<img src="assets/bootcamp.png">

# **LTI&trade; Advantage** bootcamp notebook for Tool

claude.vervoort@gmail.com

*This bootcamp is still under development!*

## Introduction

The notebook shows how to interact with the LTI Advantage ecosystem from a tool implementer viewpoint. It interacts with an actual test server which has been built as a platform simulator to support this notebook. 

<img src="assets/ltibootcamp_arch.png" width="60%">

## Limitation

The test tool platform cannot launch into the bootcamp. As a workaround, the test tool has APIs to get the launch data that would have been included in an actual launch.


In [1]:
# This notebook queries an actual tool platform test server. It needs its location:
platform_url='http://localhost:5000'

## Setup

### Import the python libraries needed by the tool

Here we just import the libraries that will be needed in this notebook, define some utility functions and constants.

In [2]:
import requests
import json
import jwt
import base64
import re
from time import time, sleep
from datetime import datetime
from cryptography.hazmat.primitives.asymmetric.rsa import RSAPublicNumbers
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat
from IPython.display import display, Markdown, HTML, Javascript

def decode_int(b64value):
    return int.from_bytes(base64.urlsafe_b64decode(b64value), byteorder='big')

# for concise code, return full claim prefixed by ims
def fc(claim):
    return "http://imsglobal.org/lti/{0}".format(claim)

def md(mdt):
    display(Markdown(mdt))
    
md_buffer = ''

def mdb(mdt=None):
    global md_buffer
    if mdt:
        md_buffer = md_buffer + '\n' + mdt
    else:
        md(md_buffer)
        md_buffer = ''


## Deploying tool and establishing keys

### get the tool deployment info to use in this notebook

First we need to get a new tool deployment from the server for this notebook instance to use.
Each tool must have a `client_id` and a private key that will be used to interact with the platform services and send messages back to the platform. The `client_id` is used to for security purposes. A trust may be shared across multiple deployments of the same tool in a platform, so a `deployment_id` is also communicated to identify the actual deployment of that tool.

It also needs the keyset URL that exposes the platform public keys needed to validate the incoming messages.

While this information is required for each tool, how it is obtained by the tool is NOT currently part of the LTI specifications.

<img src="assets/advantage-keys.png" width="70%">

In [3]:
r = requests.get(platform_url + '/newtool')
tool_info = json.loads(r.text)

md('### Tool information')
md('Here is the tool information generated for this notebook. It is stored in ```tool_info``` variable.')
md('```json\n'+ json.dumps(tool_info, indent=4)+'```')

