WeBWorK Main Forum

Canvas LTI 1.3 Authentication for students with multiple Canvas roles

Re: Canvas LTI 1.3 Authentication for students with multiple Canvas roles

by Peter Lert -
Number of replies: 3

HI Alex,

Yes, exactly. I can't think of a situation where we would want a user in the Canvas course to authenticate to WW using "institution" role(s) rather than  "context" role(s), since the LTI context seems to be the equivalent of the Canvas course. The LTI context vocabulary term "membership" seems to be specific to context roles, so I think we should authenticate the account setup (for students) using only that keyword, so that line 375 would omit the reference to "institution".

If LMS folks follow the LTI best practice, this approach should also work if a school decides to use LTI sub-roles. The LTI spec recommends: "Whenever a platform specifies a sub-role, by best practice it should also include the associated principal role; for example, by best practice, a platform specifying the [sub-role] http://purl.imsglobal.org/vocab/lis/v2/membership/Instructor#TeachingAssistant role should always also specify the [principal] http://purl.imsglobal.org/vocab/lis/v2/membership#Instructor role."

I see that you're one of the most active folks developing WW - thanks so much! - which means that you are likely aware of wider user needs than just what I see - which is now Canvas-specific. It may be that the inclusion of "institution" or "system" roles would be useful for others. One thought that I had was to allow for the LTI role to include the qualifiers of the LTI vocab item after the /lis/v2/: for example, institution/person#Observer, institution/person#Instructor, institution/person#Mentor, membership#Learner, membership#Mentor, membership#Instructor, system/person#SysAdmin. Different schools will use those disignations differently no doubt, but the WW mapping to WW roles should allow for a lot of flexibility. I suppose the cost would be that WW admins in various departments would have to deal with becoming cognizant of the LTI role details and their own school's translation from LMS roles (that they can see in the LMS) to LTI roles (which nobody really sees I think). Still, it may be a safer approach.

Thanks so much for looking into this!  --Peter


In reply to Peter Lert

Re: Canvas LTI 1.3 Authentication for students with multiple Canvas roles

by Peter Lert -

Hi Alex,

It looks like implementing this change has fixed the problem. Student access from Canvas is working now for students with other roles (e.g. TA, grader, mentor, peer tutor) in other Canvas courses. As you suggested, in:

/opt/webwork/webwork2/lib/WeBWorK/Authen/LTIAdvantage.pm

I commented line 375 (as shown here) and added the line that follows:

# grep {m!^http://purl.imsglobal.org/vocab/lis/v2/(membership|institution\/person)#!} @LTIroles;
grep {m!^http://purl.imsglobal.org/vocab/lis/v2/membership#!} @LTIroles;

If this code is incorrect in some way please let me know. It looks like student access from Canvas is working.

Thanks again!         --Peter


In reply to Peter Lert

Re: Canvas LTI 1.3 Authentication for students with multiple Canvas roles

by Alex Jordan -
There is a pull request in the pipeline to address this in a configurable way. You can see it here:
https://github.com/openwebwork/webwork2/pull/2591/files

I'm not sure how to advise you, but one option is to apply that patch instead of the change you made. Either way, be aware that at some point that PR will be merged and then the next time you git pull, you will have a conflict. I do think though, that if you make your local edit match the one in the PR, then you can `git stash; git pull; git stash apply` and it would go smoothly if the local change matches the official one.
In reply to Alex Jordan

Re: Canvas LTI 1.3 Authentication for students with multiple Canvas roles

by Peter Lert -

Thanks Alex. Your solution looks to me like the right approach, given the different ways that institutions use Canvas, and I appreciate your suggestion. Will follow.

Here's hoping you get a chance to enjoy the holiday! -- Peter