Open edX as an LTI provider with Canvas

pdpinch · May 3, 2023, 9:20pm

Is anyone else using the (unsupported, experimental) feature that enables open edX to be an LTI provider?

https://edx.readthedocs.io/projects/edx-platform-technical/en/latest/featuretoggles.html#featuretoggle-FEATURES[‘ENABLE_LTI_PROVIDER’]

We’ve been using it experimentally for over a year now on campus at MIT, and it’s time to make it production-ready.

We have one challenge: our users already have accounts on the production system, and it’s really confusing for user with an account to find themselves logged into the same system, in a different account, over LTI. This seems like an unusual edge case for LTI, but I’m wondering if anyone has ever used it to authenticate to an existing account, instead of an anonymous one.

Peter Pinch
MIT Open Learning

sambapete · May 4, 2023, 2:17am

We do. We have been using it for years.

We serve contents from our Open edX instance to a few Moodle instances on campus through LTI.

To be honest, it has been described as experimental in the documentation for years. I wish the old documentation from previous releases was still accessible so that I could point out the “warning” in the LTI Provider section.

I have been asking for years what is the state of LTI Provider for Open edX. Especially since there was only development for an LTI Consumer XBlock through GitHub - openedx/xblock-lti-consumer

You can look at my questions in a few places:

(there is a link to 12.6.1. Reusing Course Content with LTI — Building and Running an Open edX Course: Koa Release documentation who states that “This feature was a closed pilot experiment. This feature is not supported for new users”)
A question about LTI provider support in Open edX

And to answer your other questions, we only allow anonymous accounts.

pdpinch · May 19, 2023, 7:35pm

Thanks @sambapete. It’s reassuring to know that we’re not the only ones using this feature.

Do you know if any core contributors or contractors have experience with the code involved, who might be able to help answer our questions about authentication?

sambapete · May 19, 2023, 7:54pm

@pdpinch When you ask about authentication, are you referring to LTI authentication or the Future of Open edX authentication?

If it’s the latter there are a couple of Core Contributors chiming it.

If it’s the former, I don’t know. Maybe @nedbat or @giovannicimolin from OpenCraft?

Zachary_Trabookis · September 22, 2023, 1:48pm

@pdpinch @sambapete
Have you figured out how to get this to work with edX authentication for Canvas or other external LMS?
4.20.5. Configuring Open edX User Authentication for LTI — Installing, Configuring, and Running the Open edX Platform documentation

I’ve setup a TPA > LTI Provider Configuration but I don’t see the registration page whenever I attempt to load an LTI external link from Canvas.

It appears that the LTIUser doesn’t exist the first time and therefore this create_lti_user gets called.

github.com

openedx/edx-platform/blob/master/lms/djangoapps/lti_provider/users.py#L31-L38


      
          try:
              lti_user = LtiUser.objects.get(
                  lti_user_id=lti_user_id,
                  lti_consumer=lti_consumer
              )
          except LtiUser.DoesNotExist:
              # This is the first time that the user has been here. Create an account.
              lti_user = create_lti_user(lti_user_id, lti_consumer)

Seems like if the TPA > LTI Provider Configuration authentication worked that the request.user would be the TPA LTI user. This logic below switches the to the LTI User if it notices that the lti_user is not the request.user. I only see the lti_user being created during the lti_launch method and nowhere else.

github.com

openedx/edx-platform/blob/master/lms/djangoapps/lti_provider/users.py#L40-L44


      
          if not (request.user.is_authenticated and
                  request.user == lti_user.edx_user):
              # The user is not authenticated, or is logged in as somebody else.
              # Switch them to the LTI user
              switch_user(request, lti_user, lti_consumer)

You’d think that somewhere in this authentication logic for LTIAuthBackend that it would create that lti_user if it didn’t exist to avoid switching the logged in user if they authenticated over this third-party LTIAuthBackend.

github.com

openedx/edx-platform/blob/master/common/djangoapps/third_party_auth/lti.py#L28


      
          )
          from social_core.backends.base import BaseAuth
          from social_core.exceptions import AuthFailed
          from social_core.utils import sanitize_redirect
          
          log = logging.getLogger(__name__)
          
          LTI_PARAMS_KEY = 'tpa-lti-params'
          
          
          class LTIAuthBackend(BaseAuth):
              """
              Third-party-auth module for Learning Tools Interoperability
              """
          
              name = 'lti'
          
              def start(self):
                  """
                  Prepare to handle a login request.

