-
Notifications
You must be signed in to change notification settings - Fork 39
Deploy: Configuration for LTI 1.3 Deployment
This document will soon be replaced when MyLA's new feature for LTI v1.3 configuration by URL is released. To preview the new document, see: Deploy: Configuration for LTI 1.3 Deployment NEW.
Your patience while these updates are made is appreciated. Your feedback is welcome.
To complete the steps in the next section, MyLA must be configured according to the project's README.md
document. It needs to be installed on a server that is accessible by Canvas.
To enable LTI launch requests, MyLA needs a public and private RS256 key pair in PEM format. For some LTI features, the LMS need to use a JWK format of the public key to communicate with MyLA, so that may be needed as well. For the most part, the JWK public key should not be used. It's safer to give a URL to MyLA's /lti/jwks/
service instead, which generates the JWK public key from the PEM public key on demand. It is still generated here mostly for the purposes of troubleshooting the configuration.
π‘ β When configuring MyLA's LTI support it is important to note that the two formats of public keys are used for different purposes.
- The public key PEM is used for LTI launch requests.
- The public key JWK is used by the LMS for secure communication with an already running LTI. That is usually to support LTI Advantage features, which MyLA does not yet support
There are currently two ways to generate those three key files.
MyLA includes a key generation program, createkeys
, that is available via the Django management tool, manage.py
. While MyLA is running in a Docker container, enter the following command to create key files:
docker exec -it student_dashboard python manage.py createkeys
The program will create the new key files in the same directory that holds the env.json
configuration file.
It will create three files with the suffixes _private.pem
and _public.pem
. By default, the two files will be named with a timestamp of the format YYYYmmddHHMMSS
, followed by one of the suffixes. To specify a name for the key files instead of a timestamp, use the --basename
option:
docker exec -it student_dashboard python manage.py createkeys --basename example
That will create key files named example_private.pem
and example_public.pem
.
A JWK (JSON Web Key) is a JSON data structure that represents a cryptographic key. In the LTI lifecycle, when the LMS needs to send requests to the tool, it must encrypt them with the tool's public key. In most cases, the LMS may request the public key from the tool using an unencrypted (but still secure) request. The tool will respond to the request by sending its public key encoded as part of a JWK Set (JWKS), which is an array of multiple JWK values.
Because the retrieval of the JWK is handled automatically, it is extremely rare that it would ever need to be saved in a file or manually inserted into an LTI configuration. However, some old LMSs may require it. This section is to support those old LMSs, otherwise it is useful for reference and debugging purposes.
The best and recommended way to get MyLA's JWK is to request it from the app's JWKS service. That will be at the URL https://myla-host.example.edu/lti/jwks/
. This can be requested from a web browser or a shell tool, like curl
. Note that the output from this service is JWKS, a set of JWK values. The set is a JSON array named keys
and the first value in the array is the JWK itself. For example, in the following excerpt or resultsβ¦
{"keys": [{"e": "AQAB", "kid": "E7TrLKmβ¦lNtEP44", "kty": "RSA", "n": "trfzXBAβ¦1gzJdOk", "alg": "RS256", "use": "sig"}]}
β¦the JWK is the valueβ¦
{"e": "AQAB", "kid": "E7TrLKmβ¦lNtEP44", "kty": "RSA", "n": "trfzXBAβ¦1gzJdOk", "alg": "RS256", "use": "sig"}
If the curl
and jq
shell tools are available, an example of a command to get the JWK from the set is:
curl https://myla-host.example.edu/lti/jwks/ | jq -c '.keys[0]'
π§ This section is for a new feature that has not yet been released.
MyLA includes a key generation program, getjwk
, that is available via the Django management tool, manage.py
. While MyLA is running in a Docker container, enter the following command to store the JWK in a file:
docker exec -it student_dashboard python manage.py getjwk
The program will create a JWK file in the same directory that holds the env.json
configuration file. It will be based on the public key that was available the last time MyLA was started.
