[sakai2-tcc] Fwd: BasicLTI Feature for Setting Grades from an External Tool (BLTI-68)

csev csev at umich.edu
Sat Jul 24 10:24:53 PDT 2010


FYI.

/Chuck

Begin forwarded message:

> From: csev <csev at umich.edu>
> Date: July 24, 2010 1:23:20 PM EDT
> To: Sakai Developers <sakai-dev at collab.sakaiproject.org>
> Subject: [Building Sakai] BasicLTI Feature for Setting Grades from an External Tool (BLTI-68)
> 
> Hello all,
> 
> I am starting work on a new feature for Basic LTI in Sakai - the ability to set a grade from an external tool using a web service.  The specs for this work are here:
> 
> http://jira.sakaiproject.org/browse/BLTI-68
> 
> I would love some review of the approach - in particular, I would love some examination of the security approach.  Since we are taking grades from a web service, it should be safe enough that we trust it.   Here is the outline of the approach:
> 
> 1. Instructor places the Basic LTI portlet and configures it with the url, secret, and key.
> 2. Instructor uses the config UI to (a) indicate that the tool will be sending grades, (b) create the column if necessary, (c) pick the gradebook column to store results.  This sets the outcome_gradebook properties in the tool placement.
> 3. Student launches the tool in the consumer.  The launch includes the lis_result_sourcedid, which is an encrypted version of a random number, placement id, and user id using the Blowfish system-wide private key (same as TinkTool).
> 4. The Tool Provider stores the lis_result_sourcedid in its tables somewhere, remembering the oauth_consumer_key as well.
> 5. Student uses the tool and earns a grade, or perhaps the student uses the tool and the instructor goes into the tool and grades the student work.
> 6. Either as a side effect of the student completing the work, or the instructor pressing a "send-grades" button, the tool provider creates a simple-lis-replaceresult message including the lis_result_sourcedid and signs it using OAuth with the oauth_consumer_key which the Tool Consumer used to sign the launch request.
> 7. The message is sent to a servlet on the tool consumer.  First, the servlet decrypts the lis_result_sourcedid using the system-wide Blowfish private key and, if it decrypts successfully, parses it to extract the placement id and user id from the lis_result_sourcedid.
> 8. It then looks up the oauth_consumer_key and secret from the placement and checks the OAuth signature of the message.
> 9. If the OAuth signature is valid, the servlet uses SecurityAdvisor to set the grade.
> 
> There is much more detail in design documents in the JIRA mentioned above.
> 
> Please review and comment.
> 
> /Chuck
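
The launch-to-grade exchange outlined in the forwarded message, as an added example that is not Chuck's or Sakai's code: Python stands in for the Java servlets on both sides. Because the standard library has no Blowfish, the system-wide encrypted lis_result_sourcedid is replaced by an HMAC-tagged token, so "decrypts successfully" becomes an explicit integrity check; the parameter names (sourcedid, result_resultscore_textstring), the placement table, the keys and the URL are all constructed. It also makes the two checks the outline relies on explicit: the secret is looked up from the placement named inside the sourcedid, never taken from the message, and the oauth_consumer_key in the message must be that placement's key.

```python
import base64, hashlib, hmac, secrets
from urllib.parse import quote

SYSTEM_KEY = b"constructed-system-wide-key"             # stands in for the consumer's Blowfish key
PLACEMENTS = {"p-42": ("tool-key-1", "tool-secret-1")}  # constructed: placement id -> (oauth key, secret)

def pct(s):  # RFC 3986 percent-encoding as required by OAuth 1.0a
    return quote(str(s), safe="-._~")

def make_sourcedid(placement_id, user_id, key=SYSTEM_KEY):
    """Consumer, at launch: opaque lis_result_sourcedid = random nonce + placement id + user id, HMAC-tagged."""
    body = f"{secrets.token_hex(8)}:{placement_id}:{user_id}".encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode()

def open_sourcedid(sourcedid, key=SYSTEM_KEY):
    """Consumer servlet: (placement_id, user_id), or None if the token was forged, edited or truncated."""
    try:
        raw = base64.urlsafe_b64decode(sourcedid)
    except ValueError:
        return None
    body, tag = raw[:-32], raw[-32:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        return None
    _nonce, placement_id, user_id = body.decode().split(":")
    return placement_id, user_id

def oauth_signature(method, url, params, consumer_secret):
    """OAuth 1.0a HMAC-SHA1 over the normalized request; oauth_signature itself is excluded."""
    norm = "&".join(f"{pct(k)}={pct(v)}" for k, v in sorted(params.items()) if k != "oauth_signature")
    base = "&".join([method.upper(), pct(url), pct(norm)])
    key = pct(consumer_secret) + "&"                     # no token secret in two-legged Basic LTI
    return base64.b64encode(hmac.new(key.encode(), base.encode(), hashlib.sha1).digest()).decode()

def sign_replace_result(method, url, sourcedid, score, consumer_key, consumer_secret):
    """Tool Provider: build the replaceresult message and sign it with the key/secret used at launch."""
    params = {"lti_message_type": "simple-lis-replaceresult", "sourcedid": sourcedid,
              "result_resultscore_textstring": str(score), "oauth_consumer_key": consumer_key,
              "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1280000000",
              "oauth_nonce": secrets.token_hex(8)}
    params["oauth_signature"] = oauth_signature(method, url, params, consumer_secret)
    return params

def accept_replace_result(method, url, params, placements=PLACEMENTS, key=SYSTEM_KEY):
    """Tool Consumer servlet: (placement_id, user_id, score) only when every check passes, else None."""
    ids = open_sourcedid(params.get("sourcedid", ""), key)
    if ids is None or ids[0] not in placements:
        return None
    consumer_key, consumer_secret = placements[ids[0]]   # secret comes from the placement, not the message
    good_key = params.get("oauth_consumer_key") == consumer_key
    expected = oauth_signature(method, url, params, consumer_secret).encode()
    good_sig = hmac.compare_digest(expected, params.get("oauth_signature", "").encode())
    return ids + (float(params["result_resultscore_textstring"]),) if good_key and good_sig else None
```

A real servlet would additionally reject stale oauth_timestamp values and repeated oauth_nonce values, which is what stops a captured message from being accepted twice.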
