Assignments and Grades integration in Moodle LMS - LTI 1.3 (With client_credentials base OAuth 2.0)


Moodle is the world’s most popular and most used learning management system. It’s easy to see why, the Moodle Learning Management System (LMS) is a flexible, open-source, and free to download learning management solution.

This article describes how we need to work with moodle APIs in order to manipulate assignments and grades. These details are specific to LTI 1.3 standards and using client credential base OAuth 2.0

In LTI 1.3 flow, the main part is OAuth 2.0. When we work with moodle APIs, it needs to send the access token along with each API call. That means before work with the end-points we have to have the access token with us. This article specifies the client credential base assess token and to get that access token we need an external tool in Moodle LMS. 

Let's see the process step by step....

 This process can be divided into three parts. 
  • Create an external tool in Moodle. 
  • Generate access token.
  • Manipulate assignments and grade APIs. 
1) Create an external tool in Moodle. 

As I mentioned earlier, to work with Moodle APIs we need an access token. For generating that access token there should be an external tool in Moodle LMS. After creating the external tool, moodle will provide a Client ID. In addition to that we need to provide a public key when we are creating the external tool, for decrypting the data that has been sent in order to get the token. It needs to send some details as a JWT with signed by our private key. Then moodle will decrypt the data by using the public key that we have provided. 

Let's see how to create an LTI 1.3 external tool in Moodle. 
  1. Login as an Admin to Moodle.
  2. Click on Site Administration> Plugins> External tool> Manage tools
  3. Click on "configure a tool manually" option.
  4. Enter below:
    - Tool name
    - Tool URL
    - LTI version: Select LTI 1.3
    - Public Key
    - Initiate login URL
    - Redirection URI(s)
    - Tool configuration usage: Default launch container
  5. Click on "Save changes" button
  6. The tool will appear in the Tools list
  7. Click on the icon of View Configuration details and the details are available there
    • Platform ID
    • Client ID
    • Deployment ID
    • Public keyset URL
    • Access token URL
    • Authentication request URL

Key Points :- 
    
    The public key should be in this format. 

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0B........public_key_string
-----END PUBLIC KEY-----



2) Generate access token.

To work with assignment and grade endpoints, it is essential to have the access token and needs to be sent along with each API call. This article will discuss the way how we can generate the client credential base access token. 

Let's see how to generate client credential base access token. 

The Moodle access token endpoint:- http://<<url_of_moodle_instant>>.com/moodle38/mod/lti/token.php
This endpoint will shows in the external tool details that we have created. 

Content-type :- application/x-www-form-urlencoded

Request body to get access token. 

grant_type : client_credentials
client_assertion_type : urn:ietf:params:oauth:client-assertion-type:jwt-bearer
client_assertion : XXXXX... (JWT signed by private key)
scope : https://purl.imsglobal.org/spec/lti-ags/scope/lineitem https://purl.imsglobal.org/spec/lti-ags/scope/lineitem.readonly https://purl.imsglobal.org/spec/lti-ags/scope/result.readonly https://purl.imsglobal.org/spec/lti-ags/scope/score



client_assertion

Client assertion is a JWT(java web token) signed with the private key. This token will decrypt in the moodle side using the public key which has provided when we are creating the external tool. To create this JWT we have to use specific details and signed with the private key. The encryption mechanism is RSA256.

These are the values used to generate the JWT.

{
    "iss": "https://example.com",
    "iat": 1580200798,
    "exp": 1611736798,
    "aud": "http://expample_moodle_instant.com/moodle38/mod/lti/token.php",
    "sub": "10000000001166"
}

iss :- Issuer (Domain of the application which requests the access token) 
iat :-  Token generated time
exp :- Token expiration time
and :- Audience (URL that we use to get the access token) 
sub :- Client ID (client ID provided by the moodle after the external tool creation)

We can use www.jwt.io to generate this JWT manually. 




When we call this API, moodle will decrypt the JWT token and do the validations. If the provided details are valid, Moodle will provide the access token relevant to the client ID and requested scope. Using that access token we can manipulate Moodle assignments and grade endpoints. 


3) Manipulate assignment and grade APIs.

To manipulate assignments and grade APIs it is needed to have the access token given by Moodle. Also, there are specific content-types that are related to IMS standards. This content type is very important to work with the APIs.  


Get Assignment (get lineItem) 

API :- http://<<example-moodle-instant>>.com/moodle38/moodle38/mod/lti/services.php/80028/lineitems/53/lineitem
Method :- GET
Authentication :- Bearer token


Create Assignment (create lineItem) 

API :- http://<<example-moodle-instant>>.com/moodle38/mod/lti/services.php/80028/lineitems?type_id=19
Method :- POST
Content-type :- application/vnd.ims.lis.v2.lineitem+json
Authentication :- Bearer token
Sample body:-

    {
    "id""123",
    "scoreMaximum"100,
    "label""CreateAssignmentTest"
    }

Update Assignment (update lineItem) 

API :- http://<<example-moodle-instant>>.com/moodle38/mod/lti/services.php/80028/lineitems/107/lineitem?type_id=19
Method :- PUT
Content-type :- application/vnd.ims.lis.v2.lineitem+json
Authentication :- Bearer token
Sample body:-

    {
    "id""123",
    "scoreMaximum"150,
    "label""Tesing123",
    "tag""MyTag"
    }


Delete Assignment (delete lineItem) 

API :- http://<<example-moodle-instant>>.com/moodle38/mod/lti/services.php/80028/lineitems/90/lineitem?type_id=19
Method :- DELETE
Authentication :- Bearer token


Grade Sync

API :- http://<<example-moodle-instant>>.com/moodle38/mod/lti/services.php/80037/lineitems/71/lineitem/scores?type_id=19
Method :- PUT
Content-type :- application/vnd.ims.lis.v1.score+json
Authentication :- Bearer token
Sample body:-

    {
    "timestamp": "2020-12-10T18:54:36.736+00:00",
    "scoreGiven": 8,
    "scoreMaximum": 100,
    "comment": "This is exceptional work.",
    "activityProgress": "Completed",
    "gradingProgress": "FullyGraded",
    "userId": "80056"
    }

Get Grade Result  (get lineItem) 

API :- http://<<example-moodle-instant>>.com/moodle38/mod/lti/services.php/80037/lineitems/90/lineitem/results/?type_id=19
Method :- GET
Authentication :- Bearer token

These are the main assignments and grades APIs in Moodle related to LTI 1.3. I hope that, this article will helpful for integrating an application with Moodle LMS. 

Comments

Post a Comment

Popular posts from this blog

Image
How to link WebStorm IDE with GitHub windows application The main advantage of link WebStrom with GitHub windows application is you can do the version controlling directly through the WebStorm IDE. When you are doing a project  using WebStorm IDE you can use git command which are use to version controlling in the IDE it self, if you have linked with GitHub windows application. Now will see how to link WebStorm IDE with GitHub windows application.. step 1) Install WebStorm IDE. step 2) install GitHub windows application and clone with the project which is  in the GitHub or GitLab repository. step 3) Open that project using WebStorm. IF you have done those three step already follow these steps to link WebStorm and GitHub windows application. step 4) Go to this file path and copy it.           C drive -> Users -> <your user file> -> Appdata -> Local ->            GitHub ->   PortableGit_f02737a78695063deace08e96d50
Read more

Cross Site Request Forgery Protection

Image
Cross Site Request Forgery Protection PHP web application What is CSRF (Cross Site Request Forgery protection) ?  Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application. In this blog I will be discuss about two prevention methods for CSRF.        
Read more