Skip to main content

Authentication

note

This Authentication Scheme is for legacy (LTI-based) SDK components. We are transitioning to pure JS and React SDK components in v2.

You are responsible for ensuring that requests are signed using your secret. Here is a short list of LTI parameters that you should be validating before signing off on a launch request.

  1. The user is logged in with the same email they are attempting to launch with.
    1. lis_person_contact_email_primary and user_id
  2. The experience being launch (assessment player, item editor, exam builder, etc.) is appropriate for that user
    1. launch_url matches a known list per experience
  3. If an editing experience is being launched, the user has permission to create content in the target workspace
    1. oauth_consumer_key matches the APP_ID you would expect for the user
      1. See Terminology for details on how applications relate with workspaces.
  4. If the student experience is being launched, they have permission to take the exam being launched
  5. The user role being launched with is appropriate for that user
    1. roles is set to "Learner" or "Instructor" as appropriate.

In practice you will have code that looks something like

Client-Side Code

const service = new window.CampfireSDK.ItemEditor({
// ...
signingFunction:
  (launchUrl) => async (params) => {
    try {
      // this is a web request that return a signature
      // for the passed params
      const signer = await signCampfireLti(
        launchUrl,
        params,
      );

      return {
        ...params,
        oauth_signature: signer.data?.signCampfireLti.signature ?? "",
      };
    } catch (e) {
      console.error(e);
    }

    return params;
  },
})

Server-Side Code

import { generate } from "oauth-signature";

function mySigningEndpoint(req, current_user) {

  // check if user is who they say they are
  if (req.params.lis_person_contact_email_primary != current_user.email) {
    return { error: "wrong user" }
  }
  
  // check if user can launch the requested experience
  // launch_experience == "ITEM_EDITOR", etc.
  const launch_experience = get_launch_experience(req.params.launchUrl)
  if ( 
    !user_can_launch_experience(current_user, launch_experience)
   ) {
     return { error: "user not authorized to launch " + launch_experience }
   }
   
   // check if user has appropriate roles
   if (user_is_student(current_user)) {
     if (req.params.roles !== ["Learner"]) {
       return { error: "student is not authorized to launch as teacher" }
     }
   }
   
   // if the user is launching an exam, they have permission to
   // take (if they are a student) or administer (if they are a teacher)
   // that exam
   if (launch_experience === "ASSESSMENT_PLAYER") {
     const examId = getExamIdFromLaunchUrl(params.req.launchUrl);
     
     if ( !user_can_access_exam(current_user, exam_id ) {
       return { error: "user cannot access exam" } 
     }
   }
   
   const oauth_signature = generate(
      "POST",
      req.params.launchUrl,
      req.params,
      options.secretKey,
      undefined,
      { encodeSignature: false }
    )  
    
    return {
      ...params,
      oauth_signature
    }
}

Session Timeout

All launch session tokens expire in 8 hours.