### Tool information

Here is the tool information generated for this notebook. It is stored in ```tool_info``` variable.

```json
{
    "webkey": {
        "e": "AQAB",
        "d": "GeuCHPRrWKGwJxx2funXY3myn74eClrszz06sShWoqm91QSjfLCmKY8D4pSpZalnFoSXtrDnjeeDTebmUGns83KLXIeleisq46pbMIhRDXWV8_UuBc2EZfQUUKFv-XnZFoJZOywqMBDHQxgi1yzHtb74fwQCXLBEFHv3TPazRQn8ECheRTJDTHVqL0yMJzjHrjJ8AqTRnPWT_OxVD6DHj2ss-Ld2FGb7eyzyOYVB-ze48F5sx9NhzeveT-DZBScrYZxg-Aszl_LTRpkz1KP29PX0ESuukGLnRfZRElw-dOQCf9k9tqJkIdJ4yIlIpCISbJreVIdz9euPMfNf2J0YqQ==",
        "kty": "RSA",
        "use": "sig",
        "alg": "RS256",
        "n": "540Oa03M96_6Thl6LCvxkH7QCw2BbyGeWfqJV_aSMYwCFdfn1D8D_niGrnFbN_lBqUqs1BRsGUQ3_ISBMWlIaW-Lau2Mpb1nje-lg0jj7X4vztZX2RxVTOHQ9_TsqAOmFmaH0BpJ5g3h3RD7o-X20s7ra4nbpWYoCJX43ImrdRBGGSGA96wUtOct9aZkuut4t8-U_-_NbnLErG6FzJcBYcUu1zs9L6d3cbd4vvr7u44PDAWeB4gSPLJXptgop1LvOUTSRxHDllag8oc6iyzHKMynFvZmDIvgVUU6otsuzobunSNmoe4SnQzXQKRzsEaUi9Hs8X9dVp3G3jnsWxE5_Q=="
    },
    "keyset_url": "http://localhost:5000/.well-known/jwks.json",
    "client_id": "1",
    "accesstoken_endpoint": "http://localhost:5000/auth/token",
    "webkeyPem": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA540Oa03M96/6Thl6LCvxkH7QCw2BbyGeWfqJV/aSMYwCFdfn\n1D8D/niGrnFbN/lBqUqs1BRsGUQ3/ISBMWlIaW+Lau2Mpb1nje+lg0jj7X4vztZX\n2RxVTOHQ9/TsqAOmFmaH0BpJ5g3h3RD7o+X20s7ra4nbpWYoCJX43ImrdRBGGSGA\n96wUtOct9aZkuut4t8+U/+/NbnLErG6FzJcBYcUu1zs9L6d3cbd4vvr7u44PDAWe\nB4gSPLJXptgop1LvOUTSRxHDllag8oc6iyzHKMynFvZmDIvgVUU6otsuzobunSNm\noe4SnQzXQKRzsEaUi9Hs8X9dVp3G3jnsWxE5/QIDAQABAoIBABnrghz0a1ihsCcc\ndn7p12N5sp++Hgpa7M89OrEoVqKpvdUEo3ywpimPA+KUqWWpZxaEl7aw543ng03m\n5lBp7PNyi1yHpXorKuOqWzCIUQ11lfP1LgXNhGX0FFChb/l52RaCWTssKjAQx0MY\nItcsx7W++H8EAlywRBR790z2s0UJ/BAoXkUyQ0x1ai9MjCc4x64yfAKk0Zz1k/zs\nVQ+gx49rLPi3dhRm+3ss8jmFQfs3uPBebMfTYc3r3k/g2QUnK2GcYPgLM5fy00aZ\nM9Sj9vT19BErrpBi50X2URJcPnTkAn/ZPbaiZCHSeMiJSKQiEmya3lSHc/XrjzHz\nX9idGKkCgYEA8aRqlSAsHQt3KJnBsGhM4RC9ZXwEYNC84ESEnA+RS+N4lz1XppR2\nkNGX2nWGq1VGttoji082DEm3ve9XR7fwAtckmAr9S3u3eERk8hf8RNPpUJIYHO1B\nocZ6Z6T/hq6h3C9WsKGsnEiBmbTrVmOiseIyUHO0LjOLeDJzpKeVSFUCgYEA9U8k\nvS9E1nFPVij7XJzp6shUQtw4HXAWSsVejz9sLBPr77BqjXom3SVbIHkxDbCAnpn6\n8r0Pe3T3XVA1QWubVI2dGx6dHTAg89n9PoTe/ZEPKlZcm1m0q1A7Enov+E8gbIHS\nNGwGoxWq9xeSccHl6fMTj8aRBdxCfB8k93OF8wkCgYANrd8SvhWBN2rxc3LRh7YC\nb64pFpIw4OAwWfCf3Qm+oAvtk91oYrMrk5HjHhAXluY/561nb36Bx5KNQAVS3AjM\nQF2j9ctNAJ3sQwLr6YuwYcatdvfCe3PhspivUVndx/kFu/BOY3igCEK97s37v/wv\n0bxDbalfjC9zCHgfdBUxWQKBgQDSq7x2iNDKhZdH/HwaxluRmafbn7rFdUx/vE8A\nIMyqchVuzIhFpkEYLQu8sLfy9MEQ9FZy/vD76rDBv69s1pgYnmHtN3Zg6cNzCKQX\nfA7xnxFyH6b6d6jUc1u3+52U14eWCEvZX2i3yFUCTYkkDwx/xZToJfTIHqguZqTd\nqqW/2QKBgAwBJG/sv6t5ZLn/QsCdEEJZywgncceaVKinRuFy7MoKvJi0yJST85Gs\n565ToRybsQwSuwzN6BY8/82iST1IucaDEAduBm+MXPRR8E1yb7DsiCKAZCx/YCay\nYz6lDnI5Uiaep6P80/9zWk5Wa0n2vzdVJ6RaOSu3sP7a3BhS2vr6\n-----END RSA PRIVATE KEY-----"
}```

### Getting the public keys from the platform

In order to validate the various messages we will receive from the platform, we need to get the key sets. We'll also transform the keys to the `PEM` format that is used by the `jwt` module to decode the messages.

