Sharebar?

Deprecation Notice for OAuth 1.0a

SECURITY BULLETIN

Deprecation Notice for OAuth 1.0a

JUNE 2020

 

IMS Global Learning Consortium is announcing the deprecation of OAuth 1.0a API authentication. See the information below about new certifications, recertifications, and final deprecation of OAuth 1.0a and action plans for future implementations of Learning Tools Interoperability® (LTI®) and OneRoster®.

For all currently supported authentication methods, refer to the IMS Security Framework.

Products using deprecated methods will no longer be certified according to the transition roadmap provided below:

New Certifications

New product certifications after December 31, 2020, must support OAuth 2.0 or the later currently supported methods by adopting the newer version of the API service. REST service specifications affected by this are:

Learning Tools Interoperability

  • LTI 1.1 Tool Provider
  • LTI 1.1 Tool Consumer

ACTION PLAN FOR LTI IMPLEMENTATIONS: Migrate to LTI 1.3 and LTI Advantage which uses OAuth2 and OpenID Connect. See information on how to migrate your LTI integration to LTI 1.3.

OneRoster

  • OneRoster 1.1 REST Service Provider
  • OneRoster 1.1 REST Service Consumer

ACTION PLAN FOR ONEROSTER IMPLEMENTATIONS: Migrate to OneRoster 1.1 or later using OAuth 2.0 authentication.

Note: OneRoster 1.0 is deprecated. No certifications are permitted.

Recertifications

Re-certifications after June 30, 2021, must support OAuth 2.0 or later supported methods. The specifications affected by this are:

Learning Tools Interoperability

  • LTI 1.1 Tool Provider
  • LTI 1.1 Tool Consumer

ACTION PLAN FOR LTI IMPLEMENTATIONS: Migrate to LTI 1.3 and LTI Advantage which uses OAuth2 and OpenID Connect. See information on how to migrate your LTI integration to LTI 1.3.

OneRoster

  • OneRoster 1.1 REST Service Provider
  • OneRoster 1.1 REST Service Consumer

ACTION PLAN FOR ONEROSTER IMPLEMENTATIONS: Migrate to OneRoster 1.1 or later using OAuth 2.0 authentication.

Final Deprecation

Effective July 1, 2021, OAuth 1.0a will no longer be certified. Please direct your questions and comments to the IMS Security Forum.