Scopes Table used in LTI Advantage tools?
We are developing a tool that is registered as an LTI Advantage.
In this tool we authenticate and authorize the user, then we try to call some API endpoints (with the authorization header applied).
To be able to call our selected API endpoints, we have to authorize the user specifying the right scopes.
Our question is:
How do we know which scopes we need to specify for the authorization?
Isn’t there a scopes table listing pairs of scopes and endpoints like for projects that are registered as OAuth 2.0 applications?
Answers
-
Hi @Judit.T.2921 ,
Thanks for reaching out to us through the community!!
All API calls have OAuth2 Scopes defined near the details of each API call explanation. Please refer to those sections for the required scope information.
For example:
You can also find more details on the scope by referring to the below document:
Please feel free to update if you have further questions or concerns.
Thanks
Bhoomika
-
Hi Bhoomika,
Thank you for the answer. I think the scopes that you are suggesting to me can be used when you have a tool that is registered as an OAuth 2.0 application and you use the 'authorization_code' approach to obtain the access token. But this is not my case.

I might be wrong, but based on my experience it seems to me that when the tool is registered as an LTI Advantage and we are using the 'client_credentials' approach to obtain the access token, then we have to use the security scopes that follow the IMS Global (1EdTech) standards:

As an example, the following code successfully gives me an access token. It authorizes my user with such scopes that give me access to an array of line items if I call the `https://${instance}.brightspace.com/d2l/api/lti/ags/2.0/deployment/${deploymentId}/orgunit/${orgUnit}/lineitems` endpoint.

    const payload = {
      grant_type: 'client_credentials',
      client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
      client_assertion: token, // (*)
      // Space-separated list of the requested LTI Advantage scopes
      scope: [
        'https://purl.imsglobal.org/spec/lti-ags/scope/score',
        'https://purl.imsglobal.org/spec/lti-nrps/scope/contextmembership.readonly',
        'https://purl.imsglobal.org/spec/lti-ags/scope/lineitem',
      ].join(' ')
    };
    const accessTokenResponse = await fetch('https://auth.brightspace.com/core/connect/token', {
      method: 'POST',
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
      body: new URLSearchParams(payload),
    });
    /* (*)
    The token contains the following in its payload:
    {
      iss: clientId,
      sub: clientId,
      aud: 'https://api.brightspace.com/auth/token',
      iat: now,
      nbf: now,
      jti: crypto.randomBytes(16).toString('hex'),
    };
    */

But my problem is that I am not interested in these line items. I would like to be able to call other endpoints for which I need to have my user be authorized with those scopes that are required by those endpoints. But it is really difficult to figure out what scopes I need for which endpoint.
I hope you will find the above explanation helpful.
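
The client_credentials request from the post above, extended to show how the client assertion is signed and how to see which requested scopes were actually granted. This is an added example, not part of the original post and not Brightspace's own code; the function names, the `keyId` header value and the 300-second `exp` are assumptions (RFC 7523 requires an `exp` claim in a JWT used for client authentication).

```javascript
const nodeCrypto = require('node:crypto');

const b64url = (text) => Buffer.from(text).toString('base64url');

// Builds the RS256-signed JWT that is sent as `client_assertion`.
// `keyId` (assumed) should match the `kid` of the public key the tool registered.
function buildClientAssertion({ clientId, audience, privateKey, keyId,
                                now = Math.floor(Date.now() / 1000) }) {
  const header = { alg: 'RS256', typ: 'JWT', kid: keyId };
  const claims = {
    iss: clientId,
    sub: clientId,
    aud: audience,
    iat: now,
    nbf: now,
    exp: now + 300, // short lifetime limits replay of a leaked assertion
    jti: nodeCrypto.randomBytes(16).toString('hex'), // unique per request
  };
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  // 'sha256' with an RSA key produces an RSASSA-PKCS1-v1_5 signature (RS256).
  const signature = nodeCrypto.sign('sha256', Buffer.from(signingInput), privateKey);
  return `${signingInput}.${signature.toString('base64url')}`;
}

// Form body for the token endpoint, in the same shape as the post's payload.
function buildTokenRequest(assertion, scopes) {
  return new URLSearchParams({
    grant_type: 'client_credentials',
    client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
    client_assertion: assertion,
    scope: scopes.join(' '),
  });
}

// Returns the requested scopes that the token response did not grant.
// RFC 6749 section 5.1: `scope` may be omitted only when it equals the request.
function missingScopes(requested, tokenResponse) {
  if (typeof tokenResponse.scope !== 'string') return [];
  const granted = new Set(tokenResponse.scope.split(' ').filter(Boolean));
  return requested.filter((scope) => !granted.has(scope));
}
```

Calling `missingScopes` on the parsed token response before using the access token shows immediately when a scope was requested but not enabled for the tool's registration.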
-
Hi @Judit.T.2921 - thanks for reaching out to Brightspace Community!
Since there is another thread on the Developers Group with a similar question, we will close this thread to avoid duplication. Please refer below for your latest response :)
Thank you!