[Building Sakai] QWuick question about basic lti

Charles Severance csev at umich.edu
Mon Feb 18 06:53:32 PST 2013 

Just as a follow up, I decided that we should not even send this value on all BLTI launches - so I created a JIRA to make it so ext_sakai_session is only sent when requested.

https://jira.sakaiproject.org/browse/BLTI-211

See the JIRA for details.

/Chuck

On Feb 15, 2013, at 10:48 AM, Charles Severance wrote:

> In general, the reason for
> 
> ext_sakai_session
> 
> Was to give folks using link tool and SakaiSigning.jws a path forward to convert away from LinkTool based tools to Basic LTI.  LinkTool signed session's approach security is weaker than LTI faced with a man-in-the-middle attack (which is rare but worrisome).  So we as a community should move away from LinkTool and move away from signed sessions and SakaiSigning.jws.
> 
> So as folks have said, how you use it is only documented in the LinkTool documentation.
> 
> It was never intended as a general purpose capability that was part of LTI - just a transition crutch to let people move from LinkTool. 
> 
> I would not expect any future LTI directions in services to follow the LinkTool pattern at all - if we build new services they will behave more like this:
> 
> https://source.sakaiproject.org/svn/basiclti/trunk/basiclti-docs/resources/docs/sakai_basiclti_api.doc
> 
> LTI tends not to support a model of "act as user while a session is active" but prefers a model of "acts as site owner within an approved context (course) irrespecitve of the presence of a session".  A model of "acts as user for the duration of a limited life session" is generally pretty weak (and is the foundation of OAuth 2.0):
> 
> http://vimeo.com/52882780  (warning: this video contains expletives and is not family friendly)
> 
> Three-legged OAuth 1.0 (as practiced by the Oxford mobile portal) supports a model of "Acts as user until token is revoked" - and this work well too.  But LTI is moving increasingly towards the "acts as site owner in contexts where permission is granted".
> 
> Probably more than you wanted to know - but the ideas is that ext_sakai_session is *not* the future - it is from the past.
> 
> /Chuck
> 
> On Feb 14, 2013, at 5:17 PM, Matthew Jones wrote:
> 
>> More specifically, it uses a hex encoded blowfish cipher encrypted on the secretKey which is auto generated when the server comes up in the sakai.home/sakai.rutgers.linktool.privkey file.
>> 
>> However the questions was asked and never answered about why this was still used. I think the question about sending a (separate) session id encrypted with the key that is exchanged makes sense to me.
>> http://old.nabble.com/-Building-Sakai--basic-lti-and-sakai-session-id-tt32511936.html#a32511936
>> 
>> For linktool, you had to use the SakaiSigning.jws webservice to get the real session id. Which really isn't always convenient, unless you control the end point.
>> https://source.sakaiproject.org/svn/linktool/trunk/linktool.txt
>> https://confluence.sakaiproject.org/display/CONF06/Linking+External+Tools+with+Sakai
>> 
> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://collab.sakaiproject.org/pipermail/sakai-dev/attachments/20130218/5ccc98b2/attachment.html

More information about the sakai-dev mailing list