4

I'm working on building a tin-can based LMS. We launch activites from the LMS according to this guide, with the appropriate query parameters for the activity to communicate back to the LRS xapi endpoint.

https://github.com/RusticiSoftware/launch/blob/master/lms_lrs.md

The thing we're struggling with is authentication of incoming statements. For now we're cheating and just using session cookies as the activities are on the same domain as the LMS, however we want to move to external activities.

I understand that tin-can prefers OAuth 2.0 for this purpose, however I'm not sure what the best token exchange flow should be. My best guess would be

  1. user clicks activity link in the lms
  2. activity url opens with tin can parameters (actor, endpoint etc)
  3. activity redirects user back to lrs for authentication token
  4. lrs redirects back to activity with authentication token plus original tin can params
  5. activity swaps authentication token for access token
  6. lrs returns access token to activity
  7. activity makes tin can statement calls authorised with the access token

However the first few steps seem redundant given that we're coming from the LMS/LRS anyway. Is it possible/recommended to either:

  • Launch the activity with the authentication token already present in the url skipping to step 5
  • Launch the activity with the access token already present in the url skipping straight to step 7

Either of these would reduce the amount of steps needed, but could introduce security risks.

Thoughts?

ricick
  • 5,694
  • 3
  • 25
  • 37
  • 1
    xapi/tincan uses oauth 1.0a: https://github.com/adlnet/xAPI-Spec/issues/447 .. with added 2.0's scope attribute to define authorization scope: https://github.com/adlnet/xAPI-Spec/blob/master/xAPI.md#requirements-22 – tom creighton Jun 13 '14 at 11:52

1 Answers1

4

The launch document doesn't specify any authentication parameters to pass when using OAuth, and only talks about OAuth in the case that the activity provider being launched is registered with the LMS (at which point the LMS is to assume the activity will authenticate via OAuth and not send basic auth information).

https://github.com/RusticiSoftware/launch/blob/master/lms_lrs.md#oauth

So, it is possible to use OAuth with launch, but launch does not provide any help. It simply gives you the endpoint to use, and then you have to look at the XAPI spec itself to see where the OAUth endpoints are relative to the main LRS endpoint.

https://github.com/adlnet/xAPI-Spec/blob/1.0.1/xAPI.md#oauth-endpoints

You'll also need to choose and follow a workflow:

https://github.com/adlnet/xAPI-Spec/blob/1.0.1/xAPI.md#64-security

Finally, if skipping to step 7 would be acceptable to you from a security perspective, why not just use the basic auth token the LMS passes you on the launch link?

patmortech
  • 10,139
  • 5
  • 38
  • 50
Ben.Clark
  • 146
  • 2
  • do you have any pointers about the basic auth token? I can't get my head around what it's meant to be, or what it's used for. – ricick Jun 15 '14 at 09:59
  • asked as a seperate question here: http://stackoverflow.com/questions/24235539/tin-can-launch-auth-parameter – ricick Jun 16 '14 at 01:15