Make client_id's type a list or set
martinclaus committed Jan 4, 2024
1 parent f362508 commit 1f517ab
Showing 3 changed files with 13 additions and 16 deletions.
21 changes: 7 additions & 14 deletions docs/source/lti13/getting-started.md
Expand Up @@ -7,7 +7,8 @@ Start by navigating to your [LMS vendor's integration section](lms-integration.m
During the tool registration process, you should obtain the following information which is necessary to complete the setup of the LTI Authenticator plugin:

- `issuer`: URL of the LMS platform used for identification
- `client_id`: opaque ID of the tool registration at the platform
- `client_id`: opaque ID of the tool registration at the platform.
You may obtain multiple client IDs, e.g. if you do multiple [single-tenant registrations](https://www.imsglobal.org/spec/lti/v1p3#single-tenant-tool-registered-and-deployed-once) within your LMS with the same JupyterHub instance.

```{note}
If your LMS is not listed feel free to send us a PR with instructions for this new LMS.
Expand All @@ -21,14 +22,13 @@ See the [configuration reference](reference) for a complete list of available co
The required settings to get authentication via LTI 1.3 to work are:

- `issuer`: the URL of your LMS platform. If your LMS is served from `https://canvas.instructure.com`, the issuer is `https://canvas.instructure.com`.
- `client_id`: opaque ID, typically generated by the LMS when a tool is registered there.
You can specify either a single client ID or a set of client IDs, e.g. if you do multiple [single-tenant registrations](https://www.imsglobal.org/spec/lti/v1p3#single-tenant-tool-registered-and-deployed-once) within your LMS with the same JupyterHub instance.
- `client_id`: set or list of opaque IDs, typically generated by the LMS when a tool is registered there.
- `authorize_url`: Authorization endpoint of the LMS platform. The URL to which authorization requests are sent by the authenticator as part of the [OIDC implicit flow](https://auth0.com/docs/get-started/authentication-and-authorization-flow/implicit-flow-with-form-post).
E.g. `https://canvas.instructure.com/api/lti/authorize_redirect`.
- `jwks_endpoint`: An endpoint of the LMS from which JupyterHub can obtain the [JWKS](https://auth0.com/docs/secure/tokens/json-web-tokens/json-web-key-sets) to verify and decode any received [JWT](https://auth0.com/docs/secure/tokens/json-web-tokens).
E.g. `https://canvas.instructure.com/api/lti/security/jwks`.

A valid minimal configuration in the `jupyterhub_config,py` may look like this
A valid minimal configuration in the `jupyterhub_config.py` may look like this

```python
c.JupyterHub.authenticator_class = "ltiauthenticator.lti13.auth.LTI13Authenticator"
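Review bot: the rewritten `client_id` bullet says "set or list of opaque IDs" but no longer tells readers that a bare string, which the removed wording allowed ("either a single client ID or a set of client IDs"), is not the documented form any more. Add one sentence telling existing users to wrap a single ID in a list, so configurations written against the old text are not silently left as a plain string.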
Expand All @@ -43,7 +43,7 @@ c.LTI13Authenticator.authorize_url = "https://canvas.instructure.com/api/lti/aut
c.LTI13Authenticator.jwks_endpoint = "https://canvas.instructure.com/api/lti/security/jwks"

# The external tool's client id as represented within the platform (LMS)
c.LTI13Authenticator.client_id = "125900000000000329"
c.LTI13Authenticator.client_id = ["125900000000000329"]
```

## Username Key Setting
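Review bot: the comment above the changed assignment still reads "The external tool's client id" in the singular although the value is now a list. Reword it to say that this is the list of client IDs registered for the tool, one entry per registration, so the example explains why the brackets are there.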
Expand Down Expand Up @@ -104,19 +104,12 @@ hub:
authorize_url: "https://canvas.instructure.com/api/lti/authorize_redirect"
# The external tool's client id as represented within the platform (LMS)
# Typically created by the platform when registering the tool.
client_id: "125900000000000329"
client_id:
- "125900000000000329"
# The platform's JWKS endpoint url providing public key sets used to verify the ID token
jwks_endpoint: "https://canvas.instructure.com/api/lti/security/jwks"
```
If you like to set multiple client IDs, you need to use yamls list notation:
```yaml
client_id:
- "125900000000000329"
- "125900000000000330"
```
## Deal with Synchronization Issues (iat, nbf, exp)
The underlying OIDC Implicit flow protocol requires some checks involving token issuing time.
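Review bot: with the two-ID YAML example removed, nothing in this section shows that further client IDs are added as extra list items, and the YAML comment still describes a single "client id". Either keep a second, commented-out list item in the remaining example or extend the comment to state that `client_id` is a list with one item per tool registration.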
2 changes: 1 addition & 1 deletion docs/source/lti13/reference.md
Expand Up @@ -28,7 +28,7 @@ hub:
| tool_description | No | Description of the tool within the config JSON | `"Launch interactive Jupyter Notebooks with JupyterHub"` |
| username_key | No | The LTI 1.3 launch parameter that contains the JupyterHub username value | `"email"` |
| issuer | Yes | The platform's issuer identifier. A case-sensitive URL provided by the platform | |
| client_id | Yes | The client ID or a list of client IDs identifying the JuyterHub within the LMS platform. Must contain the client IDs created when registering the tool on the LMS platform. Possible values are of type `str` or `set[str]`. | |
| client_id | Yes | List or set of client IDs identifying the JuyterHub within the LMS platform. Must contain the client IDs created when registering the tool on the LMS platform. Possible values are of type `list[str]` or `set[str]`. | |
| authorize_url | Yes | Authorization end-point of the platform's identity provider. Provided by the platform. | |
| jwks_endpoint | Yes | Platform's jwks endpoint. Provided by the platform | |
| jwks_algorithms | No | List of supported signature methods | `["RS256"]` |
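Review bot: the rewritten `client_id` row carries over the typo "JuyterHub"; correct it to "JupyterHub" while this line is being touched. The row could also say that a plain `str` is no longer among the possible values, since the removed text listed `str` or `set[str]`.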
6 changes: 5 additions & 1 deletion examples/jupyterhub_config_lti13.py
Expand Up @@ -33,7 +33,11 @@
os.getenv("LTI13_AUTHORIZE_URL")
or "https://canvas.instructure.com/api/lti/authorize_redirect"
)
c.LTI13Authenticator.client_id = os.getenv("LTI13_OAUTH_CLIENT_ID") or {""}
# The client ids are comma separated
if client_id := os.getenv("LTI13_OAUTH_CLIENT_ID"):
c.LTI13Authenticator.client_id = client_id.split(",")
else:
c.LTI13Authenticator.client_id = {""}
c.LTI13Authenticator.jwks_endpoint = (
os.getenv("LTI13_JWKS_ENDPOINT")
or "https://canvas.instructure.com/api/lti/security/jwks"
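Review bot: `client_id.split(",")` keeps surrounding whitespace and empty entries, so a value written as `a, b` or one ending in a comma produces IDs (` b`, an empty string) that differ from what was registered at the platform. Strip each item and drop empty ones, for example `[s.strip() for s in client_id.split(",") if s.strip()]`. The `else` branch also assigns `{""}`, a set holding an empty client ID, while the other branch assigns a list; raising an error when `LTI13_OAUTH_CLIENT_ID` is unset would surface a missing setting at startup instead of configuring an empty ID.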