Skip to content

feat: add LTI and OAuth2 integrations for authentication#74

Open
Opeyem1a wants to merge 9 commits into
masterfrom
03-09-feat_add_lti_and_oauth2_integrations_for_authentication
Open

feat: add LTI and OAuth2 integrations for authentication#74
Opeyem1a wants to merge 9 commits into
masterfrom
03-09-feat_add_lti_and_oauth2_integrations_for_authentication

Conversation

@Opeyem1a

Copy link
Copy Markdown
Member

No description provided.

@catinhere catinhere self-requested a review July 7, 2026 20:11
Comment thread src/lti/views.py
auth_user, created = MyUser.objects.get_or_create(
# Make the username unique to the launch ISS, so different
# institution's Canvas instance creates unique usernames
username=f"{canvas_user_id}+{launch_iss}"

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

canvas_user_id (and canvas_course_id used below) come from the LTI custom claims, which require manually adding a custom_fields block to the dev key. If it's missing, both values come back None, and every launch from that instance silently collides into a single None+<iss> user and a single None-keyed course instead of failing. Would be worth validating these claims are present and rejecting the launch if they're not

Comment thread src/lti/views.py

# do not require deployments in config
class ExtendedDjangoMessageLaunch(DjangoMessageLaunch):
def validate_deployment(self):

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

validate_deployment is overridden to skip LTI's deployment id check. That check is an extra access-control layer on top of the issuer/signature validation to ensure only courses we've approved can use the tool. Since courses currently only get added manually after requesting access, this isn't urgent but it's worth considering.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants