Authentication with Moodle or so (with the LTI 1.1 protocol based on OAuth 1.0) #625
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
All endpoints previously requiring a token now expect a session. BREAKING CHANGE: Endpoints and clients using token-based authentication must be updated to use session-based authentication.
All API calls and local_storage interactions in the app/ folder now use session for authentication instead of token.
Add a new API route that returns the token associated with a given session, enabling clients to retrieve their token server-side without storing it in the frontend.
…or CLI) Update supported_versions so: - legacy token routes are valid Upto v2.0 - new session routes are valid Since v2.0 Clients ≥ 2.0 negotiate the new API; CLI clients continue to work. Front-end now uses only the “_s” routes.
This change needed to refactor the decompress-based deflate encoding
Replace the JSON-based storage of session-token-date entries with an Irmin Git-backed key-value store.
Sessions are no longer stored in 'sessions.json' but in an Irmin Git repository ('session_store.git' by default).
Credits: this patch reuses code from oauth-moodle-dev by the following authors.
Co-authored-by: Louis Tariot <[email protected]>
as `ocaml/opam:alpine-3.20-*` images are now 6-month old: cf. https://hub.docker.com/r/ocaml/opam/tags?name=alpine-3.20 which caused some CI build issue due to a too-old version of opam: cf. https://github.com/ocaml-sf/learn-ocaml/actions/runs/15413403948/job/43370458368#step:3:122
Otherwise, we get:
```
The following dependencies couldn't be met:
- learn-ocaml -> mirage-runtime = 4.8.2
unmet availability conditions: opam-version >= "2.1.0"
```
Related: https://github.com/ocaml-sf/learn-ocaml/actions/runs/15421443343/job/43397321956?pr=610#step:3:163
Related: ocurrent/docker-base-images#132
Related: https://github.com/ocurrent/docker-base-images/blob/02a40d239bbb8dd2700d9bfaa7511926a84eca7b/Dockerfile#L3
Motivation: - Learnocaml_store contained Json_codec - learnocaml_client.ml relies on Json_codec - Learnocaml_store depends on Learnocaml_api - Learnocaml_store pulls irmin-git.unix and cryptokit - unlike Learnocaml_api - and these two dependencies are unneeded for compiling learnocaml_client.ml
Otherwise we'd get: ``` Error loading shared library libgmp.so.10: No such file or directory (needed by /usr/bin/learn-ocaml) ``` cf. https://github.com/ocaml-sf/learn-ocaml/actions/runs/15428646832/job/43421680304?pr=610
…ication support Introduce LtiIndex to map external LTI user IDs to tokens, and TokenIndex to manage token associations with multiple authentication methods (e.g. idmoodle, email). This enables future support for LTI and other authentication workflows. Credits: this patch reuses code from oauth-moodle-dev by the following authors. Co-authored-by: Alban Gruin <[email protected]> Co-authored-by: Erik Martin-Dorel <[email protected]>
…rsions Introduce endpoints for authentication workflows (launch, associate, login, register) in the API.
… template Add support for LTI user registration and token association in the login overlay, enabling direct and indirect LTI login workflows. Credits: this patch reuses code from oauth-moodle-dev by the following authors. Co-authored-by: Alban Gruin <[email protected]> Co-authored-by: Erik Martin-Dorel <[email protected]> Co-authored-by: Léo Segond <[email protected]>
…I handler refactor Introduce a modular authentication layer (learnocaml_auth) with initial LTI (Moodle) support. Add Launch and Login endpoints to the server for new auth methods. Refactor API request handling to pass structured http_request and support future extensibility. Credits: this patch reuses code from oauth-moodle-dev by the following authors. Co-authored-by: Alban Gruin <[email protected]> Co-authored-by: Léo Segond <[email protected]>
…tication linking - Add learnocaml_auth as a separate library with its dependencies in dune. - Implement secure association between legacy tokens and LTI accounts (Moodle) in the backend. - Improve logic and handle POST /associate route with checks and session management. - Prepare future extensibility for additional authentication methods (email, etc). Credits: this patch reuses code from oauth-moodle-dev by the following authors. Co-authored-by: Alban Gruin <[email protected]> Co-authored-by: Erik Martin-Dorel <[email protected]>
…reation - Implement with HMAC validation and nickname handling. - Handle POST /register route to support LTI account creation and session association. - Prepare backend for modular registration flows (future email/other methods). Credits: this patch reuses code from oauth-moodle-dev by the following authors. Co-authored-by: Alban Gruin <[email protected]> Co-authored-by: Erik Martin-Dorel <[email protected]>
…login - Add executable for LTI flows in dune build. - Add utility for form encoding in . - Refactor token login to use encoded POST body for extensible auth. Credits: this patch reuses code from oauth-moodle-dev by the following authors. Co-authored-by: Alban Gruin <[email protected]> Co-authored-by: Erik Martin-Dorel <[email protected]> Co-authored-by: Léo Segond <[email protected]>
- Add use_lti boolean flag - Update encoding/decoding to support the new field - Default to false if not present Credits: this patch reuses code from oauth-moodle-dev by the following authors. Co-authored-by: Alban Gruin <[email protected]>
- The OAuth signature is now really checked again. - The launch URL now uses req.Api.host when deployed, or localhost in local/dev.
…oauth - Add a test library for learnocaml_auth with ppx_expect and ppx_inline_test. - Allow passing the secret directly to check_oauth for easier testing. - Expose LtiIndex.repo_path for test configuration.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Warning
This PR shares commits with the previous PR #610, so after review both PRs should me merged successively (no squash).
Description
This PR adds support for (Moodle) LTI-based authentication. It relies on prior work in the
oauth-moodle-devbranch, with many recent changes and improvements by @MNassimM and @CJs0800, collaborating with @YannickChevalier and me. It adds one main OCaml dependency (irmin-git) to store critical data in a subfolder of/sync. Thanks to a more modular architecture devised by @MNassimM, the email/password authentication will be easier to add - but this addition is left as the topic for a follow-up PR.Checklist
General items:
Leftover items before the PR can be considered as finalized and ready to be merged:
roles,lis_person_name_{given,family,full},lis_person_contact_email_primary)use_lti(with screenshots) indocs/**.mdNote to maintainers
Close #…if a related issue exists.