Open edX as an LTI provider with Canvas

pdpinch · May 3, 2023, 9:20pm

Is anyone else using the (unsupported, experimental) feature that enables open edX to be an LTI provider?

https://edx.readthedocs.io/projects/edx-platform-technical/en/latest/featuretoggles.html#featuretoggle-FEATURES[‘ENABLE_LTI_PROVIDER’]

We’ve been using it experimentally for over a year now on campus at MIT, and it’s time to make it production-ready.

We have one challenge: our users already have accounts on the production system, and it’s really confusing for user with an account to find themselves logged into the same system, in a different account, over LTI. This seems like an unusual edge case for LTI, but I’m wondering if anyone has ever used it to authenticate to an existing account, instead of an anonymous one.

Peter Pinch
MIT Open Learning

sambapete · May 4, 2023, 2:17am

We do. We have been using it for years.

We serve contents from our Open edX instance to a few Moodle instances on campus through LTI.

To be honest, it has been described as experimental in the documentation for years. I wish the old documentation from previous releases was still accessible so that I could point out the “warning” in the LTI Provider section.

I have been asking for years what is the state of LTI Provider for Open edX. Especially since there was only development for an LTI Consumer XBlock through GitHub - openedx/xblock-lti-consumer

You can look at my questions in a few places:

(there is a link to 12.6.1. Reusing Course Content with LTI — Building and Running an Open edX Course: Koa Release documentation who states that “This feature was a closed pilot experiment. This feature is not supported for new users”)
A question about LTI provider support in Open edX

And to answer your other questions, we only allow anonymous accounts.

pdpinch · May 19, 2023, 7:35pm

Thanks @sambapete. It’s reassuring to know that we’re not the only ones using this feature.

Do you know if any core contributors or contractors have experience with the code involved, who might be able to help answer our questions about authentication?

sambapete · May 19, 2023, 7:54pm

@pdpinch When you ask about authentication, are you referring to LTI authentication or the Future of Open edX authentication?

If it’s the latter there are a couple of Core Contributors chiming it.

If it’s the former, I don’t know. Maybe @nedbat or @giovannicimolin from OpenCraft?

Zachary_Trabookis · September 22, 2023, 1:48pm

@pdpinch @sambapete
Have you figured out how to get this to work with edX authentication for Canvas or other external LMS?
4.20.5. Configuring Open edX User Authentication for LTI — Installing, Configuring, and Running the Open edX Platform documentation

I’ve setup a TPA > LTI Provider Configuration but I don’t see the registration page whenever I attempt to load an LTI external link from Canvas.

It appears that the LTIUser doesn’t exist the first time and therefore this create_lti_user gets called.

github.com

openedx/edx-platform/blob/master/lms/djangoapps/lti_provider/users.py#L31-L38


      
          try:
              lti_user = LtiUser.objects.get(
                  lti_user_id=lti_user_id,
                  lti_consumer=lti_consumer
              )
          except LtiUser.DoesNotExist:
              # This is the first time that the user has been here. Create an account.
              lti_user = create_lti_user(lti_user_id, lti_consumer)

Seems like if the TPA > LTI Provider Configuration authentication worked that the request.user would be the TPA LTI user. This logic below switches the to the LTI User if it notices that the lti_user is not the request.user. I only see the lti_user being created during the lti_launch method and nowhere else.

github.com

openedx/edx-platform/blob/master/lms/djangoapps/lti_provider/users.py#L40-L44


      
          if not (request.user.is_authenticated and
                  request.user == lti_user.edx_user):
              # The user is not authenticated, or is logged in as somebody else.
              # Switch them to the LTI user
              switch_user(request, lti_user, lti_consumer)

You’d think that somewhere in this authentication logic for LTIAuthBackend that it would create that lti_user if it didn’t exist to avoid switching the logged in user if they authenticated over this third-party LTIAuthBackend.

github.com

openedx/edx-platform/blob/master/common/djangoapps/third_party_auth/lti.py#L28


      
          )
          from social_core.backends.base import BaseAuth
          from social_core.exceptions import AuthFailed
          from social_core.utils import sanitize_redirect
          
          log = logging.getLogger(__name__)
          
          LTI_PARAMS_KEY = 'tpa-lti-params'
          
          
          class LTIAuthBackend(BaseAuth):
              """
              Third-party-auth module for Learning Tools Interoperability
              """
          
              name = 'lti'
          
              def start(self):
                  """
                  Prepare to handle a login request.

