Support LTI 1.3 in a mobile app

Support LTI 1.3 in a mobile app

by Raoul Johnson -
Number of replies: 4

Hello everyone,

I recently discovered LTI and found it a bit challenging to get started, especially regarding the Launch Flow.

Here is my use case. I am developing a mobile app, where the user can play certain games and unlock educational content. So, the user launches the app, from his phone, logs in using his moodle credentials and plays the game.

My understanding of Moodle (or LMS platforms in general) is that the preferred way is to create an External Tool and communicate using LTI 1.3. So, as I imagine, the app would have a "Login with Moodle" button that starts the oAUTH dance to authenticate the user and the app receives the JWT. Then, the app would be able to retrieve user information, updates grades, etc. However, since the app still needs a custom backend (e.g. for analytics, and other game related data). The JWT token would be sent to the server with each request, who will then perform LTI specific API calls.

When researching about LTI, it seems that the most common use case is that the user launches the external tool from the LMS itself (LTI Launch Flow?). Here, however, I need that the flow gets initiated from a third-party, since it is a mobile app, which would be via oAUTH 2 or OpenID.

Do I understand the specification correctly or is the "launch from third-party directly" something that is not supported when using LTI?

Ralph


Average of ratings: -
In reply to Raoul Johnson

Re: Support LTI 1.3 in a mobile app

by Jake Dallimore -
Picture of Core developers Picture of Moodle HQ Picture of Peer reviewers Picture of Plugin developers Picture of Testers
Hi Ralph,

That is indeed the most common use case; the user begins in an education platform, like Moodle, and launches into an external tool (or views embedded content - but the same launch process applies here). That process is already a third party initiated login in the OpenId sense, since the tool depends on the identity provided by the platform. Here, the platform (the OP) is the third party where login is initiated, and it redirects to the the tool's (the RP) login initiation endpoint to kick off the process. You can read more about this in the 1EdTech security framework spec spec at https://imsglobal.org/spec/security/v1p1#openid_connect_launch_flow. i know that's not exactly what you're talking about when you say "third party" of course, but it does lay out the launch process and technology quite nicely in that documentation (in case you hadn't seen that yet).

I've not seen a mobile app which depends on a platform / LMS quite like you're describing, but it stands to reason that it's possible. It sounds like you only want people to launch the app via, well, the app itself. You'd perhaps use the same launch process, albeit without the first step, (the one where the platform calls the RP's login initiation endpoint). This is no longer third party now, at least in the OIDC sense. Instead - and I speculate here as I've not encountered this in the wild - you'd just make the authentication request directly to the Platform/OP from your app (like you say, via something like "Login with Moodle" or the like). Tapping this this would basically do the OIDC auth using the registered  auth endpoint for the platform (of course the user would need to be auth'd with Moodle in this case) and once the id_token is returned from Moodle to the registered redirect URI, you're then good to go. You're going to have to link your tool to the LMS via a series of web endpoints per OAuth2/OIDC specs anyway (as would any other tool) so of course all these endpoints will be known ahead of time.

It's certainly an interesting case. I know LTI 1.3 documentation has always said it's mobile ready (e.g. https://imsglobal.org/why-platforms-and-tools-should-adopt-lti-13), but this is the first time I'm seeing something like this personally. Of course there may be many others out there...

Anyway, hope some of that helps. Let us know if you find any other information on the topic. I'll be interested to see how this progresses.

Cheers,
Jake
Average of ratings: Useful (1)
In reply to Jake Dallimore

Re: Support LTI 1.3 in a mobile app

by Jake Dallimore -
Picture of Core developers Picture of Moodle HQ Picture of Peer reviewers Picture of Plugin developers Picture of Testers
Out of curiosity, I raised the native mobile problem with a colleague who is a member of the LTI working group and who works on standards, etc. and he raised a very good point: Without a normal resource link launch (from the LMS), we don't have the context information we need (i.e. the location of the course, grades, etc). Essentially, we need that so we can talk to the platform/LMS via the services. So, while he was keen to see something like this supported, his opinion was that it still needs work.
Average of ratings: Useful (1)
In reply to Jake Dallimore

Re: Support LTI 1.3 in a mobile app

by Raoul Johnson -
Hi Jake,

Thanks a lot for your answer. It makes all sense.
I think for the moment, the easiest solution will be to interface with the Moodle REST API directly, similarly to what the Moodle mobile app is doing.
Average of ratings: -
In reply to Raoul Johnson

Re: Support LTI 1.3 in a mobile app

by Jake Dallimore -
Picture of Core developers Picture of Moodle HQ Picture of Peer reviewers Picture of Plugin developers Picture of Testers

Yes, I think that's the most pragmatic approach for now. Hopefully, someday soon, we'll see something formal from 1EdTech around this use case.

Average of ratings: -