[Building Sakai] BasicLTI Feature for Setting Grades from an External Tool (BLTI-68)

Sat Jul 24 14:59:30 PDT 2010

Nate, 

The simple answer is of course, "yes".  The more important question is how convenient it is.  I would like it to be as convenient as possible (i.e. no patch required).  I think but am not sure that this is more about some of the broader Grade book service work we have slated for 2.8 that makes running GB and GB2 at the same time easier and paves the way for elegant support for an increasing number of different grade sources.

For me that GB service cleanup work is high priority for 2.8.

I am planning on meeting with the UMich folks working on grade book to help me navigate the GB/GB2 issue.

So the short summary is that I am sure this will work - the question is simply 'how much work'.

/Chuck

On Jul 24, 2010, at 3:15 PM, Nate Angell wrote:

> Good experiment!
> 
> Will the web services strategy mean that the BLTI tool could set grades in Gradebook2 rather than Gradebook should the Sakai site be using GB2?
> 
> Maybe that question might be best answered by the GB2 team...
> 
> On Sat, Jul 24, 2010 at 10:23 AM, csev <csev at umich.edu> wrote:
> Hello all,
> 
> I am starting work on a new feature for Basic LTI in Sakai - the ability to set a grade from an external tool using a web service.  The specs for this work are here:
> 
> http://jira.sakaiproject.org/browse/BLTI-68
> 
> I would love some review of the approach - in particular, I would love some examination of the security approach.  Since we are taking grades from a web service, it should be safe enough that we trust it.   Here is the outline of the approach:
> 
> Instructor places the Basic LTI portlet and configures with the url, secret, and key.  
> Instructor uses the config UI to (a) indicate that the tool will be sending grades, (b) creating the column if necessary, (c) picking the gradebook column to store results.  This sets the outcome_gradebook properties in the tool placement.
> Student launches the tool in the consumer  The launch includes the lis_result_sourcedid which is an encrypted version of a random number, placement if, and user id using the Blowfish system-wide private key (same as TinkTool). 
> The Tool Provider stores the lis_result_sourcedid in its tables somewhere, remembering the oauth_consumer_key as well.
> Student uses the tool and earns a grade, or perhaps the student uses the tool and the instructor goes into the tool and grades the student work
> Either as a side effect of the student complteing the work, or the instructor pressing a "send-grades" button, the tool provider creates a simple-lis-replaceresult message including the lis_result_sourcedid and signing it using OAuth using the oauth_consumer_key which the Tool Consumer used to sign the launch request.
> The message is sent to a servlet on the tool consumer, first, the servlet decrypts the lis_result_sourcedid using the system-wide Blowfish private key and if it decrypts successfully, it parses it to extract the placement id and user id from the lis_result_sourcedid.
> It then looks up the oauth_consumer_key and secret from the placement and checks the OAuth signature of the message.
> If the OAuth signature is valid, the servlet uses SecurityAdvisor to set the grade.
> 
> There is much more detail in design documents in the JIRA mentioned above.
> 
> Please review and comment.
> 
> /Chuck
> 
> 
> _______________________________________________
> sakai-dev mailing list
> sakai-dev at collab.sakaiproject.org
> http://collab.sakaiproject.org/mailman/listinfo/sakai-dev
> 
> TO UNSUBSCRIBE: send email to sakai-dev-unsubscribe at collab.sakaiproject.org with a subject of "unsubscribe"
> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://collab.sakaiproject.org/pipermail/sakai-dev/attachments/20100724/c2fbfce6/attachment.html 