The test platform exposes its keys in a keyset format at a well-know location (.well-known/jwks.json). Other platform might just communicate the keyset url as part of the tool deployment information.

In [4]:
keyset = json.loads(requests.get(tool_info['keyset_url']).text)

md('#### Platform keyset')
md('```json\n'+ json.dumps(keyset, indent=4)+'```')

platform_keys = {}

# let's transform as a map for ease of use, and just the PEM because this is what is used by JWT lib
for key in keyset['keys']:
    public_key = RSAPublicNumbers(decode_int(key['e']), decode_int(key['n'])).public_key(default_backend())
    pem = public_key.public_bytes(Encoding.PEM, PublicFormat.SubjectPublicKeyInfo)
    platform_keys[key['kid']] = pem
    


#### Platform keyset

```json
{
    "keys": [
        {
            "e": "AQAB",
            "kid": "1520718397_0",
            "kty": "rsa",
            "use": "sig",
            "alg": "RS256",
            "n": "rh9FhlP4vntXp4AJr2N3FZWqO8fy1vpIh7oGbbnNpJiq-UEsSUffk50uAd2UVYzJiS5S1PrClQB0nD3BJ91JDVDu-Og0C5rrYnHpNtbAtfxzEghdRCVFCCdwfZiabjR6EbH2vG0FknmNZvKVAtQ1J_BpCB8g1VDqTwD1gfpNsFNdZCQFccNMO9TMtR5sGEUcynEyeCpSp3S7rIZQpWXkKcztzNZ5tsAC4oZwA56VpSYMdtTD2dRkYuuMMynuE6GgxOFL_gQpC6Ib4xl6wCRJbxETCztNdRAfkVbmzliXl9vvsTKqxXtSVROp0wtlRR9H0LY9S76SpT1DjKNxxbUqBw=="
        },
        {
            "e": "AQAB",
            "kid": "1520718397_1",
            "kty": "rsa",
            "use": "sig",
            "alg": "RS256",
            "n": "tc8Qd5H0dv3AWVxZUt1XN5TvWBv-8Qu62R-eY2cahivvx-W6ElQxZPdbFGGNkKlax-dK3rRX_MM81li1JTtMANoGKavbZ_fwPsHxVCBVQ47D1IKompug6ZjPJ3GRTr-Oe2Vwk5n96nWVT6I6mCUSvS57M_Q7HF9l72PzMP5bdqeGDLW-HC9gZVkxn6MG6UHlQxfOY5d0VOYaJnpymoR0z3ZA66D-ophKuG-EPfpgjYL6e7wpLVgGtlPGzTe081XDmxNoDcWay143E7YKzRE_fCqd6EHnd6ncpfkWNi2WTKNoVeGExksLfdMP7s80brxyjZcAnDpE_PlGeVE9ntLLvw=="
        },
        {
            "e": "AQAB",
            "kid": "1520718397_2",
            "kty": "rsa",
            "use": "sig",
            "alg": "RS256",
            "n": "7fNCmzN27YTCQTpPPesrduiIu4cHlypELfQuoW81S7VIsbd1cbrh00uCNQ68eg1OwEzgZ2QYhuKxmTLYT_rPC5eab5sdo-fRKbPw4HffDXDId6CNn2Y3yyKWv4gcuPhPmqmuuE1snFXDwp_fMTfcDE14Nbq2wBAN7rCyriGvbHCVXLVUjfxBTbGytJQid_BNZqRJAYP9f7ZUQWCZxfGLjOaToeXwT_dmPPrmdjLhPGqvLq9zPcwJPBe8bh9vWtbtHvvjl9vsVTjj8ZKZsC_AHNYHNsbfdW45hA-7kgUiwNG2htLG1VZDxbRm7gCayJOjY5bwFGfyULdJ-tr3gaYWXw=="
        },
        {
            "e": "AQAB",
            "kid": "1520718397_3",
            "kty": "rsa",
            "use": "sig",
            "alg": "RS256",
            "n": "lgV6OShqlUeoD02KKpCdxZW7G2w1oBpWSC8x_nls1jtF02Ih_LmFATW1TFGmD_gg3wPPiPuD4xZqj5RBPFoajmz1F9Z4ftJdVguRhvIFxZp4PCYM6kwPsxCR40l1foADXCuCEGkDDnkwzrMOxBdxC3Ohgjib3Y8M5xAhp7m2nk1cEz5t0jTHWxu47qgThZrXxJn5YDeBnGF4Dm5xfHYl0JKXCQ-e5kyO7v91HRFH4MxYqDE5L7UBNNiSTIrM1RFBE9c00DleWMdA0ye6BGHOQbYbU-kSZWI2HIdd02Gl2ILE69d0bTvahgaGek1DBokrkAj5dgpWr1QZbPkDrRvlow=="
        }
    ]
}```

