CMI 5 Subgroup Meeting Notes – Nov 10th, 2023
Bill McDonald edited this page Dec 15, 2023 · 3 revisions
cmi5 Subgroup Meeting Notes – Nov 10th, 2023
- Andy Johnson
- Ang Boon Chang
- Bill McDonald
- Brian Miller
- George Vilches
- Megan Bohland
- Thomas Turrell-Croft
The group discussed the following items:
Rejection vs. Voiding vs. Ignoring of Statements out of sequence - What do we mean when we say the AU must send statements between these 2 statements (Initialized and Terminated), and what must the LMS do when they are not?
- The LMS MUST Void statements that are NOT rejected AND conflict with the Statement API requirements…
- (Eventual consistency)
- LMS must reject statements sent before Initialized and
"Derived Requirements" (from CATAPULT documentation):
8.1.2.0-2 (d): The LMS must reject xAPI requests that use an authorization token prior to it being fetched, or after a session has been terminated or abandoned.
- The LMS must track that the token was generated and reject tokens that were not created by fetch.
- 'The authorization token returned by the "fetch" URL MUST be limited to the duration of a specific user session.'
- Implication is that the Token is LRS Specific
- The concept of a “session” is LMS specific – the fetch authorization token is basically a “session token”
- What is the length of a session?
- Expiry of a Token (length of time) is more important from a security standpoint
8.1.2.0-5 (d): The LMS must reject HTTP requests made to the endpoint that do not contain the authorization token in the Authorization headers.
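
One way an LMS could enforce 8.1.2.0-2 (d) and 8.1.2.0-5 (d) together with a token expiry, as an added example that is not code from the cmi5 specification, CATAPULT, or the subgroup. The class, method and state names, the 1800-second lifetime and the `<scheme> <token>` header form are assumptions of this sketch.

```python
import secrets
import time

# Session states (names are this example's own, not taken from the cmi5 spec text).
UNFETCHED, ACTIVE, TERMINATED, ABANDONED = "unfetched", "active", "terminated", "abandoned"


class SessionTokenRegistry:
    """Hypothetical LMS-side record of which tokens the fetch URL handed out."""

    def __init__(self, ttl_seconds=1800, clock=time.monotonic):
        self._ttl = ttl_seconds   # assumed expiry; the notes leave session length open
        self._clock = clock
        self._by_token = {}       # token -> {"state": ..., "expires": ...}
        self._by_session = {}     # session id -> token

    def create_session(self, session_id):
        """At launch: mint the token, but do not honour it until it is fetched."""
        token = secrets.token_urlsafe(32)
        self._by_session[session_id] = token
        self._by_token[token] = {"state": UNFETCHED, "expires": None}

    def fetch(self, session_id):
        """Fetch URL handler: hand the token to the AU and start its lifetime."""
        token = self._by_session[session_id]
        self._by_token[token].update(state=ACTIVE, expires=self._clock() + self._ttl)
        return token

    def end_session(self, session_id, state=TERMINATED):
        """Record that the session was terminated or abandoned."""
        self._by_token[self._by_session[session_id]]["state"] = state

    def check_request(self, headers):
        """Return (allowed, reason) for one xAPI request to the endpoint."""
        auth = headers.get("Authorization", "").split()
        if len(auth) != 2:                       # assumed form: "<scheme> <token>"
            return False, "no authorization token in Authorization header"
        record = self._by_token.get(auth[1])
        if record is None:
            return False, "token was not created by fetch"
        if record["state"] != ACTIVE:
            return False, "session is " + record["state"]
        if self._clock() >= record["expires"]:
            return False, "token expired"
        return True, "ok"
```

The expiry check runs last, so a terminated or abandoned session is reported as such even after its token has also timed out.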