In my previous post I wrote about the OWIN middleware for LTI I wrote to handle LTI launch authentication. This time I want to talk about using OWIN middleware to authenticate the other LTI stuff: outcomes and the new content-item messages.
The Content Item 1.0 spec piggy backs on top of the LTI launch spec, so authentication works almost exactly the same. The only difference is that I needed to add the OWIN middleware for LTI to the Tool Consumer (e.g. http://consumer.azurewebsites.net). That is because the Tool Provider sends the content placement post to the Tool Consumer (almost as if the Tool Provider were launching something on the Tool Consumer).
However, the application event handlers are much simpler. All I needed to do is ensure the request is valid.
Basic Outcomes are a different story. Because Basic Outcomes are server-to-server messages, it is very easy to implement an ApiController on the receiving end (the Tool Consumer). There is only one external endpoint called Post.
Thanks to Mike Wasson I figured out how to configure the Web API to use OWIN middleware for LTI to authenticate the request in WebApiConfig.cs.
Consumer and Provider have been updated to run with the new code. I had to replace the Provider database and I apologize to everyone that had it configured to work with your Tool Consumer. You will have to re-register your tool consumer.