This is a small LTI 1.3 tool that can be installed.
To run the Spring Boot application, we need to have a bean of type:
org.springframework.security.oauth2.client.registration.ClientRegistrationRepositoryHence, we need to create a config folder in the root directory and inside that we need to add an
application.properties file.
To setup TLS in a development environment it's recommended that you install mkcert which will install a trusted root certificate and then allow a certificate to be generated for localhost. Once installed run this in the root of the project:
mkcert -pkcs12 -p12-file config/keystore.p12 localhost
Then start the application with the ssl profile enabled and the LTI tool should be accessible on https://localhost:8443/
For LTI 1.3 a public/private keypair is needed. To generate one for development use:
keytool -genkeypair \
-alias jwt \
-keyalg RSA \
-keystore config/jwk.jks \
-storepass store-pass \
-dname CN=development
Go to you account and add a LTI Developer Key, fill in the following:
- Key name: Name of your tool's key (eg LTI 1.3 Tool Key)
- Owner email: your email.
- Redirect URIs: https://server/lti/login
- Method: Paste JSON
- LTI 1.3 Configuration: Go to https://server/config.json and copy and paste the content into this field.
Open the file config/application.properties and add these properties:
spring.security.oauth2.client.registration.canvas.client-id=1234
spring.security.oauth2.client.registration.canvas.client-secret=secret
spring.security.oauth2.client.registration.canvas.authorization-grant-type=implicit
spring.security.oauth2.client.registration.canvas.scope=openid
spring.security.oauth2.client.registration.canvas.redirect-uri={baseUrl}/lti/login
spring.security.oauth2.client.provider.canvas.authorization-uri=https://canvas.instructure.com/api/lti/authorize_redirect
spring.security.oauth2.client.provider.canvas.token-uri=https://canvas.instructure.com/login/oauth2/token
spring.security.oauth2.client.provider.canvas.jwk-set-uri=https://canvas.instructure.com/api/lti/security/jwks
spring.security.oauth2.client.provider.canvas.user-name-attribute=sub
- replace the client-id value (1234) with the ID of the LTI Developer Key you have created.
- replace the client-secret value (secret) with the LTI Developer Key secret.
- you can update the URIs to point to the canvas instance you are using, but it works fine using the canvas.instructure.com
There is a reference implementation for testing LTI integrations available at https://lti-ri.imsglobal.org which allows you to create a Platform to perform test launches with. These instructions assume you are running the tool on https://localhost:8443/
- Open Generate Keys in a new tab and keep this tab open.
- Open Manage Platforms in a new tab
- Click Add Platform.
- Add a unique name for your Platform.
- Provide a OAuth2 client id. (ex: 12345)
- Add a audience (ex: https://lti-ri.imsglobal.org)
- Set Tool Deep Link Service Endpoint to https://localhost:8443/
- Copy Public key from Generate Keys tab and paste into Platform Public Key field
- Copy Private key from Generate Keys tab and paste into Platform Private Key field
- Run
keytool -list -rfc -keystore config/jwk.jks -alias jwt -storepass store-passat the root of the project and copy the certificate into to Tool Public Key field. - Click Save
- Find your Platform in the list of Platforms
- View your Platform
- Click Platform Keys
- Click Add Platform Key.
- Create a name for your Platform Key (ex: Key 1)
- Add Deployment ID (ex: 1, you may set up multiple later)
- Click Save
-
Add a oauth registration/provider for the LTI RI platform to
config/application.properties:spring.security.oauth2.client.registration.ims-ri.client-id=oauth-12345 spring.security.oauth2.client.registration.ims-ri.client-secret=unused spring.security.oauth2.client.registration.ims-ri.authorization-grant-type=implicit spring.security.oauth2.client.registration.ims-ri.scope=openid spring.security.oauth2.client.registration.ims-ri.redirect-uri={baseUrl}/lti/login spring.security.oauth2.client.provider.ims-ri.authorization-uri=https://lti-ri.imsglobal.org/platforms/343/authorizations/new spring.security.oauth2.client.provider.ims-ri.token-uri=https://lti-ri.imsglobal.org/platforms/343/access_tokens spring.security.oauth2.client.provider.ims-ri.jwk-set-uri=https://lti-ri.imsglobal.org/platforms/343/platform_keys/333.json spring.security.oauth2.client.provider.ims-ri.user-name-attribute=sub -
Update OAuth2 client id (
spring.security.oauth2.client.registration.ims-ri.client-id), same value as Platform above (ex: 12345) -
In Platform tab, navigate to your platform
-
Click View Platform
-
Click Platform Keys
-
Copy well-known/jwks URL endpoint
-
Update JWT URI (
spring.security.oauth2.client.provider.ims-ri.jwk-set-uri) with the copied value. -
In Platform tab, navigate to your platform
-
Copy the OAuth2 Access Token URL value
-
Update Token URI (
spring.security.oauth2.client.provider.ims-ri.token-uri) with the copied value. -
Copy the OIDC Auth URL from Platform Page
-
Update Authorization URI (
spring.security.oauth2.client.provider.ims-ri.authorization-uri) with the copied value.
Step 5: In Platform tab, view your Platform
-
Click Courses
-
Click Add Course
-
Populate course values in form
-
Click save
-
Navigate back and view your Platform
-
Click Resource Links
-
Populate resource link values in form
-
For Tool link url, use https://localhost:8443/
-
For Login initiation url, use https://localhost:8443/lti/login_initiation/ims-ri
-
Click Save
-
Navigate and view your Platform
-
Click Resource Links
-
Click Select User for Launch
-
Click on Launch Resource Link (OIDC) for a user
-
Click on Post request
-
Click on Launch Resource Link
-
Click on Perform Launch
-
If configuration is setup correctly, you should see Successful Launch at top of page