The Basics of writing a Basic LTI Tool Provider

I hope this will be helpful for anyone just getting started with (Basic) LTI and wanting to create their first Tool Provider. Apologies for any abuse/misuse of the terminology – this is just how I understand it. To recap the two halves of an LTI launch:

Tool Consumer (TC) = An LTI-enabled VLE/LMS/other system that can make an LTI launch request. Generally (or at least the way we are using it), the TC manages user accounts/passwords, so that the Tool Provider doesn’t have to.
Tool Provider (TP) = an external tool that receives an LTI request from a TC and uses the launch data to work out what the user is able to see/do within the tool.

Useful links

I found the following useful when getting to grips with LTI and creating my first TP (in PHP):

Thanks of course to Dr Chuck and the rest of the LTI community for developing this specification and the above Classes, Tools and Tutorials.

Basic Implementation

The PHP Basic LTI class makes it very easy to do the LTI/OAuth bit of the TP. Here’s my pseudo-PHP code for the basic process:

//All of the LTI Launch data gets passed through in $_REQUEST
if(isset($_REQUEST['lti_message_type'])) {    //Is this an LTI Request?

    //We store oauth_consumer_key and secret pairs in our database, so we look the secret up here, but it can just be hard-coded (especially for testing)
    $secret = [secret];

    //Get BLTI class to do all the hard work (more explanation of these below)
    // - first parameter is the secret, which is required
    // - second parameter (defaults to true) tells BLTI whether to store the launch data is stored in the session ($_SESSION['_basic_lti_context'])
    // - third parameter (defaults to true) tells BLTI whether to redirect the user after successful validation
    $context = new BLTI($secret, true, false);

    //Deal with results from BLTI class 
    if($context->complete) exit(); //True if redirect was done by BLTI class
    if($context->valid) { //True if LTI request was verified
     //Let the user in
    }
}
else { //Not an LTI request, so either don't let this user in, or provide another way for them to authenticate, or show them only public content
}

Just to further explain the parameters passed when instantiating the BLTI class, the first argument is the secret, which is required and would usually be a string. Alternatively, you can pass through an associative array of database information (e.g. ‘table’ => ‘lti_keys’, ‘key_column’ => ‘oauth_consumer_key’), and the BLTI class will look up the secret from the database.

The second argument (true by default) tells the BLTI class whether to store the launch data in the session (from which it can be retrieved using $_SESSION[‘_basic_lti_context’]) and whether to try to automatically retrieve any stored LTI launch data if someone tries to access a tool without coming in through LTI. This means that if a user has initially come to a tool through LTI, then closes the browser tab containing the tool, and then goes directly back to the tool, without coming through LTI, as long as their session has not expired they will be allowed back into the tool, even though have not come through LTI. I would generally recommend keeping this as true, as I think this would usually be useful behaviour.

The third argument (true by default, but I generally set it to false) tells the BLTI class whether to do the redirect or not after validation of the request. Setting this to false will prevent it from doing the redirect.

I hope this is helpful. My understanding is pretty (cheap pun alert!) basic, so I would welcome any thoughts, queries, suggestions or corrections.

For further information/discussion of LTI, and how we have used it to allow access to our iCases system through WebLearn (our VLE), please see these posts:

11 Replies to “The Basics of writing a Basic LTI Tool Provider”

  1. Thanks for point me in the right direction. This is a total noob question, but where do I get the “secret” key as well as the “consumer” key Do I just generate them myself?

    1. Hi Eric,

      Yep, the Tool Provider (TP) defines and needs to store (e.g. in a database, or just hard coded while you’re getting started) both the key and secret. To start with I just made them up, but as a tool develops you may want to include a way for administrators to generate key/secret pairs.
      When you create a link to the TP from a Tool Consumer (TC), you have to enter a valid key/secret pair in the TC, so it can generate a signed request that the TP can validate.
      Hope that helps!
      Jon

  2. Thanks for simplifying this. I am a tool provider and needed to integrate it into a tool consumer. If possible, could you please share the PHP files that just do the basic authorization and allow a valid user to access my app content? I do not need any other features except the simple basic authorization and launch validation. I just plan to hardcode the secret code as well…I am lost searching through the web for Tool provider PHP code as they contains lots of details & information and am not able to get the very simple stuff that I wanted…please help.

    1. Hi Ravindra,

      The code snippet in the post and the Basic LTI PHP Class files (see the Useful Links) are all that you need. $context = new BLTI($secret); calls the Basic LTI Class and does the authentication stuff. If authentication was successful, then $context->valid === true and this is all you need to check to ensure that the user has come to your app through a valid LTI request.

      Hope that makes sense!

      Jon

  3. Jon,

    One silly question, My app is launching only if I delete a redirect being done by the BLTI class from lines 166 to 171 ( as below)
    if ( $this->valid && $doredirect ) {
    $host = $_SERVER[‘HTTP_HOST’];
    $uri = $_SERVER[‘PHP_SELF’];
    header(“Location: http://$host$uri“);
    $this->complete = true;
    }
    Could you please throw some light as to why this redirect is happening?

    1. Hi Ravindra,

      I think that must be something I discovered after I’d written this post, but didn’t then update the post, so thanks for making me think about it a bit more – I will update the post shortly.

      The default behaviour of the BLTI class is to redirect the user after doing the LTI validation, and this is what those lines are doing. You can switch the redirection off by passing extra arguments to the BLTI class (you can see the arguments that the BLTI constructor will accept on line 70 of BLTI.php), as follows:

      $context = new BLTI($secret, true, false);

      The third argument (false above) tells the BLTI class whether to do the redirect or not. Setting this to false will prevent it from doing the redirect.

      Just to explain for completeness, the second argument (true above, and true by default) tells the BLTI class whether to store the launch data in the session and try to retrieve any stored LTI launch data if someone tries to access a tool without coming in through LTI. This means that if a user has initially come to a tool through LTI, then closes the browser tab containing the tool, and then goes directly back to the tool, without coming through LTI, as long as their session has not expired they will be allowed back into the tool, even though have not come through LTI. I would generally recommend keeping this as true, as I think this would usually be useful behaviour.

      I hope that all makes sense!

      Jon

  4. I’m trying to set up my first LTI tool for Canvas and this has been a great help. I am confused about the “redirect”. If I follow the code, the BLTI seems to be sending the browser to the same PHP page it started on. Is there a code example that clarifies how this works? Sorry for the n00b question, but hopefully clarification can save other lost souls down the road.

  5. I want to generate the same oauth_signature, that I received from LTI website using moodle, in parameters.

    When I used lms.php , tool.php and tool_consumer_outcome.php file click launch, passing the parameters I received, It did not generate the same oauth_signature.

    Any one help?

Leave a Reply to jonm Cancel reply

Your email address will not be published. Required fields are marked *