Receiving a message at the endpoint you use for LTI® launch requests does not mean that the message is actually an LTI launch request. So the first step is to check whether the message received conforms to the requirements of an LTI launch request. The required characteristics of an LTI launch message are as follows:
- It should be an HTTP POST message
- It should include a POST parameter named lti_message_type with a value of basic-lti-launch-request
- It should include a POST parameter named lti_version with a value of LTI-1p0 (or LTI-2p0 for an LTI 2 tool provider)
- It should include a POST parameter named oauth_consumer_key with a non-empty value
- It should include a POST parameter named resource_link_id with a non-empty value
As you can see, there are very few required parameters for an LTI launch, but if any of them is missing, the message is either not an LTI launch message or has not been properly constructed, and it should be rejected.
Sample PHP Code
This code assumes that a variable named $ok has been initialized with a value of true. After its execution the variable will have been set to false if the message is not an LTI launch request.
// Check it is a POST request
$ok = $ok && $_SERVER['REQUEST_METHOD'] === 'POST';
// Check the LTI message type
$ok = $ok && isset($_POST['lti_message_type']) && ($_POST['lti_message_type'] === 'basic-lti-launch-request');
// Check the LTI version
$ok = $ok && isset($_POST['lti_version']) && ($_POST['lti_version'] === 'LTI-1p0');
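// Check a consumer key exists: it must be a non-empty string
// (empty() is not used because it would also reject the non-empty value "0")
$ok = $ok && isset($_POST['oauth_consumer_key']) && is_string($_POST['oauth_consumer_key']) && ($_POST['oauth_consumer_key'] !== '');
// Check a resource link ID exists: same rule, so an ID of "0" is accepted
// and an array-valued parameter (resource_link_id[]=x) is rejected
$ok = $ok && isset($_POST['resource_link_id']) && is_string($_POST['resource_link_id']) && ($_POST['resource_link_id'] !== '');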
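The same checks as a reusable function that reports which requirement failed, run against a few constructed requests. This is an added example, not code from the original page; the function name ltiLaunchProblems, the list of accepted versions passed as a parameter, and all sample values are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not part of the LTI specification or any library):
// returns the launch requirements a request fails; an empty list means it passes.
function ltiLaunchProblems(string $method, array $post, array $versions = ['LTI-1p0']): array
{
    $problems = [];
    if ($method !== 'POST') {
        $problems[] = 'not an HTTP POST';
    }
    // Read a parameter as a string; array-valued input (name[]=x) counts as missing.
    $param = function (string $name) use ($post): ?string {
        return (isset($post[$name]) && is_string($post[$name])) ? $post[$name] : null;
    };
    if ($param('lti_message_type') !== 'basic-lti-launch-request') {
        $problems[] = 'lti_message_type';
    }
    if (!in_array($param('lti_version'), $versions, true)) {
        $problems[] = 'lti_version';
    }
    // Non-empty means at least one character, so "0" is accepted.
    foreach (['oauth_consumer_key', 'resource_link_id'] as $name) {
        $value = $param($name);
        if ($value === null || $value === '') {
            $problems[] = $name;
        }
    }
    return $problems;
}

// Constructed sample requests.
$valid = [
    'lti_message_type'   => 'basic-lti-launch-request',
    'lti_version'        => 'LTI-1p0',
    'oauth_consumer_key' => 'example-key',
    'resource_link_id'   => '0',
];
$samples = [
    'valid launch'       => ['POST', $valid],
    'GET request'        => ['GET', $valid],
    'array consumer key' => ['POST', ['oauth_consumer_key' => ['x']] + $valid],
    'LTI 2 version'      => ['POST', ['lti_version' => 'LTI-2p0'] + $valid],
    'empty form'         => ['POST', []],
];
foreach ($samples as $label => [$method, $post]) {
    $problems = ltiLaunchProblems($method, $post);
    echo $label, ': ', $problems ? 'reject (' . implode(', ', $problems) . ')' : 'accept', PHP_EOL;
}
```

An LTI 2 tool provider would pass ['LTI-2p0'] as the third argument; in a real handler the first two arguments are $_SERVER['REQUEST_METHOD'] and $_POST.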