General plugins

New contrib: LTI Provider

François Lizotte
Re: New contrib: LTI Provider
Juan,

I ran into a rather scary problem today. I set up a course in Moodle (2.4) as LTI Provider and invited different Moodle admins to connect to it from their Moodle sites. One person connected under a wrong identity (excuse my English).

Let's call them Alice and Beth. They both have a Moodle site (version 2.2) with admin role hosted on the same server. Alice roamed to my Moodle course through the external tool activity (LTI) at 16:08 and didn't log out according to Moodle's log. Later Beth tried to access it the same way, but got authenticated under Alice's name. Wrong identity! In the log, I see a second login (16:37) under Alice's name. No Beth user was created.

Both users come from different IP addresses. How can one connect under someone else's identity?

Of course, they both connect with the same secret key.

Any idea?

François Lizotte
Re: New contrib: LTI Provider
update

We had a similar case yesterday with another user who was connected with MY identity on the provider Moodle course.

And Beth tried again today and was still under Alice's identity.

So it is not just a one time issue.

My Moodle log shows a login while I was asleep last night. (wink)

[image: Log]

Charles Severance
Re: New contrib: LTI Provider

Are these coming from one consumer system or from more than one consumer system?

François Lizotte
Re: New contrib: LTI Provider
Hi Charles,

They connect from different consumer Moodle sites and they all have the same key.

I'm glad it's just a big demo of LTI's potential.

François

Charles Severance
Re: New contrib: LTI Provider

Ah - Then this is likely a bug that I found and fixed in my version of the code.  

The problem is that they need different keys and code in the provider needs to differentiate the same user_id from different systems. If you check the two accounts you will see that they have the same user_id value (i.e. primary key in the Moodle system).

I will try to get the patches to Juan via github and come back here to report.

Charles Severance
Re: New contrib: LTI Provider

OK - I just checked in my changes and sent a pull request to Juan. Here is my fixed code:

https://github.com/csev/moodle-local_ltiprovider

A key point is that two Moodle consumers talking to one Moodle provider must use different keys - but can use the same secret. The key is what "name spaces" the user accounts.

François Lizotte
Re: New contrib: LTI Provider
Wow, I really appreciate it. I'd like to share more information. My technical skills are limited. I'm just a power user.

From my provider I got a URL and a shared secret.

[image: LTI settings]

Then when I set my consumer, I logically filled these two fields. But it was not working.

[image: LTI settings 2]
My provider doesn't generate a key. So I tried the shared secret as a key. And I got it to work!

[image: LTI settings 3]

Am I just causing a mess? Am I missing something?

Another important piece of information: Pierre was able to connect under my name and published in a forum under my name. No account was generated for him in my provider Moodle. So I cannot see his ID.

François

Charles Severance
Re: New contrib: LTI Provider

Setting the key and secret to the same thing works because the provider ignores the key. What I have done (with my patched version above) when I put the same Moodle class into two Learning Management Systems is to use a *different* key for each one - you can also add a new LTI endpoint so you don't even share the secret between them. Then the modified code adds the key to the user_id to make a unique account name - and so we avoid logins where folks seem to stumble into the wrong identity.

My code in the pull request to Juan has a compatibility mode so it keeps working with existing accounts that already have been created.
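The identity mix-up described in this thread and the fix Charles outlines (namespacing accounts by consumer key, with a compatibility mode for existing accounts), as an added Python model. This is not the local_ltiprovider plugin's code (which is PHP); the function names, the consumer registry and the sample launches are constructed for illustration. It shows the pre-fix mapping (user_id alone), the namespaced mapping (consumer key plus user_id), and a compatibility mode that reuses a legacy account only for the consumer that created it.

```python
import hashlib

# Constructed sample data (not from the thread): two consumer Moodle sites
# registered on the provider with DIFFERENT keys but the SAME shared secret,
# as the post above recommends. The secret would be used for OAuth signature
# checks; here we only need the key for identity namespacing.
CONSUMERS = {
    "alice-site": "shared-secret",
    "beth-site": "shared-secret",
}

# Constructed launches: on each consumer site the admin account has
# user_id "2", so both launches carry the same user_id.
LAUNCHES = [
    {"oauth_consumer_key": "alice-site", "user_id": "2", "lis_person_name_full": "Alice"},
    {"oauth_consumer_key": "beth-site", "user_id": "2", "lis_person_name_full": "Beth"},
]


def legacy_username(launch):
    """Behaviour the thread describes before the fix: the consumer key is
    ignored, so the provider username is derived from user_id alone."""
    return "lti_" + launch["user_id"]


def namespaced_username(launch):
    """Fixed scheme (hypothetical naming): hash the consumer key together with
    the user_id so the same user_id from two consumers yields two accounts.
    Hashing keeps usernames short and does not expose the raw key."""
    seed = launch["oauth_consumer_key"] + ":" + launch["user_id"]
    return "lti_" + hashlib.sha256(seed.encode()).hexdigest()[:32]


def resolve_account(launch, accounts, namespace=True, compat=True):
    """Find or create the provider account for a launch.

    accounts: dict username -> account record (stands in for the user table).
    namespace=False reproduces the bug; namespace=True applies the fix.
    compat=True lets a launch keep an account created under the legacy scheme,
    but only if that account records the same consumer key; a launch from
    another consumer never inherits it. (Assumption: the consumer key was
    stored with the account; an account without one is never adopted.)
    """
    key = launch["oauth_consumer_key"]
    if key not in CONSUMERS:
        raise PermissionError("unknown consumer key")  # no secret to verify against

    if not namespace:
        name = legacy_username(launch)
    else:
        name = namespaced_username(launch)
        if name not in accounts and compat:
            old = accounts.get(legacy_username(launch))
            if old is not None and old.get("consumer_key") == key:
                return old

    if name not in accounts:
        accounts[name] = {
            "username": name,
            "consumer_key": key,
            "fullname": launch["lis_person_name_full"],
        }
    return accounts[name]


def simulate(namespace):
    """Run both launches against an empty user table and return the full names
    the two launches ended up logged in as."""
    accounts = {}
    return [resolve_account(l, accounts, namespace=namespace)["fullname"] for l in LAUNCHES]


if __name__ == "__main__":
    print("key ignored:   ", simulate(namespace=False))  # second launch lands on Alice
    print("key namespaced:", simulate(namespace=True))   # each launch gets its own account
```

With `namespace=False` the second launch resolves to the account the first one created, which is the wrong-identity login the thread reports; with the key folded into the username each consumer gets its own account even though both send user_id "2" and both share one secret.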
