[Building Sakai] BasicLTI Feature for Setting Grades from an External Tool (BLTI-68)

Nate Angell nangell at rsmart.com
Sat Jul 24 12:15:13 PDT 2010


Good experiment!

Will the web services strategy mean that the BLTI tool could set grades in
Gradebook2 rather than Gradebook should the Sakai site be using GB2?

Maybe that question might be best answered by the GB2 team...

On Sat, Jul 24, 2010 at 10:23 AM, csev <csev at umich.edu> wrote:

> Hello all,
>
> I am starting work on a new feature for Basic LTI in Sakai - the ability to
> set a grade from an external tool using a web service.  The specs for this
> work are here:
>
> http://jira.sakaiproject.org/browse/BLTI-68
>
> I would love some review of the approach - in particular, I would love some
> examination of the security approach.  Since we are taking grades from a web
> service, it should be safe enough that we trust it.   Here is the outline of
> the approach:
>
> 1. Instructor places the Basic LTI portlet and configures with the url,
>    secret, and key.
> 2. Instructor uses the config UI to (a) indicate that the tool will be
>    sending grades, (b) create the column if necessary, and (c) pick the
>    gradebook column to store results.  This sets the *outcome_gradebook*
>    properties in the tool placement.
> 3. Student launches the tool in the consumer.  The launch includes the
>    *lis_result_sourcedid* which is an encrypted version of a random
>    number, placement id, and user id using the Blowfish system-wide
>    private key (same as TinkTool).
> 4. The Tool Provider stores the *lis_result_sourcedid* in its tables
>    somewhere, remembering the *oauth_consumer_key* as well.
> 5. Student uses the tool and earns a grade, or perhaps the student uses
>    the tool and the instructor goes into the tool and grades the student
>    work.
> 6. Either as a side effect of the student completing the work, or the
>    instructor pressing a "send-grades" button, the tool provider creates
>    a *simple-lis-replaceresult* message including the
>    *lis_result_sourcedid* and signing it using OAuth using the
>    *oauth_consumer_key* which the Tool Consumer used to sign the launch
>    request.
> 7. The message is sent to a servlet on the tool consumer.  First, the
>    servlet decrypts the *lis_result_sourcedid* using the system-wide
>    Blowfish private key and if it decrypts successfully, it parses it to
>    extract the placement id and user id from the *lis_result_sourcedid*.
> 8. It then looks up the *oauth_consumer_key* and secret from the
>    placement and checks the OAuth signature of the message.
> 9. If the OAuth signature is valid, the servlet uses SecurityAdvisor to
>    set the grade.
>
> There is much more detail in design documents in the JIRA mentioned above.
>
> Please review and comment.
>
> /Chuck
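The consumer-side checks from the outline quoted above (decrypt the sourcedid, look up the placement's key and secret, verify the signature, only then accept the grade), as an added Java example that is not code from Sakai or from the BLTI-68 design documents. Assumptions: the class and method names, the `:` field separator, the Blowfish mode and padding, the constructed keys and ids, and an HMAC-SHA1 over a simplified string standing in for the full OAuth 1.0 signature base string.

```java
import static java.nio.charset.StandardCharsets.UTF_8;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class OutcomeCheck {
    // Constructed sample data: system-wide key, and placement id -> {consumer key, secret}.
    static final SecretKeySpec SYSTEM_KEY = new SecretKeySpec("constructed-key!".getBytes(UTF_8), "Blowfish");
    static final Map<String, String[]> PLACEMENTS = Map.of("placement-42", new String[] {"key-abc", "secret-xyz"});

    static byte[] blowfish(int mode, byte[] data) throws Exception {
        Cipher c = Cipher.getInstance("Blowfish/ECB/PKCS5Padding"); // mode is an assumption
        c.init(mode, SYSTEM_KEY);
        return c.doFinal(data);
    }
    // Consumer side at launch: random number, placement id and user id, encrypted.
    static String makeSourcedid(String random, String placement, String user) throws Exception {
        byte[] plain = (random + ":" + placement + ":" + user).getBytes(UTF_8);
        return Base64.getUrlEncoder().encodeToString(blowfish(Cipher.ENCRYPT_MODE, plain));
    }
    // Stand-in for the OAuth 1.0 HMAC-SHA1 signature (assumption: simplified base string).
    static String sign(String secret, String key, String sourcedid, String grade) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(secret.getBytes(UTF_8), "HmacSHA1"));
        return Base64.getEncoder().encodeToString(mac.doFinal((key + "&" + sourcedid + "&" + grade).getBytes(UTF_8)));
    }
    // Servlet side: returns "placement/user" when the grade may be set, null otherwise.
    static String accept(String key, String sourcedid, String grade, String signature) {
        try {
            byte[] plain = blowfish(Cipher.DECRYPT_MODE, Base64.getUrlDecoder().decode(sourcedid));
            String[] f = new String(plain, UTF_8).split(":", 3);
            if (f.length != 3) return null;                    // did not parse
            String[] p = PLACEMENTS.get(f[1]);                 // key and secret come from the placement
            if (p == null || !p[0].equals(key)) return null;   // unknown placement or wrong consumer key
            byte[] expected = sign(p[1], key, sourcedid, grade).getBytes(UTF_8);
            // Constant-time comparison of the expected and presented signatures.
            return MessageDigest.isEqual(expected, signature.getBytes(UTF_8)) ? f[1] + "/" + f[2] : null;
        } catch (Exception e) { return null; }                 // bad Base64 or failed decryption
    }
    public static void main(String[] args) throws Exception {
        String sid = makeSourcedid("8271", "placement-42", "student-7");
        String sig = sign("secret-xyz", "key-abc", sid, "0.85");
        System.out.println("valid message:  " + accept("key-abc", sid, "0.85", sig));
        System.out.println("grade altered:  " + accept("key-abc", sid, "1.0", sig));
        System.out.println("wrong consumer: " + accept("other-key", sid, "0.85", sig));
    }
}
```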