## Deep Linking - Creating a Link
This section will use the deep linking specification to create a Resource Link to the platform. That resource link will be gradable and used in the following sections of that notebook.

[Deep Linking](https://www.imsglobal.org/specs/lticiv1p0) is a **UI flow**, it is an important piece that is sometimes missed on 1st reading. The user is redirected from the platform to the tool to pick or create one or multiple piece of content (often, LTI links), and the the tool redirects the UI back to the tool with the actual selection (or an empty payload if nothing was picked or created).

So there are 2 messages:

1. `LtiDeepLinkingRequest` from the platform to the tool to start the picking/create session. This is a typical platform launch that contains the context and the user information, and what kind of content items may be created in this flow (for example, this flow might indicate it only wants LTI links).
1. `LtiDeepLinkingResponse` from the tool back to the plaform using the `content_item_return_url` provided in the request.

Once a tool is added to a course, usually the first launch from the platform will be a Deep Linking request.

<img src="assets/advantage-deeplinking.png" width="60%">

### Setup: Getting a Deep Linking Request

This notebook is not a tool actually launched by the platform, so the test platform as way to give us the token that it would include in an actual HTTP POST request, so we can build a mock POST request including the parameter `post_data`.

In [5]:
r = requests.get("{}/tool/{}/cisr".format(platform_url, tool_info['client_id']))

post_data = {
    'id_token':r.text
}

md('`id_token='+ r.text+'`')

`id_token=eyJhbGciOiJSUzI1NiIsImtpZCI6IjE1MjA3MTgzOTdfMCIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE1MjA3MTkzMjksImh0dHA6Ly9pbXNnbG9iYWwub3JnL2x0aS9kZXBsb3ltZW50X2lkIjoiZGVwbG95bWVudF8xIiwiaHR0cDovL2ltc2dsb2JhbC5vcmcvbHRpL2RlZXBfbGlua2luZ19yZXF1ZXN0Ijp7ImFjY2VwdF9wcmVzZW50YXRpb25fZG9jdW1lbnRfdGFyZ2V0cyI6WyJpZnJhbWUiLCJ3aW5kb3ciXSwiYWNjZXB0X211bHRpcGxlIjp0cnVlLCJhY2NlcHRfbWVkaWFfdHlwZXMiOlsiYXBwbGljYXRpb24vdm5kLmltcy5sdGkudjEubHRpbGluayJdLCJkYXRhIjoib3A9MzIxJnY9NDQiLCJhdXRvX2NyZWF0ZSI6dHJ1ZX0sImh0dHA6Ly9pbXNnbG9iYWwub3JnL2x0aS9tZXNzYWdlX3R5cGUiOiJMVElEZWVwTGlua2luZ1JlcXVlc3QiLCJodHRwOi8vaW1zZ2xvYmFsLm9yZy9sdGkvdG9vbF9wbGF0Zm9ybSI6eyJndWlkIjoibHRpYmNfYXRfMTUyMDcxODQ0MyIsIm5hbWUiOiJMVEkgQm9vdGNhbXAgUGxhdGZvcm0ifSwiYXVkIjoiMSIsImh0dHA6Ly9pbXNnbG9iYWwub3JnL2x0aS92ZXJzaW9uIjoiMS4zLjAiLCJodHRwOi8vaW1zZ2xvYmFsLm9yZy9sdGkvbGF1bmNoX3ByZXNlbnRhdGlvbiI6eyJyZXR1cm5fdXJsIjoiaHR0cDovL2xvY2FsaG9zdDo1MDAwL3Rvb2wvYWRhY2VjMzgtMjRhZS0xMWU4LThhNDgtYzQ4ZThmZmI3ODU3L2NpciIsImRvY3VtZW50X3RhcmdldCI6ImlmcmFtZSJ9LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjUwMDAiLCJzdWIiOiJMVElCQ1VfMyIsIm5vbmNlIjoiYWRhY2VjMzktMjRhZS0xMWU4LThhNDgtYzQ4ZThmZmI3ODU3IiwiZmFtaWx5X25hbWUiOiJDb25jaFx1MDBmYXIiLCJleHAiOjE1MjA3MTkzODksImVtYWlsIjoiQ2hyaXN0YWwuQ29uY2hcdTAwZmFyQGV4YW1wbGUuY29tIiwiaHR0cDovL2ltc2dsb2JhbC5vcmcvbHRpL2NvbnRleHQiOnsidGl0bGUiOiJMVEkgQm9vdGNhbXAgQ291cnNlIiwidHlwZSI6WyJDb3Vyc2VTZWN0aW9uIl0sImxhYmVsIjoiTFRJIEJvb3RjYW1wIENvdXJzZSIsImlkIjoiYWRhY2VjMzgtMjRhZS0xMWU4LThhNDgtYzQ4ZThmZmI3ODU3In0sImh0dHA6Ly9pbXNnbG9iYWwub3JnL2x0aS9yb2xlcyI6WyJodHRwOi8vcHVybC5pbXNnbG9iYWwub3JnL3ZvY2FiL2xpcy92Mi9tZW1iZXJzaGlwI0luc3RydWN0b3IiXSwibmFtZSI6IkNocmlzdGFsIENvbmNoXHUwMGZhciIsImh0dHA6Ly9pbXNnbG9iYWwub3JnL2x0aS9hZ3MiOnsibGluZWl0ZW1zIjoiaHR0cDovL2xvY2FsaG9zdDo1MDAwL2FkYWNlYzM4LTI0YWUtMTFlOC04YTQ4LWM0OGU4ZmZiNzg1Ny9saW5laXRlbXMiLCJzY29wZSI6WyJodHRwczovL2ltc2dsb2JhbC5vcmcvbHRpL2Fncy9saW5laXRlbSIsImh0dHBzOi8vaW1zZ2xvYmFsLm9yZy9sdGkvYWdzL3Jlc3VsdC5yZWFkb25seSIsImh0dHBzOi8vaW1zZ2xvYmFsLm9yZy9sdGkvYWdzL3Njb3JlIl19LCJnaXZlbl9uYW1lIjoiQ2hyaXN0YWwifQ.eXnGRKbKH4_zAa5oh1S_ByPORMzImNZPvBl0TWlzq19r0EuPuYEQDBD-9UTfwZFgRSK8WcNlmAitw42cSEoGK3GWsVEQgwbiyHmVD6KwZJ8c2qPmOpKZImNUuFwSpFdkZMeLL6ZJgp_Umu3fzyU8ywNB23MVYodyG7uy3c5lQOWRPxA-g_xeb_BEsGOnW8VCJvXoON2W34848ajR_vTBI6AylUIr7iH_VaWOv04qOBrSyDD3SvQBq6BiAiLtw3EZQAD23NPFbWgl-b0wzAGZX--fVh9JHbtI0AvE16KluVFB8dFxXhrSDNI7NJoS2dp8tuq2Z82WqdB5hLXnIc1dnQ`

