SECURITY BULLETIN
Deprecation Notice for OAuth 1.0a
JUNE 2020
1EdTech Consortium is announcing the deprecation of OAuth 1.0a API authentication. See the information below about new certifications, recertifications, and final deprecation of OAuth 1.0a and action plans for future implementations of Learning Tools Interoperability® (LTI®) and OneRoster®.
For all currently supported authentication methods, refer to the 1EdTech Security Framework.
Products using deprecated methods will no longer be certified according to the transition roadmap provided below:
New Certifications
New product certifications after December 31, 2020, must support OAuth 2.0 or the later currently supported methods by adopting the newer version of the API service. REST service specifications affected by this are:
Learning Tools Interoperability
- LTI 1.1 Tool Provider
- LTI 1.1 Tool Consumer
ACTION PLAN FOR LTI IMPLEMENTATIONS: Migrate to LTI 1.3 and LTI Advantage which uses OAuth2 and OpenID Connect. See information on how to migrate your LTI integration to LTI 1.3.
OneRoster
- OneRoster 1.1 REST Service Provider
- OneRoster 1.1 REST Service Consumer
ACTION PLAN FOR ONEROSTER IMPLEMENTATIONS: Migrate to OneRoster 1.1 or later using OAuth 2.0 authentication.
Note: OneRoster 1.0 is deprecated. No certifications are permitted.
Recertifications
Re-certifications after June 30, 2021, must support OAuth 2.0 or later supported methods. The specifications affected by this are:
Learning Tools Interoperability
- LTI 1.1 Tool Provider
- LTI 1.1 Tool Consumer
ACTION PLAN FOR LTI IMPLEMENTATIONS: Migrate to LTI 1.3 and LTI Advantage which uses OAuth2 and OpenID Connect. See information on how to migrate your LTI integration to LTI 1.3.
OneRoster
- OneRoster 1.1 REST Service Provider
- OneRoster 1.1 REST Service Consumer
ACTION PLAN FOR ONEROSTER IMPLEMENTATIONS: Migrate to OneRoster 1.1 or later using OAuth 2.0 authentication.
Final Deprecation
Effective July 1, 2021, OAuth 1.0a will no longer be certified.