feat: add LTI and OAuth2 integrations for authentication#74
Conversation
| auth_user, created = MyUser.objects.get_or_create( | ||
| # Make the username unique to the launch ISS, so different | ||
| # institution's Canvas instance creates unique usernames | ||
| username=f"{canvas_user_id}+{launch_iss}" |
There was a problem hiding this comment.
canvas_user_id (and canvas_course_id used below) come from the LTI custom claims, which require manually adding a custom_fields block to the dev key. If it's missing, both values come back None, and every launch from that instance silently collides into a single None+<iss> user and a single None-keyed course instead of failing. Would be worth validating these claims are present and rejecting the launch if they're not
|
|
||
| # do not require deployments in config | ||
| class ExtendedDjangoMessageLaunch(DjangoMessageLaunch): | ||
| def validate_deployment(self): |
There was a problem hiding this comment.
validate_deployment is overridden to skip LTI's deployment id check. That check is an extra access-control layer on top of the issuer/signature validation to ensure only courses we've approved can use the tool. Since courses currently only get added manually after requesting access, this isn't urgent but it's worth considering.
No description provided.