LTI login
An external provider can log users in to Bracken using the Learning Tools Interoperablitiy (LTI) process. This system is commonly used in learning platforms such as Moodle.
User experience
- The user logs in to the partner platform.
- The user clicks a link, which directs the user to the Bracken site.
- Bracken requests authentication information from the platform.
- The user arrives in the Bracken Portal.
A Bracken user account is created when the user first logs in via LTI (“autoprovisioned”).
The integration can optionally be configured to receive result notifications using the Assignment and Grade Service.
LTI integration
Login link
The single sign on is triggered by the partner platform redirecting the user to the Bracken initiate login URL. This will typically be https://<client>.bracken.cloud/auth/lti.
The request will include the following parameters, either as query parameters on a GET request, or in the body of a form POST request.
| Parameter | Example value | Notes |
|---|---|---|
iss* | https://demo-host.com | Issuer, which must be configured in Bracken. |
target_link_uri* | https://<client>.bracken.cloud | URL where to arrive after login. |
lti_deployment_id | 42 | platform specific |
client_id | kyKGR3f5 | platform specific |
login_hint | 332 | platform specific, often local user id |
lti_message_hint | 0 | platform specific, often login request reason |
Authentication provider
The partner system provides an OpenID Connect authorization service.
Upon receiving a login initiation request, Bracken will redirect the user’s browser to the configured authorization endpoint. The request may be GET or POST, and includes the following parameters.
| Parameter | Value |
|---|---|
request_type* | id_token |
request_mode* | form_post |
scope* | openid |
redirect_uri* | Must be configured in host platform service. |
client_id | Platform client identifier, specified in Bracken auth provider. |
state | Value to be returned with authorization response. |
nonce | Value to prevent request replay. |
login_hint | Value specified in login request. |
lti_message_hint | Value specified in login request. |
Response
The host service redirects the browser to the analysis server with a form POST with the following values.
| Parameter | Value |
|---|---|
id_token | JWT with claims |
state | Tool state returned unchanged |
id_token claims
The id_token JWT includes at least the following claims.
| Claim | Description |
|---|---|
iss* | Host system issuer, typically the base URL of the host. |
aud* | Must be the platform client identifier specified in the Bracken auth provider. |
nonce* | If included in the request, must be returned to the tool. |
sub* | Host system identifier of user. |
given_name* | The user’s given (first) name. |
family_name* | The user’s family (last) name. |
email* | The user’s email address. |
https://purl.imsglobal.org/spec/lti/claim/deployment_id | If set, must match the deployment_id specified in the original request. |
https://purl.imsglobal.org/spec/lti/claim/target_link_uri | If set, must match the target_link_url specified in the original request. |
OAuth JWKS endpoint
The id_token JWT returned by the host service’s authorization endpoint must be signed with a key that is available at the host service JWKS endpoint.
Redirect URL
After the id_token has been validated, a user is autoprovisioned in Bracken if necessary, and the browser is redirected to the specified target URL.
LTI Launch
Bracken also supports LTI Launch. In this workflow, the platform prepares an id_token and POSTs it to the target endpoint directly.
- The platform prepares the claims described in id_token claims, above, including
sub, user claims, andtarget_link_uri. - The token is signed with the platform’s signing key.
- The browser is redirected to the Bracken endpoint with a form POST.
<form action="https://demo.bracken.cloud/e/lesson/123" method="POST"> <input type="hidden" name="id_token" value="eyJh..." /> </form> - On receiving the request, Bracken validates the token against the platform, auto-provisions the user and portfolio if necessary, and launches the page.