### Task 1: Verify the JWT is properly signed

The first thing before to display to the user the picker/authoring interface to create the link is to validate this request is properly signed. This is done by decoding the JWT using public key from the platform.


In [6]:
# Let's get the kid so we can get the proper public key

# should check ISS first to lookup keyset

encoded_jwt = post_data['id_token']
jwt_headers = jwt.get_unverified_header(encoded_jwt)

content_item_message = jwt.decode(encoded_jwt, 
                                  platform_keys[jwt_headers['kid']], 
                                  jwt_headers['alg'],
                                  audience = tool_info['client_id'])

md('#### Message properly signed! Decoded ContentItemSelectionRequest message:')
md('```json\n'+ json.dumps(content_item_message, indent=4)+'```')


#### Message properly signed! Decoded ContentItemSelectionRequest message:

```json
{
    "http://imsglobal.org/lti/tool_platform": {
        "guid": "ltibc_at_1520718443",
        "name": "LTI Bootcamp Platform"
    },
    "given_name": "Christal",
    "http://imsglobal.org/lti/roles": [
        "http://purl.imsglobal.org/vocab/lis/v2/membership#Instructor"
    ],
    "family_name": "Conch\u00far",
    "iat": 1520719329,
    "name": "Christal Conch\u00far",
    "sub": "LTIBCU_3",
    "exp": 1520719389,
    "http://imsglobal.org/lti/context": {
        "title": "LTI Bootcamp Course",
        "label": "LTI Bootcamp Course",
        "type": [
            "CourseSection"
        ],
        "id": "adacec38-24ae-11e8-8a48-c48e8ffb7857"
    },
    "aud": "1",
    "email": "Christal.Conch\u00far@example.com",
    "http://imsglobal.org/lti/deployment_id": "deployment_1",
    "http://imsglobal.org/lti/message_type": "LTIDeepLinkingRequest",
    "iss": "http://localhost:5000",
    "nonce": "adacec39-24ae-11e8-8a48-c48e8ffb7857",
    "http://imsglobal.org/lti/ags": {
        "lineitems": "http://localhost:5000/adacec38-24ae-11e8-8a48-c48e8ffb7857/lineitems",
        "scope": [
            "https://imsglobal.org/lti/ags/lineitem",
            "https://imsglobal.org/lti/ags/result.readonly",
            "https://imsglobal.org/lti/ags/score"
        ]
    },
    "http://imsglobal.org/lti/deep_linking_request": {
        "accept_media_types": [
            "application/vnd.ims.lti.v1.ltilink"
        ],
        "accept_multiple": true,
        "accept_presentation_document_targets": [
            "iframe",
            "window"
        ],
        "data": "op=321&v=44",
        "auto_create": true
    },
    "http://imsglobal.org/lti/version": "1.3.0",
    "http://imsglobal.org/lti/launch_presentation": {
        "document_target": "iframe",
        "return_url": "http://localhost:5000/tool/adacec38-24ae-11e8-8a48-c48e8ffb7857/cir"
    }
}```

### Task 2: extract the information needed to render the selector/authoring UI

If this is the first launch for the user or the course, as a tool you may prompt the user for setup information, including account linking or course setup. Ultimately the user will see the authoring or picking interface that will allow her to create or select the content items to be added to the course.

Some key attributes of the `ContentItemSelectionRequest` will drive the experience:

In [7]:
# fc(claim) prefix the claim with http://imsglobal.org/lti/
mdb('1. What is the current course id? {0}'.format(content_item_message[fc('context')]['id']))
mdb('1. What is the current user id? {0}'.format(content_item_message['sub']))
is_instructor = len(list(filter(lambda x: 'instructor' in x.lower(), content_item_message[fc('roles')])))>0
mdb('1. Is this user an instructor? {0}'.format(is_instructor))
deep_linking_claim = content_item_message[fc('deep_linking_request')]
mdb('1. What kind of content item can be created? {0}'.format(deep_linking_claim['accept_media_types']))
mdb('1. Can I return more than one items to be added? {0}'.format(deep_linking_claim['accept_multiple']))
mdb('1. Will the user be prompted before to actually save the items? {0}'.format(not deep_linking_claim['auto_create']))
deep_linking_return_url = content_item_message[fc('launch_presentation')]['return_url']
mdb('1. Where should I redirect the browser too when done? {0}'.format(deep_linking_return_url))
mdb('1. Is there any data I must pass back to platform when I return? {0}'.format('data' in deep_linking_claim))
mdb()


1. What is the current course id? adacec38-24ae-11e8-8a48-c48e8ffb7857
1. What is the current user id? LTIBCU_3
1. Is this user an instructor? True
1. What kind of content item can be created? ['application/vnd.ims.lti.v1.ltilink']
1. Can I return more than one items to be added? True
1. Will the user be prompted before to actually save the items? False
1. Where should I redirect the browser too when done? http://localhost:5000/tool/adacec38-24ae-11e8-8a48-c48e8ffb7857/cir
1. Is there any data I must pass back to platform when I return? True

### Task 3: building the response token

After the end of the interaction, so user is sent back to the platform throught a browser redirection using an HTTP POST containing the JWT `ContentItemResponse` message. In this case, we will return 2 LTI links, one being graded (since the request supports multiple content items).

Here we're creating the actual response token.

In [8]:
## First let's create our 2 content items
## Note that the URLs are phony as for now there is now way to launch in the notebook anyway...
simple_link =  {
      "mediaType": "application/vnd.ims.lti.v1.ltilink",
      "url": "http://lti.bootcamp/item111",
      "presentationDocumentTarget": "iframe",
      "title": "A simple content item",
      "text": "Some long text",
      "icon": {
        "url": "http://lti.example.com/image.jpg",
        "width": 100,
        "height": 100
      },
      "custom": {
        "lab": "sim4e"
      }
}

assignment_link =  {
      "mediaType": "application/vnd.ims.lti.v1.ltilink",
