
This is a DRAFT.  It is intended to be the main document, which can then be turned into slides for a presentation.

1 LMOD Introduction

TODO Joe

 

2 Authentication/Authorization

2.1 Unauthenticated Access

The LMOD APIs accept unauthenticated requests, but in most cases the information returned to an unauthenticated caller is very limited.

2.2 Authenticated Access

We support two ways of authenticating: via Touchstone (Shibboleth), or via application certificate.  Note that some APIs do not (yet) support application certificates; this is noted per API below.

2.2.1 Touchstone Authentication

If the consuming application is a web app and the end user is present when the request to the API is made, then Touchstone authentication is the preferred method.  The user will authenticate to the API (possibly via the application) as themselves, which guarantees that the requesting user is present.  The consuming application therefore does not need to be trusted to impersonate a user; it only needs to be trusted to handle user data while the user is there. 

There are two ways for an intervening app to allow a user to do Touchstone authentication:

2.2.1.1 Touchstone Delegation

One is Touchstone delegation, in which the user presents credentials to the app and the app forwards them to the LMOD API.  We have not used this method ourselves, but it should work (or can be made to work).  It may require that the Touchstone identity providers be configured to white-list the consuming application.

2.2.1.2 Cross-Origin Requests

The other way to authenticate a user to Touchstone from a web app is with cross-origin AJAX requests.  The page served by the application tells the user's browser to contact the API directly via AJAX, so the user's Touchstone session for the API is presented by the browser, not by the application.  This requires that LMOD's servers white-list the consuming application's origin for cross-origin requests: because credentials are involved, the browser only accepts the response if the API names that exact origin in Access-Control-Allow-Origin (a wildcard "*" is rejected) and sends Access-Control-Allow-Credentials: true.  The AJAX requests must set the withCredentials flag to true (the fetch() equivalent is credentials: "include"); without it the browser does not attach the session cookie and the API sees an unauthenticated request.  Additionally, the application may need to send the user to Touchstone to authenticate and then have them redirected back to the application.  We support this by providing a login redirector.  Say the app is located at https://google.com.  Then the URL https://mv-ezproxy-com.ezproxyberklee.flo.org/Shibboleth.sso/Login?target=%2Fcrossdomain%2Floginredirect%3Fhttps%253A%252F%252Fgoogle.com will authenticate the user to Learning Modules and redirect them back to https://google.com.  Note that "https://google.com" has been percent-encoded twice, so that it survives both the Shibboleth login redirect and the cross-domain redirect that follows it.  As with the CORS white-list, the redirector should only send users back to a white-listed application; consuming applications should not rely on it accepting arbitrary targets.  We have used this method inside our student dashboard code.
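The pieces of the cross-origin flow above, as an added example (not LMOD's or the student dashboard's own code): building the double-encoded redirector URL, decoding it again on the redirector side against a white-list, checking the CORS response headers a credentialed request needs, and the withCredentials call itself.  The API host https://lmod.example.edu, the allowed-origin list and the function names are assumptions; the /Shibboleth.sso/Login and /crossdomain/loginredirect paths and the withCredentials requirement are from the text.

```javascript
// Added example; not LMOD's own code.  API_ORIGIN is a stand-in for the real LMOD host.
const API_ORIGIN = 'https://lmod.example.edu'; // assumption

// Build the login-redirector URL for an application at appUrl.  The application URL is
// percent-encoded twice: once as the query string of the /crossdomain/loginredirect
// target, and again because that whole target is itself the "target" query parameter
// of /Shibboleth.sso/Login.
function buildLoginUrl(appUrl, apiOrigin = API_ORIGIN) {
  const innerTarget = '/crossdomain/loginredirect?' + encodeURIComponent(appUrl);
  return apiOrigin + '/Shibboleth.sso/Login?target=' + encodeURIComponent(innerTarget);
}

// What a redirector has to do: undo both layers of encoding, then refuse any
// destination whose origin is not on the white-list (otherwise it is an open redirect).
function resolveRedirectTarget(loginUrl, allowedOrigins) {
  const target = new URL(loginUrl).searchParams.get('target'); // first decode
  if (!target) return null;
  const appUrl = decodeURIComponent(target.slice(target.indexOf('?') + 1)); // second decode
  let origin;
  try { origin = new URL(appUrl).origin; } catch { return null; } // not a URL at all
  return allowedOrigins.includes(origin) ? appUrl : null;
}

// A credentialed cross-origin response is only released to the page by the browser when
// the API names the exact calling origin (never "*") and explicitly allows credentials.
// headers: lower-cased header name -> value, as a fetch Headers object would give you.
function corsAllowsCredentialedOrigin(headers, appOrigin) {
  return headers['access-control-allow-origin'] === appOrigin &&
         headers['access-control-allow-credentials'] === 'true';
}

// Browser-side call.  withCredentials is what makes the browser attach the user's
// Touchstone session cookie for the API origin to this cross-origin request.
function callApiWithCredentials(path, apiOrigin = API_ORIGIN) {
  return new Promise((resolve, reject) => {
    const xhr = new XMLHttpRequest();
    xhr.open('GET', apiOrigin + path);
    xhr.withCredentials = true; // omit this and the API sees an unauthenticated request
    xhr.onload = () => (xhr.status === 200
      ? resolve(xhr.responseText)
      : reject(new Error('HTTP ' + xhr.status)));
    // A CORS rejection (wrong origin, wildcard, missing allow-credentials) shows up here
    // with no status code at all, which is how a white-list problem usually presents.
    xhr.onerror = () => reject(new Error('network or CORS failure'));
    xhr.send();
  });
}
```

If a request that works from the API host fails with no status and a console CORS message when issued from the application, check the white-list entry for the application's exact origin (scheme, host and port) before anything else; a white-list entry for a different port or for http rather than https fails exactly this way.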

2.2.2 Application Certificate

If the consuming application is not a web app, or if the user is not present when the request to the API is made (e.g., the app needs to cache information about users ahead of time), then application certificate authentication is more appropriate.  In this case the application authenticates to the API as itself, by presenting its client certificate, and can only ask for information on behalf of a user if it has been allowed to impersonate that user; LMOD can white-list certain accounts to impersonate users.  Note that impersonation and the application certificate authentication method are technically separate.  If you get a Touchstone account (e.g., a collaboration account) for your application, you can use Shibboleth authentication as above and still impersonate whomever you are allowed to.  Conversely, an application certificate might not have impersonation access, in which case it can still access the LMOD APIs as itself, with whatever permissions its own account has.  Because a certificate with impersonation rights lets whoever holds its private key act as every user it may impersonate, treat that key as a high-value credential and keep the set of users it may impersonate as small as the application's function allows.

Again, some APIs do not yet support application certificates.

2.3 Roles and Authorization

The

TODO Joe

 

3 External Data Feeds

TODO Qing

 

4 LMOD APIs

4.1 Membership API

TODO Qing

 

4.1.1 Example
4.1.2 Intended Use Cases
4.1.3 Pitfalls

 

4.2 Course Guide API

TODO Qing

 

4.2.1 Example
4.2.2 Intended Use Cases
4.2.3 Pitfalls

 

4.3 Gradebook API

TODO Robin

 

4.3.1 Example
4.3.2 Intended Use Cases
4.3.3 Pitfalls

 

4.4 Calendar API

TODO Joe

 

4.4.1 Example
4.4.2 Intended Use Cases
4.4.3 Pitfalls

 

4.5 Materials API

TODO Ajay

4.5.1 Example
4.5.2 Intended Use Cases
4.5.3 Pitfalls

 

4.6 Forum/Announcement API

TODO Joe

 

4.6.1 Example
4.6.2 Intended Use Cases
4.6.3 Pitfalls

This API does not support application certificates; use Touchstone authentication (section 2.2.1).

 
