Anonymous messages

Anonymous messages

A very happy New Year to all readers.

The LTI 1.3 Core Specification allows the sub claim to be omitted from a resource link launch request message (see, thereby overriding the required status of this claim as defined in the 1EdTech Security Framework (Version 1.0, 5.1.2). This leads me to ask the following questions:

  1. Why are anonymous deep linking messages not also allowed? [Section 3.4.5 of the Deep Linking Specification (Version 2.0) describes the sub claim as being required.]
  2. In the OpenID connect launch flow, the login_hint is required and should be a hint about the login identifier the End-User might use to log in (1EdTech Security Framework, Version 1.0, Does this mean the user ID must be passed in this parameter, even when the subsequent message is anonymous? If not, is there any guidance on what value should be passed, or whether the parameter should be omitted?


While I have yet to see a

While I have yet to see a truly user-less launch (no sub) I don't think it should be forbidden from the deep linking spec (even if it a bit counter to the fact that whole LTI flow is an open id extenstion, an open id, id-less!). I've issued a small PR removing the required term.

Now do you need a login_hint? Well you may still need to pass the role information, even in case of anymous launches. And the hint may be used to store smthg more about the context of that launch. So really up to the platform, it's only required to be passed back in present in the init login request. Not sure why the sec framework would mark this required at all from the platform side. Doesn't seem right indeed.


Re: login_hint

Thanks Claude. There are many items of data which could be usefully included in the initiate login request and be used by the tool to influence its authentication request (such as role and message type) but, when used with LTI, I am not aware of any tools which do anything with the login identifier value other than merely pass it back in the authentication request. Its existence is more akin to the state parameter of the authentication request. Pending an official confirmation of the correct behaviour to be applied, I have decided to send a value of "Anonymous" for the login_hint parameter when the LTI message to be sent is anonymous. I am hoping that this should be sufficient for platforms wanting to pass IMS certification.