LTI Launch Authentication with Node.js

Just wanted to mention that I ended up doing a working example of this awhile back.

https://github.com/ripples/Present/blob/master/server/app.js#L35

passport.use('lti-strategy', new CustomStrategy(    function(req, callback) {        var val = (req.body) ? req.body : req.user              try{            var provider = new lti.Provider(val , process.env.LTI_SECRET)               if(req.user){                callback(null, val)                     }            else{                provider.valid_request(req, function(err, isValid) {                    if(err){                        console.log("LTI Error", err, isValid)                    }                    callback(err, val)                });            }               }        catch(err){            console.log("Authenication error", err)            callback(err, null)        }    }))

I ended up doing a custom passport strategy and using another library to do the authentication.

https://github.com/omsmith/ims-lti

It's that new lti.Provider bit, the key is that it takes in the LTI post req object to do auth.

When an LTI Tool Consumer (i.e. an LMS) launches an LTI Application (Tool Provider) The LTI Tool is sent an HTTP Post.

In order to authenticate that the post is legitimate, you need to verify that the post variable 'oauth_signature' is valid by recomputing the signature locally using the shared secret key that you exchanged with the Tool Consumer when the LTI tool was configured.

The act of verifying the OAuth signature is likely handled by an OAuth library .. nodejs already has these, so please don't reimplement one.

You can read the full process of validating the launch request in the IMS Global documentation