Is it possible to run without authorization-uri and token-uri
Closed this issue · 2 comments
Hi Developers,
I'm currently using this package to develop tools and I just want to know if it is possible to run without authorization-uri and token-uri.
Because in IMS Global, it's OK that we make a dummy tool that doesn't have either authorization-uri or token-uri.
@CharlesYWL
Are you wanting to run without using the OpenID Connect Flow?
Are you using the IMS LTI Reference Implementation (lti-ri.imsglobal.org) that allows you to post the JWT directly to the tool with the button "Launch Resource Link"?
This library was designed around supporting the OpenID Connect flow as outlined in the IMS Security Framework 1.0: https://www.imsglobal.org/spec/security/v1p0/#platform-originating-messages
If you are not wanting to use that flow then it's really just a case of verifying the JWT that is sent in the id_token parameter on the POST.
If you think it's worth the library supporting LTI launches without the OpenID Connect flow just re-open the issue and outline why.
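
As an added example (not part of this thread and not the library's code), this is what verifying a directly posted id_token involves, written for Node.js with only the built-in `crypto` module. The `expected` registration object, `verifyIdToken` and `signSample` are assumed names, and the key pair and claims are constructed for the demo.

```javascript
const crypto = require('crypto');

const b64urlJson = (s) => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));
const seenNonces = new Set(); // in-memory replay cache; a real tool needs shared storage with expiry

// expected = { issuer, clientId, publicKey }: values registered out of band for the platform (assumed shape).
function verifyIdToken(idToken, expected, now = Math.floor(Date.now() / 1000)) {
  const parts = String(idToken).split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  const [h, p, s] = parts;
  const header = b64urlJson(h);
  // Pin the algorithm: the token must not be able to choose "none" or an HMAC algorithm.
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  const ok = crypto.verify('sha256', Buffer.from(`${h}.${p}`), expected.publicKey,
    Buffer.from(s, 'base64url'));
  if (!ok) throw new Error('bad signature');
  const claims = b64urlJson(p);
  if (claims.iss !== expected.issuer) throw new Error('wrong issuer');
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(expected.clientId)) throw new Error('wrong audience');
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('expired');
  // Without the OIDC login request there is no tool-issued nonce to compare against,
  // so the remaining replay defence is refusing a nonce that was already accepted.
  if (typeof claims.nonce !== 'string' || seenNonces.has(claims.nonce)) {
    throw new Error('nonce missing or replayed');
  }
  seenNonces.add(claims.nonce);
  return claims;
}

// Constructed stand-in for a platform: signs claims as a compact RS256 JWT.
function signSample(claims, privateKey, header = { alg: 'RS256', typ: 'JWT' }) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  const input = `${enc(header)}.${enc(claims)}`;
  const sig = header.alg === 'none' ? ''
    : crypto.sign('sha256', Buffer.from(input), privateKey).toString('base64url');
  return `${input}.${sig}`;
}

// Demo with a throwaway key pair and constructed claims.
const demoKeys = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const demoToken = signSample({ iss: 'https://platform.example', aud: 'tool-123',
  exp: Math.floor(Date.now() / 1000) + 60, nonce: 'demo-nonce' }, demoKeys.privateKey);
console.log(verifyIdToken(demoToken, { issuer: 'https://platform.example',
  clientId: 'tool-123', publicKey: demoKeys.publicKey }).iss);
```

In a deployed tool the platform's public key would come from its registered JWKS rather than a local key pair.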