Sakai / SAK-43698

Add support for accepting an LTI13 KeySet url from Tools


    Details

    • 20 status:
      Please Merge
    • 19 status:
      Please Merge
    • Test Plan:

      I have updated all the test plans to reference the latest IMS Reference Implementation and Tsugicloud config, and work through everything using a keyset URL instead of a public/private key, in this commit:

      basiclti-docs/resources/docs/Advantage_TestPlan.xls

      https://github.com/sakaiproject/sakai/blob/master/basiclti/docs/IMS_RI.md

      https://github.com/sakaiproject/sakai/blob/master/basiclti/docs/TSUGI.md

      Description

      In the initial LTI 1.3 specification, the ability for a tool to publish its public key through a URL (a JWKS keyset URL) was not a required feature. Since the release of the spec it has become required in effect: Desire2Learn refused to register a tool without a keyset URL, and once tools had worked out how to serve a keyset URL they no longer wanted to hand out public keys any other way. The keyset URL is a universally better solution because it lets the tool rotate its public/private key pair with no involvement from the LMS: the platform simply picks, from the keyset, the key whose kid matches the incoming token.

      So the time has come for Sakai to implement and support this feature. Thankfully, the necessary data model fields have been in our database since Sakai 19 (SAK-40531), so it should be possible to roll this out in a minor release for both Sakai 19 and Sakai 20.

      When this feature is done, the preferred (more convenient and more secure) way to get a public key from a tool is through the tool's keyset URL. The tool should provide the keyset URL for you to enter when you first create the LTI 1.3 tool in the admin UI. If a keyset URL is given on the "Add" screen, Sakai will not auto-generate the legacy public/private key pair for the tool. If the tool cannot provide the keyset URL when it is being added, you can add the tool, then edit the entry later to add the keyset URL and delete the auto-generated public/private key pair. Once a tool has a keyset URL, the tool's public/private key entry is ignored and the runtime always retrieves the tool's public key from the keyset URL, selecting the key by the kid carried in the header of the incoming JWT id_token.
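      The kid-based lookup described above, as an added example that is not Sakai's own code (Sakai's LTI code is Java; this is a stand-alone Go program using only the standard library). Both sides are shown: the tool publishes a keyset and signs an id_token whose header carries a kid, and the platform picks the matching key out of the keyset and verifies the RS256 signature, refusing tokens whose alg is not RS256 or whose kid is absent from the keyset. The kids, claims and issuer URL are constructed for the demo; a real platform fetches the keyset over HTTPS from the URL configured for that tool and would normally cache it, re-fetching once on an unknown kid so that a rotation does not break launches.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding

// jwk is the subset of an RFC 7517 RSA JSON Web Key that an RS256 verifier needs.
type jwk struct {
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}

// keysetJSON renders what a tool's keyset URL serves; publishing several kids at once is what lets the tool rotate unaided.
func keysetJSON(keys map[string]*rsa.PublicKey) []byte {
	var set struct{ Keys []jwk `json:"keys"` }
	for kid, pub := range keys {
		set.Keys = append(set.Keys, jwk{Kty: "RSA", Kid: kid, N: b64.EncodeToString(pub.N.Bytes()),
			E: b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())})
	}
	out, _ := json.Marshal(set)
	return out
}

// signJWT is the tool side: a compact RS256 JWT whose header names the signing key by kid.
func signJWT(kid string, claims map[string]any, priv *rsa.PrivateKey) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// decodeSegment base64url-decodes one part of a compact JWT and unmarshals the JSON into v.
func decodeSegment(seg string, v any) error {
	return json.NewDecoder(base64.NewDecoder(b64, strings.NewReader(seg))).Decode(v)
}

// verifyWithKeyset is the platform side: select the key named by the token's kid from the
// keyset served at the tool's configured keyset URL, then check the RS256 signature.
func verifyWithKeyset(token string, keyset []byte) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed JWT")
	}
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if err := decodeSegment(parts[0], &hdr); err != nil {
		return nil, err
	}
	// Pin the algorithm before touching any key: the token must not get to pick "none" or an HMAC alg.
	if hdr.Alg != "RS256" || hdr.Kid == "" {
		return nil, fmt.Errorf("rejecting token with alg=%q kid=%q", hdr.Alg, hdr.Kid)
	}
	var set struct{ Keys []jwk `json:"keys"` }
	if err := json.Unmarshal(keyset, &set); err != nil {
		return nil, err
	}
	var pub *rsa.PublicKey
	for _, k := range set.Keys {
		nb, errN := b64.DecodeString(k.N)
		eb, errE := b64.DecodeString(k.E)
		if k.Kid == hdr.Kid && k.Kty == "RSA" && errN == nil && errE == nil {
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(nb), E: int(new(big.Int).SetBytes(eb).Int64())}
			break
		}
	}
	if pub == nil { // a real platform would re-fetch the keyset once here, in case the tool just rotated
		return nil, fmt.Errorf("kid %q not found in keyset", hdr.Kid)
	}
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("signature does not verify")
	}
	var claims map[string]any
	if err := decodeSegment(parts[1], &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

func main() {
	// Constructed demo: one published key, kid "2021-09", and a token signed with it.
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	set := keysetJSON(map[string]*rsa.PublicKey{"2021-09": &key.PublicKey})
	tok, _ := signJWT("2021-09", map[string]any{"iss": "https://tool.example"}, key)
	fmt.Println(verifyWithKeyset(tok, set))
}
```

      Note the order of checks: the alg is pinned before any key is consulted, and the kid only selects among keys served from the tool's configured keyset URL; the token never gets to name a key source of its own, which is why a keyset URL per tool is both more convenient and safer than a pasted public key.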


                  People

                  Assignee:
                  csev Charles Severance
                  Reporter:
                  csev Charles Severance