It will create a file with the suffix _public-jwk.json
. By default, the file will be named with a timestamp of the format YYYYmmddHHMMSS
, followed by the suffix. To specify a name for the JWK file instead of a timestamp, use the --basename
option:
docker exec -it student_dashboard python manage.py getjwk --basename example
That will create a JWK file named example_public-jwk.json
.
Alternatively, if the JWK doesn't need to be saved to a file, getjwk
can dump it to the standard output of the terminal using the --dump
option:
docker exec -it student_dashboard python manage.py getjwk --dump
Note that the --basename
and --dump
options are mutually exclusive.
- The CSP block of the settings can be copied and should work "as-is".
- Change
"REPORT_ONLY"
to false if there are no console errors in the browser when testing - Also set
"CSRF_COOKIE_SECURE": true
when running on HTTPS.
β οΈ β The hostnamemyla-host.example.edu
appears several times in the following configuration examples. It must be replaced with the hostname of the computer on which MyLA is being tested.
-
There are a number of LTI settings including
-
"STUDENT_DASHBOARD_LTI" : true
This setting enables LTI support.
-
-
Create Developer keys (Go to Canvas "Key Settings" page, following these instructions)
Use ONE of the two following sections, "Manual Entry" or "Paste JSON"
Canvas currently offers three methods for entering the parameters for LTI key configuration:
- Paste JSON β This is the currently recommended method for MyLA
- Manual Entry β This works, but is not recommended, because it is easy to make mistakes
- Enter URL β MyLA support for this method is coming soon, but it's not available yet
-
Copy the following JSON and paste into the "LTI 1.3 Configuration" field
- Change the
title
anddescription
attributes, if desired.
π‘ β In the near future, the LTI specification will require JWK to be specified by URL only. To ensure compatibility, do not paste the contents of the JWK into a configuration property. Only use the
public_jwk_url
property to provide a URL to MyLA's JWK, likehttps://myla-host.example.edu/lti/jwks/
.{ "title": "My Learning Analytics Test", "scopes": [ "https://purl.imsglobal.org/spec/lti-ags/scope/lineitem", "https://purl.imsglobal.org/spec/lti-ags/scope/lineitem.readonly", "https://purl.imsglobal.org/spec/lti-ags/scope/result.readonly", "https://purl.imsglobal.org/spec/lti-ags/scope/score", "https://purl.imsglobal.org/spec/lti-nrps/scope/contextmembership.readonly", "https://canvas.instructure.com/lti/public_jwk/scope/update", "https://canvas.instructure.com/lti/account_lookup/scope/show", "https://canvas.instructure.com/lti/data_services/scope/create", "https://canvas.instructure.com/lti/data_services/scope/show", "https://canvas.instructure.com/lti/data_services/scope/update", "https://canvas.instructure.com/lti/data_services/scope/list", "https://canvas.instructure.com/lti/data_services/scope/destroy", "https://canvas.instructure.com/lti/data_services/scope/list_event_types", "https://canvas.instructure.com/lti/feature_flags/scope/show" ], "extensions": [ { "domain": "myla-host.example.edu", "platform": "canvas.instructure.com", "settings": { "platform": "canvas.instructure.com", "placements": [ { "default": "disabled", "placement": "course_navigation", "message_type": "LtiResourceLinkRequest", "target_link_uri": "https://myla-host.example.edu/lti/launch/" } ] }, "privacy_level": "public" } ], "public_jwk": {}, "description": "This is LTI key for LTI1.3", "custom_fields": { "user_username": "$User.username", "canvas_user_id": "$Canvas.user.id", "canvas_course_id": "$Canvas.course.id" }, "public_jwk_url": "https://myla-host.example.edu/lti/jwks/", "target_link_uri": "https://myla-host.example.edu/lti/launch/", "oidc_initiation_url": "https://myla-host.example.edu/lti/login/" }
- Change the
-
Redirect URIs:
https://myla-host.example.edu/lti/launch/
-
Target Link URI:
https://myla-host.example.edu/lti/launch/
-
OpenID Connect Initiation Url:
https://myla-host.example.edu/lti/login/
-
JWK Method: Public JWK URL
-
Public JWK URL:
https://myla-host.example.edu/lti/jwks/
π‘ β In the near future, the LTI specification will require JWK to be specified by URL only. To ensure compatibility, do not paste the contents of the JWK into a configuration property. Only use the
public_jwk_url
property to provide a URL to MyLA's JWK, likehttps://myla-host.example.edu/lti/jwks/
.
