Learning Management System Integration (LTI 1.3 Authentication)

Summary: Allow Discourse to integrate with a number of learning management systems via the LTI 1.3 standard.

:link: GitHub: github.com/discourse/discourse-lti
:arrow_right: Install: Follow the plugin installation guide.

This plugin implements the LTI 1.3 standard for authentication, which is supported by a number of learning management systems. Discourse acts as a “Tool” within the LTI standard. Once configured, users will be able to click a button/link on the learning management system, and instantly be logged into Discourse.

Precise setup instructions will vary based on your Learning Management System. But in general:

  1. Create a new “Tool” entry in your learning management system
  • LTI Version: 1.3
  • Launch URL: any URL on your site. Users will be directed here after login
  • Auth Request URL: https://<your-discourse-site>/auth/lti/initiate
  • Redirect URL: https://<your-discourse-site>/auth/lti/callback
  • Tool Public Key - leave blank. Discourse never sends data to the LMS
  1. In your LMS, find the 'Authorization endpoint", “Tool Client ID”, “Platform Issuer ID”, and the “Platform Public Key”, and add them to the relevant site settings in Discourse. In Discourse, the settings can be found by searching for lti in the Discourse site settings UI.

  2. If your learning management system guarantees User emails have been validated, enable the lti email verified site setting. :warning: Warning: If your LMS does not verify emails, enabling lti email verified is a security risk.

  3. Turn on the lti enabled site setting

If these instructions don’t make sense for your LMS, please post in the topic below and we’ll do our best to update the instructions accordingly.

What if my site is invite_required?

If you want your users to go through the Discourse invite redemption flow when they first log in, you can use LTI “Custom Properties” to specify a Discourse invite link. New users will be directed to the invite, while existing users will be sent to the regular launch URL. For example:

Property Name Property Value
discourse_invite_link https://discourse.example.com/invites/abcdefg
11 Likes

@david David, would you please share a configuration instance with me? I tried many times for integrating Discourse with Moodle 3.10, but still no luck. Always said:

OpenSSL::PKey::RSAError (Neither PUB key nor PRIV key: nested asn1 error)
lib/middleware/omniauth_bypass_middleware.rb:50:in `call'
lib/content_security_policy/middleware.rb:12:in `call'
lib/middleware/anonymous_cache.rb:355:in `call'
config/initializers/100-quiet_logger.rb:23:in `call'
config/initializers/100-silence_logger.rb:31:in `call'
lib/middleware/enforce_hostname.rb:23:in `call'
lib/middleware/request_tracker.rb:187:in `call'

What have you entered in the “platform public key” setting? If I remember correctly, Moodle provides a JWKS url by default, which this plugin doesn’t support.

It should be possible to find the raw certificate somewhere, which you can copy/paste into Discourse,

@david Thank you for replying me. Yes. In Moodle. it showed Public keyset URL: https://mysiet.com/mod/lti/certs.php.
I opened this URL in browser, it showed as below:

{
    "keys": [
        {
            "kty": "RSA",
            "alg": "RS256",
            "kid": "1371e22ce81f1dbb936a",
            "e": "AQAB",
            "n": "xXOfRS1UronVdVUEal0jyIhyNkAcbCRb6K2uzLsoQgRAaqA2ixbshCTWW_Yj-ZoJgg7UoruO65TB5EIldMyPJbYjYoMF0rB5a-wcvEhtWxfLs8FsDNLM9czjYXZUXBJ6sxIGNp-9Wp4c6PaecvXDfc4bJoHU8Ee5WzUk2XuX8dXX4jx8ipwzRa8qaQT-0cIPnZw4LmkPiTgn-gA-LuqjG2w9awwjnWTuZbTNPTphgPO9FD4lD_dAY3biURU_lEyJXflqFYwbrpja-b8y23qixwiHEYsM3_2F5D-DrI3Nsty219-ALDmJ0wY1hnr4p2NfwYZr_d2YjpIiJW_8iW3SRQ",
            "use": "sig"
        }
    ]
}

I copied the value of “n” in the json (the longest one) into Discourse. But still the same error.

I don’t think copying the n value will be enough - discourse needs the key in the PEM format. Long-term we might be able to add support for JWKs, but in the short term you should be able to get it working by converting the key.

There are some online tools which can convert from JWKs format into PEM. Here’s one. (Obviously I can’t guarantee the safety of these online tools, so make sure you only paste public information into them)

Once you have the PEM (starting with -----BEGIN PUBLIC KEY-----, then Discourse should accept it.