I even pushed up the common.djangoapps.third_party_auth.lti.LTIAuthBackend to the top of the AUTHENTICATION_BACKENDS list to see if that authentication would run first. This Django documentation mentions that the order of these authentication backends matters because it tries the first one on the list, then if that doesn’t work it goes to the second one until a successful authentication or not is achieved.

# We have this setting enabled.
>>> settings.FEATURES['ENABLE_THIRD_PARTY_AUTH']
True

# Here is our settings for authentication backends. LTIAuthBackend is at the front of the list.
>>> settings.AUTHENTICATION_BACKENDS
['common.djangoapps.third_party_auth.lti.LTIAuthBackend', 'social_auth_backend_bigcommerce.backend.BigCommerceCustomerTrustworksAuth', 'social_auth_backend_bigcommerce.backend.BigCommerceCustomerDefaultAuth', 'social_core.backends.google.GoogleOAuth2', 'social_core.backends.linkedin.LinkedinOAuth2', 'social_core.backends.facebook.FacebookOAuth2', 'social_core.backends.azuread.AzureADOAuth2', 'common.djangoapps.third_party_auth.appleid.AppleIdAuth', 'common.djangoapps.third_party_auth.identityserver3.IdentityServer3', 'common.djangoapps.third_party_auth.saml.SAMLAuthBackend', 'rules.permissions.ObjectPermissionBackend', 'openedx.core.djangoapps.oauth_dispatch.dot_overrides.backends.EdxRateLimitedAllowAllUsersModelBackend', 'bridgekeeper.backends.RulePermissionBackend', 'lms.djangoapps.lti_provider.users.LtiBackend']

It appears the edX Authentication may have been removed in favor of the anonymous authentication. I cannot be for certain about that but I’m looking into what was removed with this commit as this one made it anonymous authentication.

github.com/openedx/edx-platform

This change cleans up the work in progress request at #8176

committed 02:21PM - 12 Jun 15 UTC

mcgachey

+413 -23

This is an initial authentication implementation that allows LTI users to log in… transparently to edX. The behavior is driven by pilot users at Harvard; this was the most requested feature. The patch creates a new database model that maps users' LTI identifiers to newly-created edX accounts. If an LTI launch comes in with a user_id field that is not in the database, a new edX account is created with a random user name and password. This account is then stored in the database, so that it is permanently associated with the LTI user ID. This patch takes a simplistic approach to session management. If a user is logged in with a different account when they perform an LTI launch, they will be logged out and then re-logged in using their LTI account. In order to keep the patch simple, I have split out some refactoring that needs to be done into a separate branch that I'll post once this has been merged. Since we no longer redirect to the login page, we don't need to maintain two separate LTI endpoints (one for the LTI launch and one for authenticated users), or deal with the session management that requires. There are also multiple fetches of the LtiConsumer object (one in the view, one in the signature validation) that the later patch will consolidate into one. This branch fixes the previous conflicts with the test refactoring carried out in PR 8240.

pdpinch · September 22, 2023, 6:04pm

Sorry, I’m not sure what you mean by “this.”

Yes, we have been able to use open edX as an LTI provider for Canvas. It’s worked for over a year across multiple updates, including Palm.

However, we are still stuck with a new account being created whenever someone accesses open edX over LTI. We have started working with OpenCraft to come up with a solution to this. When they have implemented one, they will submit a PR(s) to open edX.

Maybe this answers your question. If not, let me know what you’re trying to do at this time, and I can try to get some more details.

Peter Pinch
MIT Open Learning

Zachary_Trabookis · September 22, 2023, 6:09pm

@pdpinch Exactly the same thing with new account creation with the platform over LTI. I think that we’re going to stay with anonymous login for now.

We too have been serving our edX platform content on Canvas, Blackboard for several years.

sambapete · September 22, 2023, 6:46pm

@pdpinch @Zachary_Trabookis Exact same problem for us when we serve contents to our various Moodle instances.