LTI 1.3 - Logging users from the Platform into the Tool

LTI 1.3 - Logging users from the Platform into the Tool


I have started diving into the LTI 1.3 specification to implement it in our solution as a Tool. But the specification lacks information on how to handle the users in the Tool. When a user from the Platform launches the Tool, after authenticating with OAuth 2.0 / OIDC on the Platform, the Tool receives the JWT identifying the user. Now the Tool needs to log the user in so that the resource can be presented. At that point:

- Does the Tool have to read the user's information in the JWT and directly log them in without asking for credentials (because it trusts the Platform which provides a JWT which cannot be forged)?
- Or does the Tool have to ask credentials to the user, and log them in?

Thanks for your help.

Hi again, please does someone

Hi again, please does someone have insights on this?

Re: LTI 1.3 - Logging users from the Platform into the Tool

My view is that this is entirely a choice to be made by the tool, but typically LTI allows a tool to delegate the authorisation to the platform and so a tool would create/update a user account on-the-fly based on the user information (name, email, etc.) provided in the launch message.

Thanks for your help. Since

Thanks for your help. Since our Tool already have its own users (with paying accounts so we cannot create them on the fly) I suppose that upon receiving the JWT identifying the Platform's user we have two possible cases:

  1. If the Platform's user is known by the Tool, just log them in seamlessly
  2. If the Platform's user is not known by the Tool, ask for credentials for logging them in and associate this Tool's user with the Platform's user. Next time the user will be known (1)

Instead of (2) I thought we could just read the user email and associate the Tool's user matching that email seamlessly, but the LTI 1.3 specification seems to go against it:

"Typical properties such as a first name, last name, and email address, MAY be shared with a tool. A tool or platform MUST NOT use any other attribute other than the unique identifier to identify a user when interacting between tool and platform."

Am I correct?

Re: Thanks for your help. Since

Unless your users need to login directly to your tool as well as via LTI, then you should be able to create the latter on-the-fly. If they do need to access via both methods and the former has to be created first, then, as you note, you will need a mechanism for connecting their LTI user ID with their tool ID. Relying on properties such as name and email address is problematic because some platforms may allow users to manage these values themselves, which would allow them to impersonate someone else. One solution would be to ask them for their tool credentials on their first LTI launch and then record this mapping for use in subsequent launches.

All right, this answers my

All right, this answers my question, thanks.