I even pushed up the common.djangoapps.third_party_auth.lti.LTIAuthBackend to the top of the AUTHENTICATION_BACKENDS list to see if that authentication would run first. This Django documentation mentions that the order of these authentication backends matters because it tries the first one on the list, then if that doesn’t work it goes to the second one until a successful authentication or not is achieved.

# We have this setting enabled.
>>> settings.FEATURES['ENABLE_THIRD_PARTY_AUTH']
True

# Here is our settings for authentication backends. LTIAuthBackend is at the front of the list.
>>> settings.AUTHENTICATION_BACKENDS
['common.djangoapps.third_party_auth.lti.LTIAuthBackend', 'social_auth_backend_bigcommerce.backend.BigCommerceCustomerTrustworksAuth', 'social_auth_backend_bigcommerce.backend.BigCommerceCustomerDefaultAuth', 'social_core.backends.google.GoogleOAuth2', 'social_core.backends.linkedin.LinkedinOAuth2', 'social_core.backends.facebook.FacebookOAuth2', 'social_core.backends.azuread.AzureADOAuth2', 'common.djangoapps.third_party_auth.appleid.AppleIdAuth', 'common.djangoapps.third_party_auth.identityserver3.IdentityServer3', 'common.djangoapps.third_party_auth.saml.SAMLAuthBackend', 'rules.permissions.ObjectPermissionBackend', 'openedx.core.djangoapps.oauth_dispatch.dot_overrides.backends.EdxRateLimitedAllowAllUsersModelBackend', 'bridgekeeper.backends.RulePermissionBackend', 'lms.djangoapps.lti_provider.users.LtiBackend']

It appears the edX Authentication may have been removed in favor of the anonymous authentication. I cannot be for certain about that but I’m looking into what was removed with this commit as this one made it anonymous authentication.

github.com/openedx/edx-platform

This change cleans up the work in progress request at #8176

committed 02:21PM - 12 Jun 15 UTC

mcgachey

+413 -23

This is an initial authentication implementation that allows LTI users to log in… transparently to edX. The behavior is driven by pilot users at Harvard; this was the most requested feature. The patch creates a new database model that maps users' LTI identifiers to newly-created edX accounts. If an LTI launch comes in with a user_id field that is not in the database, a new edX account is created with a random user name and password. This account is then stored in the database, so that it is permanently associated with the LTI user ID. This patch takes a simplistic approach to session management. If a user is logged in with a different account when they perform an LTI launch, they will be logged out and then re-logged in using their LTI account. In order to keep the patch simple, I have split out some refactoring that needs to be done into a separate branch that I'll post once this has been merged. Since we no longer redirect to the login page, we don't need to maintain two separate LTI endpoints (one for the LTI launch and one for authenticated users), or deal with the session management that requires. There are also multiple fetches of the LtiConsumer object (one in the view, one in the signature validation) that the later patch will consolidate into one. This branch fixes the previous conflicts with the test refactoring carried out in PR 8240.

pdpinch · September 22, 2023, 6:04pm

Sorry, I’m not sure what you mean by “this.”

Yes, we have been able to use open edX as an LTI provider for Canvas. It’s worked for over a year across multiple updates, including Palm.

However, we are still stuck with a new account being created whenever someone accesses open edX over LTI. We have started working with OpenCraft to come up with a solution to this. When they have implemented one, they will submit a PR(s) to open edX.

Maybe this answers your question. If not, let me know what you’re trying to do at this time, and I can try to get some more details.

Peter Pinch
MIT Open Learning

Zachary_Trabookis · September 22, 2023, 6:09pm

@pdpinch Exactly the same thing with new account creation with the platform over LTI. I think that we’re going to stay with anonymous login for now.

We too have been serving our edX platform content on Canvas, Blackboard for several years.

sambapete · September 22, 2023, 6:46pm

@pdpinch @Zachary_Trabookis Exact same problem for us when we serve contents to our various Moodle instances.

arunmozhi · September 26, 2023, 7:37am

@Zachary_Trabookis We discovered the same things when @pdpinch asked us to look into getting the user linking to work between Canvas and Open edX. I recently opened a PR that implements auto-linking of the LTI User and edX User accounts using the lis_person_contact_primary_email that is available in the LTI Launches from Canvas.

