Different schools will use those designations differently no doubt, but the WW mapping to WW roles should allow for a lot of flexibility. I suppose the cost would be that WW admins in various departments would have to deal with becoming cognizant of the LTI role details and their own school's translation from LMS roles (that they can see in the LMS) to LTI roles (which nobody really sees I think). Still, it may be a safer approach.

Thanks so much for looking into this!  --Peter


In reply to Peter Lert

Re: Canvas LTI 1.3 Authentication for students with multiple Canvas roles

by Peter Lert -

Hi Alex,

It looks like implementing this change has fixed the problem. Student access from Canvas is working now for students with other roles (e.g. TA, grader, mentor, peer tutor) in other Canvas courses. As you suggested, in:

/opt/webwork/webwork2/lib/WeBWorK/Authen/LTIAdvantage.pm

I commented line 375 (as shown here) and added the line that follows:

# grep {m!^http://purl.imsglobal.org/vocab/lis/v2/(membership|institution\/person)#!} @LTIroles;
grep {m!^http://purl.imsglobal.org/vocab/lis/v2/membership#!} @LTIroles;

If this code is incorrect in some way please let me know. It looks like student access from Canvas is working.

Thanks again!         --Peter
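The following is an added, stand-alone Perl example (not code from WeBWorK or from the posts above) that runs the role-claim filtering discussed in this thread end to end: the original line-375 regex (context or institution roles), the membership-only replacement, and a variant that also tolerates LTI sub-roles such as membership/Instructor#TeachingAssistant. The sample roles claim is the one quoted in the first post; the second sample claim, the permission levels in %ww_level, and the mapping in %lti_to_ww are constructed stand-ins for a site's real configuration, and account_decision only mirrors the behaviour of create_user as the thread describes it (highest mapped role, create only if not above "student").

```perl
#!/usr/bin/env perl
use strict;
use warnings;

my $VOCAB = 'http://purl.imsglobal.org/vocab/lis/v2/';

# Assumed permission levels and LTI-role-name -> WeBWorK-role mapping.
# Both are stand-ins for a site's real WeBWorK configuration, not WeBWorK's own tables.
my %ww_level  = (student => 0, ta => 5, professor => 10);
my %lti_to_ww = (
    Learner           => 'student',
    Student           => 'student',
    TeachingAssistant => 'ta',
    Instructor        => 'professor',
);

# Filter A: the original line 375 quoted in the thread (context OR institution roles).
sub filter_old { grep { m!^\Q$VOCAB\E(membership|institution/person)#! } @_ }

# Filter B: the membership-only replacement from the thread (context roles only).
sub filter_new { grep { m!^\Q$VOCAB\Emembership#! } @_ }

# Filter C: context roles including sub-roles, e.g. membership/Instructor#TeachingAssistant.
sub filter_context_with_subroles { grep { m!^\Q$VOCAB\Emembership(?:/[A-Za-z]+)?#! } @_ }

# The fragment after '#' is the role name looked up in %lti_to_ww.
sub role_name { my ($r) = @_; return $r =~ /#([A-Za-z]+)$/ ? $1 : undef }

# Mirror of the create_user behaviour described in the thread: map each surviving
# LTI role to a WeBWorK role, take the highest, and allow first-launch account
# creation only when that role is no higher than 'student'.
sub account_decision {
    my ($filter, @roles) = @_;
    my @ww = grep { defined } map { $lti_to_ww{ role_name($_) // '' } } $filter->(@roles);
    return { create => 0, role => undef, reason => 'no mappable role' } unless @ww;
    my ($top) = sort { $ww_level{$b} <=> $ww_level{$a} } @ww;
    return {
        create => ($ww_level{$top} <= $ww_level{student} ? 1 : 0),
        role   => $top,
    };
}

# Constructed sample 1: the student from the first post (Learner here, institution
# Instructor because of a TA role in another department's course).
my @mixed = map { $VOCAB . $_ } qw(
    institution/person#Instructor
    institution/person#Student
    membership#Learner
    system/person#User
);

# Constructed sample 2: a TA stated as a sub-role together with its principal role,
# as the LTI spec's best-practice text recommends.
my @ta = map { $VOCAB . $_ } qw(
    membership/Instructor#TeachingAssistant
    membership#Instructor
    system/person#User
);

my @filters = (
    [ 'old (ctx|inst)'   => \&filter_old ],
    [ 'new (ctx only)'   => \&filter_new ],
    [ 'ctx + sub-roles'  => \&filter_context_with_subroles ],
);

for my $sample ([ 'mixed-role student' => \@mixed ], [ 'TA sub-role' => \@ta ]) {
    my ($label, $roles) = @$sample;
    for my $f (@filters) {
        my ($name, $code) = @$f;
        my $d = account_decision($code, @$roles);
        printf "%-18s %-16s create=%d top=%s\n",
            $label, $name, $d->{create}, $d->{role} // '-';
    }
}
```

With the quoted claim, the old filter maps institution/person#Instructor to "professor", so the highest role is above "student" and no account is created; the membership-only filter sees only membership#Learner and creates the student account. For the sub-role sample, the membership-only regex does not match the sub-role URI itself, but because the platform also sends the principal membership#Instructor (the best practice quoted above), the outcome is the same as with the sub-role-aware filter: an instructor-level launch, which is correctly not auto-created as a student account.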


In reply to Peter Lert

Re: Canvas LTI 1.3 Authentication for students with multiple Canvas roles

by Alex Jordan -
There is a pull request in the pipeline to address this in a configurable way. You can see it here:
https://github.com/openwebwork/webwork2/pull/2591/files

I'm not sure how to advise you, but one option is to apply that patch instead of the change you made. Either way, be aware that at some point that PR will be merged and then the next time you git pull, you will have a conflict. I do think though, that if you make your local edit match the one in the PR, then you can `git stash; git pull; git stash apply` and it would go smoothly if the local change matches the official one.
In reply to Alex Jordan

Re: Canvas LTI 1.3 Authentication for students with multiple Canvas roles

by Peter Lert -

Thanks Alex. Your solution looks to me like the right approach, given the different ways that institutions use Canvas, and I appreciate your suggestion. Will follow.

Here's hoping you get a chance to enjoy the holiday! -- Peter