      "url": "http://lti.bootcamp/item111",
      "presentationDocumentTarget": "iframe",
      "title": "An assignment",
      "text": "Chemical lab sim",
      "icon": {
        "url": "http://lti.example.com/image.jpg",
        "width": 100,
        "height": 100
      },
      "custom": {
        "lab": "sim3a",
        "level": "easy"
      },
      "lineItem": {
        "scoreMaximum": 34,
        "label": "Chemical lab sim",
        "resourceId": "sim3a",
        "tag": "final_grade"
      }
}

now = int(time())

deep_linking_response = {
    "iss": tool_info['client_id'],
    "aud": content_item_message['iss'],
    "exp": now + 60,
    "iat": now,
    "http://imsglobal.org/lti/message_type": "DeepLinkingResponse",
    "http://imsglobal.org/lti/version": "1.3.0",
    "http://imsglobal.org/lti/content_items": [
        simple_link, assignment_link
    ]
    
}

### Task 4: build the signed JWT

In [9]:
deep_linking_response_token = jwt.encode(deep_linking_response, tool_info['webkeyPem'], 'RS256').decode()

print(deep_linking_response_token)

eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpYXQiOjE1MjA3MTkzMjksImV4cCI6MTUyMDcxOTM4OSwiaHR0cDovL2ltc2dsb2JhbC5vcmcvbHRpL21lc3NhZ2VfdHlwZSI6IkRlZXBMaW5raW5nUmVzcG9uc2UiLCJpc3MiOiIxIiwiaHR0cDovL2ltc2dsb2JhbC5vcmcvbHRpL2NvbnRlbnRfaXRlbXMiOlt7Imljb24iOnsiaGVpZ2h0IjoxMDAsIndpZHRoIjoxMDAsInVybCI6Imh0dHA6Ly9sdGkuZXhhbXBsZS5jb20vaW1hZ2UuanBnIn0sImN1c3RvbSI6eyJsYWIiOiJzaW00ZSJ9LCJ0aXRsZSI6IkEgc2ltcGxlIGNvbnRlbnQgaXRlbSIsIm1lZGlhVHlwZSI6ImFwcGxpY2F0aW9uL3ZuZC5pbXMubHRpLnYxLmx0aWxpbmsiLCJwcmVzZW50YXRpb25Eb2N1bWVudFRhcmdldCI6ImlmcmFtZSIsInVybCI6Imh0dHA6Ly9sdGkuYm9vdGNhbXAvaXRlbTExMSIsInRleHQiOiJTb21lIGxvbmcgdGV4dCJ9LHsiaWNvbiI6eyJoZWlnaHQiOjEwMCwid2lkdGgiOjEwMCwidXJsIjoiaHR0cDovL2x0aS5leGFtcGxlLmNvbS9pbWFnZS5qcGcifSwibGluZUl0ZW0iOnsibGFiZWwiOiJDaGVtaWNhbCBsYWIgc2ltIiwidGFnIjoiZmluYWxfZ3JhZGUiLCJyZXNvdXJjZUlkIjoic2ltM2EiLCJzY29yZU1heGltdW0iOjM0fSwiY3VzdG9tIjp7ImxhYiI6InNpbTNhIiwibGV2ZWwiOiJlYXN5In0sInRpdGxlIjoiQW4gYXNzaWdubWVudCIsIm1lZGlhVHlwZSI6ImFwcGxpY2F0aW9uL3ZuZC5pbXMubHRpLnYxLmx0aWxpbmsiLCJwcmV

### Task 5: redirect the user back to the platform with the content item selection

Now that we the response token, let's do the actual HTML POST redirection to the platform. Note that because the platform supports `autocreate` there will be no prompt. The 2 items will be added directly to the course.


In [10]:
# Let's start by adding the JWS security claims
content_item_response = {
    'iss': tool_info['client_id'] ,
    'aud': content_item_message['iss']
}

autosubmit_js = """
                var ltiForm = $('<form>');                
                ltiForm.attr('action', '{url}');
                ltiForm.attr('method', 'POST');
                ltiForm.attr('target', 'deeplinking_frame');
                $('<input>').attr({{
                    type: 'hidden',
                    name: 'jws_token',
                    value: '{token}'
                }}).appendTo(ltiForm);
                $('#deeplinking_frame').before(ltiForm);
                ltiForm.submit();
                ltiForm.remove();
                """

autosubmit_js = autosubmit_js.format(url=deep_linking_return_url, token=deep_linking_response_token)

display(HTML('<iframe id="deeplinking_frame" name="deeplinking_frame" style="height: 300px; width:100%"></iframe>'))
display(Javascript(data=autosubmit_js, 
                   lib="https://code.jquery.com/jquery-3.3.1.min.js"))

<IPython.core.display.Javascript object>

## Student Resource Link launch

Now that we have created resource links, let's handle a student launch from one of them. We're going to use a resource link with a **coupled** line item, so that we can use it to send a score back to the platform.

### Setup

The first thing we need, as with deep linking, is to get from the test platform the launch token which an actual tool would get in an actual HTML Form Post.

In [13]:
# in automated run, force a sleep for the response above to have been processed
sleep(3)

# select an id from the ones displayed in the course platform in the IFrame above
# if not specified the platform will pick a resource to use

resource_link_id = ''
context_id = content_item_message['http://imsglobal.org/lti/context']['id']

r = requests.get("{}/tool/{}/context/{}/studentlaunch?rlid={}".format(platform_url, 
                                                           tool_info['client_id'], 
                                                           context_id, 
                                                           resource_link_id))

post_data = {
    'id_token':r.text
}

md('`id_token='+ r.text+'`')

`id_token=eyJhbGciOiJSUzI1NiIsImtpZCI6IjE1MjA3MTgzOTdfMSIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE1MjA3MTkzNTMsImh0dHA6Ly9pbXNnbG9iYWwub3JnL2x0aS9kZXBsb3ltZW50X2lkIjoiZGVwbG95bWVudF8xIiwiaHR0cDovL2ltc2dsb2JhbC5vcmcvbHRpL21lc3NhZ2VfdHlwZSI6IkxUSVJlc291cmNlTGlua0xhdW5jaCIsImh0dHA6Ly9pbXNnbG9iYWwub3JnL2x0aS90b29sX3BsYXRmb3JtIjp7Imd1aWQiOiJsdGliY19hdF8xNTIwNzE4NDQzIiwibmFtZSI6IkxUSSBCb290Y2FtcCBQbGF0Zm9ybSJ9LCJhdWQiOiIxIiwiaHR0cDovL2ltc2dsb2JhbC5vcmcvbHRpL2N1c3RvbSI6eyJsYWIiOiJzaW0zYSIsImxldmVsIjoiZWFzeSJ9LCJodHRwOi8vaW1zZ2xvYmFsLm9yZy9sdGkvdmVyc2lvbiI6IjEuMy4wIiwiaHR0cDovL2ltc2dsb2JhbC5vcmcvbHRpL2xhdW5jaF9wcmVzZW50YXRpb24iOnsicmV0dXJuX3VybCI6Imh0dHA6Ly9sb2NhbGhvc3Q6NTAwMGh0dHA6Ly9sb2NhbGhvc3Q6NTAwMC8iLCJkb2N1bWVudF90YXJnZXQiOiJpZnJhbWUifSwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo1MDAwIiwic3ViIjoiTFRJQkNVXzEzIiwibm9uY2UiOiJiYzIzZDYyOC0yNGFlLTExZTgtOGE0OC1jNDhlOGZmYjc4NTciLCJmYW1pbHlfbmFtZSI6IlRocmFjZSIsImV4cCI6MTUyMDcxOTQxMywiZW1haWwiOiJLYXJhLlRocmFjZUBleGFtcGxlLmNvbSIsImh0dHA6Ly9pbXNnbG9iYWwub3JnL2x0aS9yZXNvdXJjZV9saW5rIjp7InRpdGxlIjoiQW4gYXNzaWdubWVudCIsImlkIjoiYWZmZDRlY2YtMjRhZS0xMWU4LThhNDgtYzQ4ZThmZmI3ODU3In0sImh0dHA6Ly9pbXNnbG9iYWwub3JnL2x0aS9jb250ZXh0Ijp7InRpdGxlIjoiTFRJIEJvb3RjYW1wIENvdXJzZSIsInR5cGUiOlsiQ291cnNlU2VjdGlvbiJdLCJsYWJlbCI6IkxUSSBCb290Y2FtcCBDb3Vyc2UiLCJpZCI6ImFkYWNlYzM4LTI0YWUtMTFlOC04YTQ4LWM0OGU4ZmZiNzg1NyJ9LCJodHRwOi8vaW1zZ2xvYmFsLm9yZy9sdGkvcm9sZXMiOlsiaHR0cDovL3B1cmwuaW1zZ2xvYmFsLm9yZy92b2NhYi9saXMvdjIvbWVtYmVyc2hpcCNMZWFybmVyIl0sIm5hbWUiOiJLYXJhIFRocmFjZSIsImh0dHA6Ly9pbXNnbG9iYWwub3JnL2x0aS9hZ3MiOnsibGluZWl0ZW0iOiJodHRwOi8vbG9jYWxob3N0OjUwMDAvYWRhY2VjMzgtMjRhZS0xMWU4LThhNDgtYzQ4ZThmZmI3ODU3L2xpbmVpdGVtcy8xL2xpbmVpdGVtIiwibGluZWl0ZW1zIjoiaHR0cDovL2xvY2FsaG9zdDo1MDAwL2FkYWNlYzM4LTI0YWUtMTFlOC04YTQ4LWM0OGU4ZmZiNzg1Ny9saW5laXRlbXMiLCJzY29wZSI6WyJodHRwczovL2ltc2dsb2JhbC5vcmcvbHRpL2Fncy9saW5laXRlbSIsImh0dHBzOi8vaW1zZ2xvYmFsLm9yZy9sdGkvYWdzL3Jlc3VsdC5yZWFkb25seSIsImh0dHBzOi8vaW1zZ2xvYmFsLm9yZy9sdGkvYWdzL3Njb3JlIl19LCJnaXZlbl9uYW1lIjoiS2FyYSJ9.eJSIBa1SCSauSAtqnTDSVQcrO1INgElP1Rh63PTZR0Q6CZo7kxQxewWBc6_Xs8EQdFhcg50NBmTtgEwOHbpPhDoZgc9WSfzFiIl6sYe2yU3sGMVSAEHtuTvuLwlV_XGVSBRnB4go8xO1m4ml1WyoCjwxTbz1An63R_d8N-Y8ROOqhwSw4XIhWuAkNg0J1oQPDBDnSmQQ6LG8DfoZUSM8HHNnW1CitJAUQwi5lRt_IlKCLIeL38htwIx9Wju24mk_OkPzGZ2Nye-Grty3NFNqSIvG8T24XCoTHGtslZvfh8bGqMECJPhGzloSRmUylkTU4TB2TwYo25c_tZpks_xkjA`

### Task 1: Decode the launch

Now, same as with the Deep Linking request, we decode the token:

In [12]:
encoded_jwt = post_data['id_token']
jwt_headers = jwt.get_unverified_header(encoded_jwt)

student_launch = jwt.decode(encoded_jwt, 
                            platform_keys[jwt_headers['kid']], 
                            jwt_headers['alg'],
                            audience = tool_info['client_id'])

md('```json\n'+ json.dumps(student_launch, indent=4)+'```')

DecodeError: Invalid header padding

### Task 2: extract information to show the correct activity

The launch gives information about the user, her role, the course, but also which actual resource we want to launch into.

In [None]:
# fc(claim) prefix the claim with http://imsglobal.org/lti/
mdb('1. Is this a resource link launch? {0}'.format(student_launch[fc('message_type')] == 'LTIResourceLinkLaunch'))
mdb('1. What is the id of the resource link that is launched? {0}'.format(student_launch[fc('resource_link')]['id']))
mdb('1. What is the name of the resource that is launched? {0}'.format(student_launch[fc('resource_link')]['title']))
mdb('1. What is the current course id? {0}'.format(student_launch[fc('context')]['id']))
mdb('1. What is the current user id? {0}'.format(student_launch['sub']))
is_learner = len(list(filter(lambda x: 'learner' in x.lower(), student_launch[fc('roles')])))>0
mdb('1. Is this user a student? {0}'.format(is_learner))
return_url = student_launch[fc('launch_presentation')]['return_url']
mdb('1. Where should I redirect the browser too when done? {0}'.format(return_url))
mdb('1. Which lab should be displayed? {0}'.format(student_launch[fc('custom')]['lab']))
ags_claim = student_launch[fc('ags')]
mdb('1. Is there a gradebook column for this resource? {0}'.format('lineitem' in ags_claim))
mdb()


## Assignment and Grade Services: Posting a grade to a coupled line item

Now that the student has launched into a grading activity, eventually she will complete it. Let's assume this is an autograded quiz. At the end of the interaction, we're going to send a score.

<img src="assets/assignment_grade_services.png" width="60%">

The line item (gradebook column) was created declaratively by the platform when the resource link was created (at the end of the deep linking flow). The line item and the resource link are **coupled**. Due to this explicit relationship, the platform passes us directly the associated line item URL, which we will use to send scores. 

### Task 1: Get an access token

To be able to send a grade, or call any service on that matter, we must first get an access token. This is done by using a JWT based client grant flow [RFC-7523](https://tools.ietf.org/html/rfc7523).

Here we will re-use the token for the rest of the notebook, so we don't specify scope. If you intend to use the token only for a given operation, it is a good practice to scope it accordingly.

The grant type is [client_credentials](https://tools.ietf.org/html/rfc6749#section-1.3.4) as the trust is established between the tool and the platform. The current user and context are not considered.


In [None]:
## Let's define auth functions we can re-use for other calls

def get_token(scope):
    token_endpoint = tool_info['accesstoken_endpoint']

    now = int(time())

    assertion = {
        "iss": tool_info['client_id'],
        "aud": token_endpoint,
        "exp": now + 60,
        "iat": now,
        "jti": "{0}-{1}".format(tool_info['client_id'], now)
    }

    assertion_jwt = jwt.encode(assertion, tool_info['webkeyPem'], 'RS256').decode()

    return json.loads(requests.post(token_endpoint, data = {
        'client_assertion': assertion_jwt,
        'grant_type': 'client_credentials',
        'scope': scope,
        'client_assertion_type': 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'
    }).text)

# We'll also need to create a proper header, so let's also create a function for that
def add_authorization(headers, access_token):
    b64token = base64.b64encode(access_token.encode('utf-8')).decode()
    headers.update({'Authorization': 'Bearer {0}'.format(b64token)})

    


In [None]:
token_info = get_token('https://imsglobal.org/lti/ags/score https://imsglobal.org/lti/ags/results.readonly')

md('#### Access token:')
md('```json\n'+ json.dumps(token_info, indent=4)+'```')

### Task 2: Publish a score

In [None]:
# Scores in the subpath scores from lineitem.
def append_to_path(path, subpath):
    p = re.compile('lineitem($|\?|#)')
    return p.sub('lineitem/{0}\\1'.format(subpath), path)

scores_url = append_to_path(ags_claim['lineitem'], 'scores')

score = {
    'userId': student_launch['sub'],
    'scoreGiven': 9,
    'scoreMaximum': 10,
    'activityProgress': 'Completed',
    'gradingProgress': 'FullyGraded',
    'timestamp': datetime.utcnow().isoformat()
}

