xAPI LRS as oAuth Provider

[kellertobias]

Hello. the company I work for is thinking about implementing xAPI in our product. Do I understand https://github.com/adlnet/xAPI-Spec/blob/1.0.2/xAPI.md#security correctly, that an xAPI LRS can be used to authenticate a user agains using the oAUTH workflow? (so similar to google or facebook social login)?

The goal is to have the user that is known by the other LMS/ LRS to log into our application without the need to explicitly create a user account or sync the list of available users in our application first.

[vbhayden]

OAuth is an option, but not every LRS will have it etc.

TL;DR: LRS credentials themselves are more for distinguishing which system (or LRS tenant, in the case of multi-tenant solutions) is actually sending the xAPI statements.

For your specific situation, an LMS user doesn't typically log into the LRS themselves -- or even need to know that the LRS exists at all tbh. xAPI statements and information about a user are typically sent by a module within the LMS itself, which would have its own LRS credentials for handling that communication. The statement's actor property will identify the user in question as the subject of the statement, so users aren't required to have unique credentials to attribute them to xAPI statements, but there might be an LRS solution out there which takes this approach.

Hope that helps some,
-Trey