Key management
LTI messages are signed with key pairs (a private key and a public key), and django-lti
provides helpers for generating and managing those keys.
The Key model
In django-lti, keys are stored in the database using the
Key model. In typical usage, an application does not need to use the
Key model directly. Instead, keys are generated and deactivated using a
management command.
Rotating keys
Keys can be rotated using the rotate_keys management command. The
--deactivate_after option may be specified to indicate the
number of days after which keys should be deactivated.
If desired, a cronjob can be configured to rotate and deactivate keys on a regular schedule.
0 0 * * 0 /path/to/python /path/to/manage.py rotate_keys
Exposing a key set URL
Tools must make their public keys available to platforms through a key set URL.
The jwks() view is provided by django-lti for this purpose.
    from django.urls import path
    from lti_tool.views import jwks

    urlpatterns = [
        path(".well-known/jwks.json", jwks, name="jwks"),
        ...
    ]
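The following added example (not django-lti's own code) models what the two sections above describe: a rotate_keys run with --deactivate_after keeps older keys active for a grace window so messages signed just before rotation still verify, and the key set URL publishes only the public parts of active keys as JWKs. The Key fields, the sample moduli and the helper names are assumptions for illustration, not the real model.

```python
import base64
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


def b64url_uint(value: int) -> str:
    """Base64url (unpadded) of an unsigned big-endian integer, as JWK requires."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


@dataclass
class Key:  # assumed shape, not the django-lti Key model
    kid: str
    n: int  # RSA public modulus; sample values below are constructed, not real keys
    e: int
    created: datetime
    is_active: bool = True


def rotate_keys(keys, new_key, now, deactivate_after=None):
    """Model of `rotate_keys [--deactivate_after DAYS]`: add the fresh key and
    deactivate keys created more than DAYS ago. Keys inside the window stay
    active so in-flight messages signed with them still verify."""
    keys = keys + [new_key]
    if deactivate_after is not None:
        cutoff = now - timedelta(days=deactivate_after)
        for key in keys:
            if key.created < cutoff:
                key.is_active = False
    return keys


def jwks(keys):
    """What the key set URL should publish: public parts of active keys only."""
    return {"keys": [
        {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": k.kid,
         "n": b64url_uint(k.n), "e": b64url_uint(k.e)}
        for k in keys if k.is_active]}


def find_key(key_set, kid):
    """Platform-side lookup by kid; None means the key set should be re-fetched."""
    return next((jwk for jwk in key_set["keys"] if jwk["kid"] == kid), None)


def example():
    """Constructed scenario: a 40-day-old key, a 5-day-old key, one new key, 30-day window."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    old = Key("k1", 0xC0FFEE, 65537, now - timedelta(days=40))
    recent = Key("k2", 0xBEEF, 65537, now - timedelta(days=5))
    keys = rotate_keys([old, recent], Key("k3", 0xCAFE, 65537, now), now, 30)
    return jwks(keys)
```

Running example() yields a key set containing k2 and k3 only; a platform that meets an unknown kid such as k1 should re-fetch the key set before rejecting the message.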
Resources
Details of how key pairs are used by LTI tools are described in the 1EdTech Security Framework.