-
-
Notifications
You must be signed in to change notification settings - Fork 165
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Check for LMS ID first when authenticating from LMS #2645
Conversation
lib/WeBWorK/Authen/LTIAdvantage.pm
Outdated
} | ||
if ($user) { | ||
$user_id_source = $c->stash->{lti_lms_user_id}; | ||
$type_of_source = 'lis_source_did'; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This really shouldn't be called the lis_source_did
. That isn't what it is. It is the sub
claim which is a stable locally unique identifier for the user in the LMS. See https://www.imsglobal.org/spec/lti/v1p3#message-claims. Nowhere in the LTI 1.3 specification do they even refer to an lis_sourced_id
. That is a LTI 1.1 thing.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think that the $type_of_source
should be "database user" in this case. Note that this is only used for the debugging message on line 217 below, so it can contain spaces and be informative. The type of source means the source of the webwork2 user_id
. That is from the user_id
column of the user table in the database in this case, and not the misnamed lis_source_did
column.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Okay, looking at this closer I also see that $user_id_source = $c->stash->{lti_lms_user_id}
is not good. The values of $user_id_source
and $type_of_source
need to be set to something that will work well in the sentence "User id is |$self->{user_id}| (obtained from $user_id_source which was $type_of_source)\n"
. That is all that those variables are used for (other than the usage of $user_id_source
in the case that it is equal to "email").
To be honest, I don't think anything will work in that sentence well in this case. So instead I think the $type_of_source
should just be set to "database user" in this case, and "$user_id_source which was ..." in the other two cases. Then the debugging message changed to "User id is |$self->{user_id}| (obtained from $type_of_source)\n";
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So, what I was doing here was the best I could think of for User id is ____ (obtained from ____ which was ____)
. Limiting to that structure, User id is ____ (obtained from lis_source_did which was xxx-yyy-zzz)
seemed OK, assuming someone reading the log would know what that means. But having a different sentence altogether is better.
lib/WeBWorK/Authen/LTIAdvantage.pm
Outdated
} | ||
# First check if we already have a user with the current lis_source_did | ||
my $user = ($c->db->getUsersWhere({ lis_source_did => $c->stash->{lti_lms_user_id} }))[0] // '' | ||
if $c->stash->{lti_lms_user_id}; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The $c->stash->{lti_lms_user_id}
can never be set at this point. It isn't set until line 236 later in this same method. You will need to use $claims->{sub}
at this point instead.
lib/WeBWorK/Authen/LTIAdvantage.pm
Outdated
@@ -188,6 +204,8 @@ sub get_credentials ($self) { | |||
[ recitation => 'https://purl.imsglobal.org/spec/lti/claim/custom#recitation' ], | |||
); | |||
|
|||
$self->{lis_source_did} = $c->stash->{lti_lms_user_id} if $c->stash->{lti_lms_user_id}; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why is this set? It will never be needed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This was my attempt at recording the LMS ID as a new user is created. I didn't track the code, but I assumed the previous block was setting similar things like first_name, and that be setting this here it would trickle down to the lis_source_did
column being filled out for the new user. I'm not surprised if that's wrong, but I couldn't test.
I added a pull request to this branch with some suggested changes. I tested it with Moodle, and it works. I created a user, and signed in. Then I changed the user's email address in the LMS (I have |
I have now also successfully tested my suggested changes with Canvas. |
Thanks for looking at this, and I'll merge your PR soon. I hope to get this in my PCC production server for our winter term. For now at PCC, doing it with LTI 1.3 is enough. |
Suggestions to make using an existing user with given LMS id work.
I merged your PR, thanks again. I may take a stab at the parallel development for LTI 1.1. |
Unfortunately, I don't think this is going to work for LTI 1.1. At least not without adding a new column to the user table in the database. The thing is that the Looking at the LTI 1.1 specification (see section 3 on basic launch data in https://www.imsglobal.org/specs/ltiv1p1p1/implementation-guide) and what Moodle and Canvas send, it seems the only reliable thing to use would be the |
OK, then I guess it's time to lift the "draft" status from this? |
I think it is. |
I applied this to my production server and ran the following test with D2L. Working directly with the database, for one WW course, I removed my user's I have not tested the part of this that records the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Now that this is not a draft anymore, I will add my approval. I have already tested it with Moodle and Canvas as stated previously.
I can test this, but it looks good so I can throw my approval. I'm assuming you both have also tested that creation of new users still works with this? @drgrice1 you comment that this won't be reliable for LTI 1.1, because what is being saved is not a user id but more a resource id. But how often would this actually change for a single user? And I assume any change could never match a different existing user? So could we use it to try and catch name changes in the case the LMS doesn't update this resource id for the updated user? |
If you are using grade pass back mode, then it will change for every set you log in with, and there is no guarantee it won't also work for another user. It simply will not work, and trying to use it for this would be completely wrong in any case. Also, yes I have tested it with user creation. |
I just tested with account creation too (with D2L). It worked. And checking the database, the account creation was enough to get the |
Oh nevermind, I see what is going on now, didn't fully understand your previous statement. One thought if we wanted to try to support this in 1.1, could we just make the lis_source_did contain both the user_id and the resource_id, something like |
Anyways here is my approval, I was just trying to think of ways to support 1.1 because I'm a dinosaur who doesn't want to deal with the headache of moving to 1.3 here. Though I guess 1.1 probably going to be dropped in the future at some point anyways by the LMSes? |
My opinion: it would be OK to start treating LTI 1.1 as basically frozen. |
LTI 1.1 is not officially deprecated, but hasn't been supported since June 30, 2021: https://www.1edtech.org/lti-security-announcement-and-deprecation-schedule I'm fine with not adding new functionality to LTI 1.1, especially since some new features might not be possible in 1.1. |
This is an attempt to deal with situations where a user in the LMS undergoes a name change. So now when then try to authenticate form the LMS, we first look at their LMS ID and see if there is a WW user with that same
lis_source_did
.For now I have only made changes for LTI 1.3. But it turns out I can't test this at all for LTI 1.3 because the WW server I have for testing LTI with our D2L test server is not set up for https. So I can only test LTI 1.1 stuff.
Any feedback on this code so far?