
Implement Initial LTI 1.3 Launch #1635

Merged: 20wildmanj merged 28 commits into master from joeywildman-init-lti-setup on Nov 13, 2022

Conversation

@20wildmanj (Contributor) commented Nov 2, 2022:

Description

This PR implements the LTI Advantage launch flow described in LMS Integration Design Doc V2.0. It is recommended to view "Implementation and Technical Details" as well as "LTI Advantage Launch Flow" sections. The full LTI 1.3 launch specification for tools such as Autolab can be found here.

Most of the code in this PR is based off the LTI 1.3 PHP library and the pylti1.3 library, specifically LTI_OIDC_Login.php, and LTI_Message_Launch.php.

Specific changes:

  • Build initial LTI 1.3 Integration Library in controllers/lti_launch_controller.rb
    • /lti_launch/oidc_login/ endpoint handles Step 1 and Step 2 of the launch flow (see design doc for more details):
      • Ensure that iss parameter from platform matches our configuration settings, lti_message_hint exists
      • create state, nonce params using SecureRandom, with state stored as a short lived cookie and nonce as a cache entry (to prevent replay attacks)
      • Generate authentication parameters based off rails configuration settings (in lti_settings.yml), and redirect to authorization url of platform.
    • /lti_launch/launch/ endpoint handles Step 4 of the launch flow (see design doc for more details):
      • mainly validation of data received from platform, and sends off received JWT body data to lti_launch_initialize
      • validate both state and nonce received match the ones generated during oidc_login
      • validate response from platform is a valid JWT with correct signature by platform
      • validate client_id received from platform to that in configuration settings
      • Ensure that request is a "LtiResourceLinkRequest" with version "1.3.0"
      • validate we have access to NRPS and that we receive "context_memberships_url"
  • display final resource (course context, etc. in users/:id/lti_launch_initialize) via lti_launch_initialize in users_controller.rb

How Has This Been Tested?

  • Go to /config and run:

    ```shell
    cp lti_settings.yml.template lti_settings.yml
    ```

  • Fill in lti_settings.yml

  • enable cache by running rails dev:cache

  • Go to the LTI Reference Tool main page

  • Go to "Manage Platforms"

  • Click on "Unclaimed Platforms"

  • Find the "Autolab Test" platform (ctrl-f)

  • Click on "View Platform". Make sure client id, OIDC Auth URL, platform public key matches the rails config file.

[Screenshot 2022-11-08 at 15:20:57]

  • Click on "Resource Links" for Autolab Test
  • Click "Select User for Launch" for Resource Link with Title "Autolab PR test"

[Screenshot 2022-11-08 at 15:19:48]

  • Choose user with "Student: No", and click "Launch Resource Link (OIDC)". For example, you should launch as Davida in the example below.

[Screenshot 2022-11-08 at 15:18:05]

  • Choose either to send a POST or GET request (either works) on the next page
  • You should immediately be redirected to a page similar to the one below. If you have to log into Autolab, or receive a message that you are already logged into autolab, try going back to the Resource Link page and clicking "Launch Resource Link (OIDC)" again. If you received an error from the oidc_login endpoint, make sure your lti_settings.yml information is correct, and try again.

[Screenshot 2022-11-08 at 15:25:11]

  • Click "launch resource link"
  • Scroll down past the JWT and click "Perform Launch." Again, if you receive an auth request from Autolab, log in, but then restart the launch process. If you receive an error message along the lines of "state/nonce not correct" you may have been too slow to complete the launch flow. Otherwise, you should be viewing this page:

[Screenshot 2022-11-08 at 15:29:00]

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • I have run rubocop for style check. If you haven't, run overcommit --install && overcommit --sign to use pre-commit hook for linting
  • I have updated the documentation accordingly, included in this PR
    -> will update documentation in a later PR

To do: figure out why "already logged in" auth error shows up and interrupts launch flow
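The oidc_login and launch checks listed in the description, as an added example that is not Autolab's code: a framework-free Ruby sketch using only the standard library (OpenSSL instead of a JWT gem), with constructed stand-ins for lti_settings.yml, Rails.cache and the platform's signing key (all hypothetical values). The nonce cache is keyed by the nonce value itself, so concurrent launches by different users cannot overwrite each other, and a nonce is deleted on first use so a replayed id_token fails.

```ruby
require 'openssl'; require 'json'; require 'base64'; require 'securerandom'

# Constructed stand-ins for lti_settings.yml and Rails.cache (every value here is hypothetical).
PLATFORM_KEY = OpenSSL::PKey::RSA.new(2048)        # plays the platform's signing key
CONFIG = { iss: 'https://platform.example', client_id: 'autolab-client-id',
           redirect_uri: 'https://autolab.example/lti_launch/launch', public_key: PLATFORM_KEY.public_key }
NONCES = {}                                         # cache stand-in: nonce => expiry time
LTI = 'https://purl.imsglobal.org/spec/lti'         # claim URI prefix from the LTI 1.3 spec
def b64url(s); Base64.urlsafe_encode64(s, padding: false); end

# Steps 1-2 (oidc_login): check iss and lti_message_hint, mint state + nonce, build the auth request.
def oidc_login(params)
  raise 'iss does not match configuration' unless params['iss'] == CONFIG[:iss]
  raise 'lti_message_hint missing' unless params['lti_message_hint']
  state = SecureRandom.hex(16)                      # returned to the browser in a short-lived cookie
  nonce = SecureRandom.hex(16)
  NONCES[nonce] = Time.now + 600                    # keyed by value, so concurrent launches never collide
  { state: state, auth_params: { scope: 'openid', response_type: 'id_token', response_mode: 'form_post',
    prompt: 'none', client_id: CONFIG[:client_id], redirect_uri: CONFIG[:redirect_uri], state: state,
    nonce: nonce, login_hint: params['login_hint'], lti_message_hint: params['lti_message_hint'] } }
end

# Step 4 (launch): state must equal the cookie, the RS256 signature must verify against the platform
# key, then the claims are checked and the nonce consumed so the same id_token cannot be replayed.
def validate_launch(id_token, state_param, state_cookie)
  raise 'state mismatch' unless state_cookie && state_param == state_cookie
  h, p, sig = id_token.split('.')
  raise 'unexpected alg' unless JSON.parse(Base64.urlsafe_decode64(h))['alg'] == 'RS256'
  verified = CONFIG[:public_key].verify(OpenSSL::Digest::SHA256.new, Base64.urlsafe_decode64(sig), "#{h}.#{p}")
  raise 'signature does not verify' unless verified
  c = JSON.parse(Base64.urlsafe_decode64(p))
  raise 'iss mismatch' unless c['iss'] == CONFIG[:iss]
  raise 'client_id mismatch' unless Array(c['aud']).include?(CONFIG[:client_id])   # aud may be an array
  expiry = NONCES.delete(c['nonce'])                                                 # single use
  raise 'nonce unknown, expired or replayed' unless expiry && expiry > Time.now
  raise 'not an LtiResourceLinkRequest' unless c["#{LTI}/claim/message_type"] == 'LtiResourceLinkRequest'
  raise 'unsupported LTI version' unless c["#{LTI}/claim/version"] == '1.3.0'
  nrps = c["#{LTI}-nrps/claim/namesroleservice"]
  raise 'NRPS not available' unless nrps.is_a?(Hash) && nrps['context_memberships_url']
  c
end

# Constructed platform side (Step 3): sign an id_token for the nonce; overrides let a test break one claim.
def platform_id_token(nonce, overrides = {})
  body = { 'iss' => CONFIG[:iss], 'aud' => CONFIG[:client_id], 'nonce' => nonce,
           "#{LTI}/claim/message_type" => 'LtiResourceLinkRequest', "#{LTI}/claim/version" => '1.3.0',
           "#{LTI}-nrps/claim/namesroleservice" => { 'context_memberships_url' => "#{CONFIG[:iss]}/members" } }
  input = "#{b64url({ alg: 'RS256', typ: 'JWT' }.to_json)}.#{b64url(body.merge(overrides).to_json)}"
  "#{input}.#{b64url(PLATFORM_KEY.sign(OpenSSL::Digest::SHA256.new, input))}"
end
```

The check order matters: signature and claim checks run before the nonce is deleted, so a forged token does not burn a legitimate launch's nonce.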

@20wildmanj 20wildmanj marked this pull request as ready for review November 8, 2022 22:42
@20wildmanj 20wildmanj requested a review from najclark November 8, 2022 22:42
@20wildmanj 20wildmanj changed the title [WIP] Implement Initial LTI 1.3 Launch Implement Initial LTI 1.3 Launch Nov 8, 2022
@20wildmanj 20wildmanj requested a review from damianhxy November 8, 2022 23:15
@damianhxy (Member) commented:

[Screenshot 2022-11-10 at 22:13:48]

Steps successfully followed, although I think it's missing the step where we need to click the POST request button
[Screenshot 2022-11-10 at 22:11:54]

@damianhxy (Member) left a review:

Left some clarifying comments

@najclark (Contributor) commented:

Was able to follow the testing steps. PR looks good to me, besides the few things @damianhxy mentioned.

- rework lti_launch_initialize to have more readable logic
- add user-id to nonce to prevent overwrite from multiple launches by different users
@20wildmanj (Contributor, Author) commented:

> [Screenshot 2022-11-10 at 22:13:48]
>
> Steps successfully followed, although I think it's missing the step where we need to click the POST request button [Screenshot 2022-11-10 at 22:11:54]

Updated documentation, either GET or POST works for the oidc_login

```ruby
skip_before_action :authenticate_for_action

# have to do because we are making a POST request from Canvas
skip_before_action :verify_authenticity_token
```

Check failure (Code scanning / CodeQL): CSRF protection weakened or disabled. Potential CSRF vulnerability due to forgery protection being disabled or weakened.
@20wildmanj 20wildmanj merged commit 9da0c43 into master Nov 13, 2022
@20wildmanj 20wildmanj deleted the joeywildman-init-lti-setup branch November 13, 2022 20:43
@najclark najclark mentioned this pull request Jan 6, 2023