Open edX as an LTI provider with Canvas

Is anyone else using the (unsupported, experimental) feature that enables open edX to be an LTI provider?[‘ENABLE_LTI_PROVIDER’]

We’ve been using it experimentally for over a year now on campus at MIT, and it’s time to make it production-ready.

We have one challenge: our users already have accounts on the production system, and it’s really confusing for user with an account to find themselves logged into the same system, in a different account, over LTI. This seems like an unusual edge case for LTI, but I’m wondering if anyone has ever used it to authenticate to an existing account, instead of an anonymous one.

Peter Pinch
MIT Open Learning

1 Like

We do. We have been using it for years.

We serve contents from our Open edX instance to a few Moodle instances on campus through LTI.

To be honest, it has been described as experimental in the documentation for years. I wish the old documentation from previous releases was still accessible so that I could point out the “warning” in the LTI Provider section.

I have been asking for years what is the state of LTI Provider for Open edX. Especially since there was only development for an LTI Consumer XBlock through GitHub - openedx/xblock-lti-consumer

You can look at my questions in a few places:

(there is a link to 12.6.1. Reusing Course Content with LTI — Building and Running an Open edX Course: Koa Release documentation who states that “This feature was a closed pilot experiment. This feature is not supported for new users”)
A question about LTI provider support in Open edX

And to answer your other questions, we only allow anonymous accounts.

1 Like

Thanks @sambapete. It’s reassuring to know that we’re not the only ones using this feature.

Do you know if any core contributors or contractors have experience with the code involved, who might be able to help answer our questions about authentication?

@pdpinch When you ask about authentication, are you referring to LTI authentication or the Future of Open edX authentication?

If it’s the latter there are a couple of Core Contributors chiming it.

If it’s the former, I don’t know. Maybe @nedbat or @giovannicimolin from OpenCraft?

@pdpinch @sambapete
Have you figured out how to get this to work with edX authentication for Canvas or other external LMS?
4.20.5. Configuring Open edX User Authentication for LTI — Installing, Configuring, and Running the Open edX Platform documentation

I’ve setup a TPA > LTI Provider Configuration but I don’t see the registration page whenever I attempt to load an LTI external link from Canvas.

It appears that the LTIUser doesn’t exist the first time and therefore this create_lti_user gets called.

Seems like if the TPA > LTI Provider Configuration authentication worked that the request.user would be the TPA LTI user. This logic below switches the to the LTI User if it notices that the lti_user is not the request.user. I only see the lti_user being created during the lti_launch method and nowhere else.

You’d think that somewhere in this authentication logic for LTIAuthBackend that it would create that lti_user if it didn’t exist to avoid switching the logged in user if they authenticated over this third-party LTIAuthBackend.

I even pushed up the common.djangoapps.third_party_auth.lti.LTIAuthBackend to the top of the AUTHENTICATION_BACKENDS list to see if that authentication would run first. This Django documentation mentions that the order of these authentication backends matters because it tries the first one on the list, then if that doesn’t work it goes to the second one until a successful authentication or not is achieved.

# We have this setting enabled.

# Here is our settings for authentication backends. LTIAuthBackend is at the front of the list.
['common.djangoapps.third_party_auth.lti.LTIAuthBackend', 'social_auth_backend_bigcommerce.backend.BigCommerceCustomerTrustworksAuth', 'social_auth_backend_bigcommerce.backend.BigCommerceCustomerDefaultAuth', '', 'social_core.backends.linkedin.LinkedinOAuth2', 'social_core.backends.facebook.FacebookOAuth2', 'social_core.backends.azuread.AzureADOAuth2', 'common.djangoapps.third_party_auth.appleid.AppleIdAuth', 'common.djangoapps.third_party_auth.identityserver3.IdentityServer3', 'common.djangoapps.third_party_auth.saml.SAMLAuthBackend', 'rules.permissions.ObjectPermissionBackend', 'openedx.core.djangoapps.oauth_dispatch.dot_overrides.backends.EdxRateLimitedAllowAllUsersModelBackend', 'bridgekeeper.backends.RulePermissionBackend', 'lms.djangoapps.lti_provider.users.LtiBackend']

It appears the edX Authentication may have been removed in favor of the anonymous authentication. I cannot be for certain about that but I’m looking into what was removed with this commit as this one made it anonymous authentication.

Sorry, I’m not sure what you mean by “this.”

Yes, we have been able to use open edX as an LTI provider for Canvas. It’s worked for over a year across multiple updates, including Palm.

However, we are still stuck with a new account being created whenever someone accesses open edX over LTI. We have started working with OpenCraft to come up with a solution to this. When they have implemented one, they will submit a PR(s) to open edX.

Maybe this answers your question. If not, let me know what you’re trying to do at this time, and I can try to get some more details.

Peter Pinch
MIT Open Learning

1 Like

@pdpinch Exactly the same thing with new account creation with the platform over LTI. I think that we’re going to stay with anonymous login for now.

We too have been serving our edX platform content on Canvas, Blackboard for several years.

@pdpinch @Zachary_Trabookis Exact same problem for us when we serve contents to our various Moodle instances.