Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Authentication outside of Provider app #167

Open
benbarefield opened this issue Nov 10, 2022 · 6 comments
Open

Authentication outside of Provider app #167

benbarefield opened this issue Nov 10, 2022 · 6 comments
Assignees
Labels
enhancement New feature or request

Comments

@benbarefield
Copy link

Thank you very much for this work, it's fantastic! I feel like I'm totally missing something, but maybe not:

Is your feature request related to a problem? Please describe.
I'm using ltijs in serverless mode to add LTI into an already existing app, so I have some endpoints that do authentication of the user (passing a token in the header). I'd like the client to be able to use these same endpoints using the ltik as the token.

Describe the solution you'd like
I'd love to be able to verify (and get the user ID) from a request that contains the ltik in the header (and the session cookie). This could be done by exporting Utils/Auth or providing an additional public API on Provider.

Describe alternatives you've considered
Either rewriting things to be hosted out of the ltijs express instance or cloning Utils/Auth for my own purposes.

@benbarefield benbarefield added the enhancement New feature or request label Nov 10, 2022
@benbarefield
Copy link
Author

I'm realizing that the ltik is just a jwt, and I can get the information I need from that. I'm going to leave this open until I'm 100% sure about that because there may still be something I'm missing.

@Cvmcosta
Copy link
Owner

Hello @benbarefield I don't think i understand your question. What do you mean by Verify and get the user ID? You have access to the ID Token (res.locals.token) in any endpoint created by Ltijs (lti.app.get(...)) that is accessed using the ltik key.

@benbarefield
Copy link
Author

benbarefield commented Nov 12, 2022

@Cvmcosta The endpoints I'm accessing are not created by Ltijs, but this was mostly a lack of understand about the ltik being a jwt, and a misreading of the code that was using Auth.verify. I think I can just close this, sorry for the bother.

@benbarefield
Copy link
Author

Hi @Cvmcosta, I think I have a better understanding of things now, and this is still, maybe, an issue I need to solve.
I'm using ltijs as middleware for a pre-existing app I have built (like https://cvmcosta.me/ltijs/#/provider?id=deploying-ltijs-as-part-of-another-server).

So I'm trying to determine the best way to make it so that a session can survive a page refresh (my tool is opened in a separate tab, not an iframe within the LMS). It'd be great if I could make sure of the httpOnly cookies that ltijs provides, but I think I'd need to go through a similar process as in this if block

if (!ltik) {
to recreate the ltik.

@ssciolla
Copy link

ssciolla commented Dec 5, 2022

Hi @benbarefield, not exactly sure what you're trying to do or what architecture or frameworks you're dealing with, but something like what our team did may be what you're looking for. Rather than rely on the ltik for guarding your API endpoints, basically you hook into your own authentication service and create your own JWT/cookies in the provider.onConnect callback. See https://github.com/tl-its-umich-edu/canvas-course-manager-next/blob/74c449c5bb02f92cdb889bb5490e2601f653d888/ccm_web/server/src/lti/lti.service.ts#L83-L96 This was inspired by a pattern we saw in this project: https://github.com/txstate-etc/attendance-node

@benbarefield
Copy link
Author

@ssciolla absolutely, I saw one of your previous posts and looked at this code: it was helpful, thanks! We didn't roll our own auth system (using AWS Cognito), so there's some challenges involved in that. But writing this response is making me realize I should double check some of my assumptions about Cognito to see how practical this approach would be.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

No branches or pull requests

3 participants