“Human sacrifice, dogs and cats living together… mass hysteria!”
– Dr. Peter Venkman
Can LTI and SLC live together peacefully or will there be mass hysteria?
“Advancing Learning Impact by Enabling the Open Foundation for Seamless, Agile and Information-Rich Educational Technology Integration”
“…working to make personalized learning a reality for every U.S. student by improving the usefulness, variety and affordability of education technology”
They both talk about edtech. I was curious to see if they are trying to solve the same problem. I also like to get my hands dirty, so I recently made my Sample LTI Consumer Website (consumer website) a registered application in the SLC Sandbox. I found out that they (or at least LTI and IMS) are complementary solutions. They are trying to solve the same problem—integrating edtech—but at different layers of the stack. IMS is creating dialects that edtech systems can use to talk to each other (e.g. LTI), while the SLC is creating shared nouns and verbs so that all the systems can talk about the same thing (e.g. SLI).
The rest of this post describes the steps I went through to connect my consumer website to the SLC. All the code is in CodePlex. And you are welcome to connect your SLC Sandbox to my consumer website to see how it works, but please don’t use data about real people.
Future posts will describe how the SLC and the consumer website work together to share data including assignments and scores.
1. Sign Up for an SLC Sandbox Account
This is very straightforward. Go to http://dev.slcedu.org/getting-started and create a new sandbox account. You will need some sample data to play with. I used the small dataset. At this point you can login to the Sandbox Portal and play with the pre-registered applications. Once you are convinced there is some data to work with, it’s time to add your application to the portal.
2. Add Support for OAuth
Portal applications must support OAuth authentication. Luckily, my consumer website is based on the ASP.NET MVC 4 Internet Application template,
This template has built in support for OpenID and OAuth, including pre-configured support for Google, Facebook, Twitter, and LinkedIn,
These are all IAuthenticationClient’s in the DotNetOpenAuth library. To make use of the built in OAuth2 support, I created an IAuthenticationClient for the SLC Sandbox. I based it off of OAuth2Client which implements all the basic OAuth2 handshaking. It is too long to include in this post, but you can find the source code in CodePlex (SlcSandboxClient.cs). Basically I had to implement three overrides: GetServiceLoginUrl, QueryAccessToken, and GetUserData. Then I registered the new client in AuthConfig.RegisterAuth (AuthConfig.cs) and bobs-your-uncle, there it is:
It worked as a proof of concept, but quickly broke down when I thought about multiple sandboxes connecting to the consumer website.
The OAuth support built into the MVC template is designed with two assumptions:
- The OAuth exchange will start in the application. In other words, you visit the application (e.g. http://consumer.azurewebsites.net/Account/Login) and click on one of the identity providers (e.g. Facebook) to start the authentication process.
The application (e.g. http://consumer.azurewebsites.net/) only has a single tenant so there is only one ClientID for each identity provider.
Both design assumptions are wrong with respect to the Sandbox Portal and my consumer website:
- When you use the SLC Sandbox Portal, you start the authentication process from within the identity provider (the SLC), not the application.
- The application (my consumer website) has multiple tenants (school districts) which want to completely isolate identity and data.
To solve these problem, I did two things:
- A tenant in the SLC must be registered in the consumer website (and the consumer website must be registered in the SLC).
- I require that the initial request from the Sandbox Portal includes the Client ID. If it is missing or unrecognized by the SlcSandboxClient, the authentication request is rejected.
When you launch my consumer website from your Sandbox Portal, the SlcSandboxClient will grab the Client ID from the request, lookup the tenant registration, and continue the authentication process.
That is why the SLC button in the screenshot above did not work. When you start the SLC authentication from the application, SlcSandboxClient does not know which Client ID to use. I suppose I could fix that too (for example, list all the registered tenants with a separate button), but for now, I simply hide the SLC button,
3. Register the Application
Now that the application (consumer website) supports OAuth, it was time to register the application in the Sandbox Portal. In the Url field, I entered the URL to the /Account/ExternalLogin2 action (ExternalLogin2 is identical to ExternalLogin, but it accepts a GET request) including the OAuth provider name (“slcsandbox”) and clientId. For example,
Note that I did not yet know the clientId, so just enter some bogus characters. In the Redirect Url field, I entered the URL to the /Account/ExternalLoginCallback action. For example,
After activating the registration (by clicking on the In Progress button), I changed the Url to use the real Client ID that was assigned. For example,
4. Register the Tenant
5. Launch the Application
I logged out of the Sandbox Portal (to get out of the admin section) and selected Test Applications in My Sandbox. Then I impersonate one of the educators, and clicked on the application from step 3 above (Sample LTI Consumer in the screenshot below).
The first time you launch the consumer website, you will be prompted to associate your account with a local account,
Once you are logged in, you can create courses or import your SLC sections (including student accounts), and create and launch assignments. More about that in the next post.