Best practice with tincan LRS/LMS launching and OAuth


Question

I'm working on building a tin-can based LMS. We launch activities from the LMS according to this guide, with the appropriate query parameters for the activity to communicate back to the LRS xAPI endpoint.

https://github.com/RusticiSoftware/launch/blob/master/lms_lrs.md

The thing we're struggling with is authentication of incoming statements. For now we're cheating and just using session cookies as the activities are on the same domain as the LMS, however we want to move to external activities.

I understand that tin-can prefers OAuth 2.0 for this purpose, however I'm not sure what the best token exchange flow should be. My best guess would be

  1. User clicks the activity link in the LMS
  2. The activity URL opens with the tin-can parameters (actor, endpoint, etc.)
  3. The activity redirects the user back to the LRS to obtain an authentication token
  4. The LRS redirects back to the activity with the authentication token and the original tin-can parameters
  5. The activity exchanges the authentication token for an access token
  6. The LRS returns the access token to the activity
  7. The activity makes tin-can statement calls authorized with the access token

However the first few steps seem redundant given that we're coming from the LMS/LRS anyway. Is it possible/recommended to either:

  • Launch the activity URL with a pre-existing authentication token, skipping to step 5
  • Launch the activity URL with a pre-existing access token, skipping straight to step 7

Either of these would reduce the number of steps needed, but could introduce security risks.

Thoughts?

Recommended answer

The launch document doesn't specify any authentication parameters to pass when using OAuth, and only talks about OAuth in the case that the activity provider being launched is registered with the LMS (at which point the LMS is to assume the activity will authenticate via OAuth and not send basic auth information).

https://github.com/RusticiSoftware/launch/blob/master/lms_lrs.md#oauth

So, it is possible to use OAuth with launch, but launch does not provide any help. It simply gives you the endpoint to use, and then you have to look at the xAPI spec itself to see where the OAuth endpoints are relative to the main LRS endpoint.

https://github.com/adlnet/xAPI-Spec/blob/1.0.1/xAPI.md#oauth-endpoints

You'll also need to choose and follow a workflow:

https://github.com/adlnet/xAPI-Spec/blob/1.0.1/xAPI.md#64-security

Finally, if skipping to step 7 would be acceptable to you from a security perspective, why not just use the basic auth token the LMS passes you on the launch link?
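An added example (not from the question, the answer, or the Rustici launch project) of the "skip to step 7" approach the answer suggests, with the scoping check that makes reusing the launch credential safer: the LMS mints a per-launch Basic credential, the activity reuses it from the launch link, and the LRS accepts statements only within the registration, activity and actor that credential was issued for. The query parameter names (`endpoint`, `auth`, `actor`, `registration`, `activity_id`) are assumed from the launch guide; the in-memory `issued` dict stands in for whatever store your LRS uses.

```python
import base64
import json
import secrets
import uuid
from urllib.parse import parse_qs, urlencode, urlparse
# Parameter names assumed from the Rustici launch guide; adjust if yours differ.
REQUIRED = ("endpoint", "auth", "actor", "registration", "activity_id")

def issue_launch(base_url, lrs_endpoint, actor, activity_id, issued):
    """LMS side: mint a per-launch Basic credential, record its scope, build the URL."""
    registration = str(uuid.uuid4())
    raw = f"{registration}:{secrets.token_urlsafe(24)}".encode()
    token = base64.b64encode(raw).decode()
    issued[token] = {"registration": registration, "activity_id": activity_id, "actor": actor}
    params = {"endpoint": lrs_endpoint, "auth": f"Basic {token}", "actor": json.dumps(actor),
              "registration": registration, "activity_id": activity_id}
    return f"{base_url}?{urlencode(params)}"

def parse_launch(url):
    """Activity side: read the launch parameters, failing loudly if one is missing."""
    qs = parse_qs(urlparse(url).query)
    missing = [k for k in REQUIRED if k not in qs]
    if missing:
        raise ValueError(f"launch URL missing parameters: {missing}")
    launch = {k: qs[k][0] for k in REQUIRED}
    launch["actor"] = json.loads(launch["actor"])
    return launch

def build_statement(launch, verb_id):
    """Activity side: statement POST reusing the credential from the launch link."""
    statement = {"actor": launch["actor"], "verb": {"id": verb_id},
                 "object": {"id": launch["activity_id"]},
                 "context": {"registration": launch["registration"]}}
    headers = {"Authorization": launch["auth"], "X-Experience-API-Version": "1.0.1",
               "Content-Type": "application/json"}
    return launch["endpoint"].rstrip("/") + "/statements", headers, statement

def authorize_statement(headers, statement, issued):
    """LRS side: accept only a known credential, used within the scope it was issued for."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    scope = issued.get(token) if scheme == "Basic" else None
    if scope is None:
        return False, "unknown credential"
    checks = {"registration": statement.get("context", {}).get("registration"),
              "activity_id": statement.get("object", {}).get("id"),
              "actor": statement.get("actor")}
    for name, value in checks.items():
        if value != scope[name]:
            return False, f"{name} mismatch"
    return True, "ok"
```

Expiring or revoking entries in `issued` when the registration ends limits how long a leaked launch link stays usable.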