headers = {'Content-Type': 'application/vnd.ims.lis.v1.score+json'}
add_authorization(headers, token_info['access_token'])

r = requests.post(scores_url.encode(), headers=headers, data=json.dumps(score))

# let's check it was OK
r.raise_for_status()

md('The score was processed successfully be the back-end')




### Task 3: get the results

Let's not get the results to see our operation did actually succeed

In [None]:
results_url = append_to_path(ags_claim['lineitem'], 'results')

headers = {'Content-Type': 'application/vnd.ims.lis.v2.resultcontainer+json'}
add_authorization(headers, token_info['access_token'])

r = requests.get(results_url.encode(), headers=headers)

# let's check it was OK
r.raise_for_status()

md('#### Current results for item')
md('```json\n'+ json.dumps(r.json(), indent=4)+'```')



### Task 4: marking a score as needing grading
Assignment and Grade services allow for more than just passing grade. Let's say we just want to mark a submission was done, and the instructor requires to manually grade the essay. In which case, we can post a Score indicating the status of the activity is completed, and the grading needs manual intervention using the `activityProgress` and `gradingProgress` attributes.

In [None]:
score = {
    'userId': student_launch['sub'],
    'activityProgress': 'Completed',
    'gradingProgress': 'PendingManual',
    'timestamp': datetime.utcnow().isoformat()
}

headers = {'Content-Type': 'application/vnd.ims.lis.v1.score+json'}
add_authorization(headers, token_info['access_token'])

r = requests.post(scores_url.encode(), headers=headers, data=json.dumps(score))

# let's check it was OK
r.raise_for_status()

md('The score was processed successfully be the back-end')


We can see it now in the platform gradebook:

In [None]:
platform_gradebook_url = '{0}/course/{1}/gradebook'.format(platform_url, student_launch[fc('context')]['id'])
display(HTML('<iframe src="{0}" style="height: 300px; width:100%"></iframe>'.format(platform_gradebook_url)))

## Assignment and Grade Services - Uncoupled

The assignment and grade services support an alternate way to create line items: rather than having the platform creates a line item when it creates a link, a tool may use the API to create standalone line items, i.e. uncoupled from any lti link (the API may optionaly include an ltiLinkId to tie the one or many line items to a single resource link, although platforms will often treat this association as weaker than a declarative flow).

Let's use the API to add a new line item, send some scores to it, then delete it.


### Task 1: get a properly scoped token

Same as before, we just need to now ask also for the scope to allow line item management.

In [None]:
token_info = get_token('https://imsglobal.org/lti/ags/score https://imsglobal.org/lti/ags/results.readonly https://imsglobal.org/lti/ags/lineitem')

md('#### Access token with all assignment and grade services scopes:')
md('```json\n'+ json.dumps(token_info, indent=4)+'```')

### Task 2: create a new line item and post score

The `lineitems` is the URL representating all the line items in the current context bound to our tool. We can do a GET to see all the existing items, and a POST to add a new one. Let's start by adding one:

In [None]:
# note the specific mediatype
headers = {'Content-Type': 'application/vnd.ims.lis.v2.lineitem+json'}
add_authorization(headers, token_info['access_token'])

lineitem = {
    "resourceId": "bootcamp",
    "tag": "participation",
    "label": "Participation in Bootcamp",
    "scoreMaximum": 25
}

r = requests.post(ags_claim['lineitems'], headers=headers, data=json.dumps(lineitem))

r.raise_for_status()

uncoupled_item = r.json();

md('#### Successfully added line item:')
md('```json\n'+ json.dumps(uncoupled_item, indent=4)+'```')



In [None]:
r = requests.get(ags_claim['lineitems'], headers=headers)

# let's check it was OK
r.raise_for_status()

md('#### Current line items for this tool in the context')
md('```json\n'+ json.dumps(r.json(), indent=4)+'```')

Sending the score to the uncoupled line item is the same as with the coupled one, the id being the line item URL.

In [None]:
scores_url = append_to_path(uncoupled_item['id'], 'scores')

score = {
    'userId': student_launch['sub'],
    'scoreGiven': 10,
    'scoreMaximum': 10,
    'activityProgress': 'Completed',
    'gradingProgress': 'FullyGraded',
    'timestamp': datetime.utcnow().isoformat()
}

headers = {'Content-Type': 'application/vnd.ims.lis.v1.score+json'}
add_authorization(headers, token_info['access_token'])

r = requests.post(scores_url.encode(), headers=headers, data=json.dumps(score))

# let's check it was OK
r.raise_for_status()

md('The score was processed successfully be the back-end')


### Task 3: Updating the line item

Update is done by PUTting the updated definition to the line item  URL (id).

In [None]:
# note the specific mediatype
headers = {'Content-Type': 'application/vnd.ims.lis.v2.lineitem+json'}
add_authorization(headers, token_info['access_token'])

lineitem = {
    "resourceId": "bootcamp",
    "tag": "participation",
    "label": "Participation (uncoupled)",
    "scoreMaximum": 30
}

r = requests.put(uncoupled_item['id'], headers=headers, data=json.dumps(lineitem))
                           
r.raise_for_status()

uncoupled_item = r.json();

md('#### Successfully updated line item:')
md('```json\n'+ json.dumps(uncoupled_item, indent=4)+'```')


You can also scroll back up where the platform UI is displayed and check in the gradebook to see the item is present (and scores have been rescaled).

### Task 4: Delete the uncoupled line item

Deleting is just issuing a DELETE command the line item URL.

In [None]:
# no content type, it's a delete
headers = {}
add_authorization(headers, token_info['access_token'])

r = requests.delete(uncoupled_item['id'], headers=headers)
                           
r.raise_for_status()

md('#### Successfully deleted line item')