-
-
LTI Advantage Services: Enable all toggles
-
Additional Settings
-
Domain:
myla-host.example.edu
-
Custom Fields
user_username=$User.username canvas_user_id=$Canvas.user.id canvas_course_id=$Canvas.course.id
-
Privacy Level: Public
-
Placements: Choose "Course Navigation" only, remove any others added by default
- Course Navigation section
- Target Link URI:
https://myla-host.example.edu/lti/launch/
- Target Link URI:
- Course Navigation section
-
Click the "Save" button
-
Find the new key and click the β (pencil) icon to edit it.
-
Select the "Paste JSON" method if it's not selected already
-
In the "LTI 1.3 Configuration" field, find the "placements" array
-
In that array, add the following to the first object:
"default": "disabled",
That will prevent the tool from being installed in courses by default.
-
Whichever method in the section above is used to enter the configuration parameters, the following steps
-
Change "State" from OFF to ON for the newly created key
-
Install the MyLA tool in a course, subaccount, or root account as preferred, since with the default: disabled option the tool won't enabled in course navigation
-
Create new External App: "Settings -> Apps -> +App"
-
Choose "Configuration Type: by ClientID"
-
Insert "ClientID" from the created Key (value from Details column)
-
Update the settings in the
LTI_CONFIG
section ofenv.json
on the server hosting MyLA:"https://canvas.instructure.com": [ { "/* requests without ID from this platform use this config by default": "*/", "default": true, "/* from Canvas: Developer Keys -> value from Details column": "*/", "client_id": "ππππππππππππππ", "/* static auth_login_url URL from this platform": "*/", "auth_login_url": "http://canvas.instructure.com/api/lti/authorize_redirect", "/* static auth_token_url URL from this platform": "*/", "auth_token_url": "http://canvas.instructure.com/login/oauth2/token", "/* static URL to get public key from this platform": "*/", "key_set_url": "http://canvas.instructure.com/api/lti/security/jwks", "/* this tool's private key ": "*/", "private_key_file": "/secrets/example_private.pem", "/* this tool's public key ": "*/", "public_key_file": "/secrets/example_public.pem", "/* Go to Canvas where this tool installed, click on the setting button (a gear icon, similar to 'βοΈ'), click 'Deployment Id', copy it, and paste here": "*/", "deployment_ids": [ "π:ππππππππππππππππππππππππππππππππππππππππ" ] } ]
-
Enable the LTI in the Course navigation, depending on where the LTI tool (course, root account, or subaccount) has been installed
- Go to the course where MyLA was installed
- Settings -> Navigation
- Enable the MyLA tool and save
- Tool will appear in left navigation
After the configuration changes are complete, MyLA's Docker containers on the server will probably need to be restarted in order for them to take effect.
After launch the tool from course navigation if the course doesn't exits in MyLA DB it will be created only by instructor and MyLA Django admin's only and UI may display message something like "Course data is not pulled in yet". Login as admin by going to django_auth
table and change the is_superuser
column value to 1. Run the cron the course data will be pulled in and when the LTI launched the courses view page should be shown.
Use the "Act as a User" feature in that Canvas course, click the link in the Navigation, and the application will be accessed.
There is a setting ENABLE_BACKEND_LOGIN
which is set to False
now if LTI or SAML are enabled. Setting this to True
the standard internal login/logout will work. This should only be enabled for testing.
MyLA uses a third party module that implements LTI 1.3 workflows and validation. See the pylti1.3 GitHub repo for additional documentation.