Yes. We encountered the same thing. So the PR skips the fixing of the LTI Authentication altogether, as it seems unnecessary for the linkage to happen. Moreover, I suspect that the LTI Authentication was tested to work with Blackboard only (or at least tested explicitly) due to 2 reasons:

This blog post about the LTI Auth provider mentions Blackboard only

Derek White, of University of British Columbia (UBC), a key partner in validating our integration with Blackboard, whose team contributed “edX as an LTI Authentication Provider” functionality to Open edX, describes why it’s important for learners to establish their identity in Open edX:

The LTI Provider TPA code parses the field email when populating the details in the registration form. But the LTI Spec reference email only using the field lis_person_contact_primary_email. Which leads me so believe, Blackboard might have used the email field directly instead of using the lis_ convention.

So, in our PR, we settled for a simple configuration flag, that can be turned on which will auto-link any existing user to the LTI user as long as the emails match.

cc: @sambapete

Zachary_Trabookis · September 26, 2023, 12:10pm

@arunmozhi Thanks for showing your PR. So how do we ensure that the ‘ lis_person_contact_email_primary’ is set? Are you testing with Blackboard or other external LMS systems to see if your new logic will persist? I feel like I would want to use this update now. Is it production ready?

arunmozhi · September 26, 2023, 1:48pm

I have tested this with Canvas LMS (as mentioned in the PR testing instructions) and know it works for a regular user added with email into Canvas. For

I think for other systems, the quickest way would be to look at the network tab of the LTI launch request (a POST call) and see if it is a part of the request. In Canvas, I have tested that setting the Privacy level to “Email only” shares the email during the LTI Launch. There might be a similar option in other LMSes.

The PR itself is tested with both unit tests and with Canvas. I would like to think it is production ready, but would suggest waiting until the PR gets merged.

Zachary_Trabookis · September 28, 2023, 8:19pm

@arunmozhi
I made a comment here about having the same email at two separate LTI Consumers and the unique key UNIQUE KEY edx_user_id (edx_user_id), failing because it tries to insert and another record in in the lti_provider_ltiuser table with same edx_user_id due to the finding the user by email.

I don’t think there would ever be a scenario where you’d have the same email at two separate LTI Consumer external LMSs.

github.com/openedx/edx-platform

Review by ztraboo in feat: allow linking LTI users with existing users via LTI Provider

openedx:master ← open-craft:tecoholic/auto-linking-users-from-lti-clients

@tecoholic I noticed that the `UNIQUE KEY `edx_user_id` (`edx_user_id`),` will… fail if you have multiple LTI Consumer connections from the same email on two separate LTI Consumer instances. Probably need to remove this unique key constraint on the database to fix this issue. This is because the `edx_user` id is found based on email. There may not be a case for this because most likely a user won't be enrolled at two separate LMS institutions with the same email address. Let me know what you think about this. ``` CREATE TABLE `lti_provider_ltiuser` ( `id` int(11) NOT NULL AUTO_INCREMENT, `lti_user_id` varchar(255) NOT NULL, `edx_user_id` int(11) NOT NULL, `lti_consumer_id` int(11) NOT NULL, PRIMARY KEY (`id`), UNIQUE KEY `edx_user_id` (`edx_user_id`), UNIQUE KEY `lti_provider_ltiuser_lti_consumer_id_lti_user_id_d684c543_uniq` (`lti_consumer_id`,`lti_user_id`), CONSTRAINT `lti_provider_ltiuser_edx_user_id_e06b2db5_fk_auth_user_id` FOREIGN KEY (`edx_user_id`) REFERENCES `auth_user` (`id`), CONSTRAINT `lti_provider_ltiuser_lti_consumer_id_c1b42ee3_fk_lti_provi` FOREIGN KEY (`lti_consumer_id`) REFERENCES `lti_provider_lticonsumer` (`id`) ) ENGINE=InnoDB AUTO_INCREMENT=2011 DEFAULT CHARSET=latin1Ω ```

arunmozhi · September 29, 2023, 7:38am

@Zachary_Trabookis Thanks for catching this. You are absolutely right to be worried about this UNIQUE constraint. If an org is used LTI Consumer per course, this constraint will completely break the LTI integration with the auto-linking is enabled. I have updated the model to allow linking multiple lti_users to the same edx_user and commented on the PR as well.

Zachary_Trabookis · September 29, 2023, 1:21pm

@arunmozhi
Thanks for that update. That did seem to resolve the issue with having multiple LTI Consumers with the same edX User.