OIDC Initiation

LTI launches use the OIDC third-party initiation flow as a security measure to prevent CSRF attacks. As a part of this workflow, an LTI tool must:

  1. Receive an initiation request from a registered platform.

  2. Respond with a properly formed authentication request.

Handling an initiation request

To handle an initiation request from an LTI platform, django-lti provides OIDCLoginInitView, which can be used as-is in a Django project to return an authentication request to the platform.

# ...
from django.urls import path
from lti_tool.views import OIDCLoginInitView

urlpatterns = [
    # The platform POSTs its initiation request to this route; the UUID selects the registration.
    path("init/<uuid:registration_uuid>/", OIDCLoginInitView.as_view(), name="init"),
    # ...
]

The registration_uuid parameter is a reference to the LtiRegistration.uuid property, and is used to identify the platform registration associated with the initiation request.

Customizing language for blocked cookies

When the user's browser prevents embedded content from setting cookies within an iframe, the module displays a message about it and a link to open the content in a new tab or window. The language of the message and link may be customized using optional message arguments to OIDCLoginInitView.as_view().

# ...
from django.urls import path
from lti_tool.views import OIDCLoginInitView

urlpatterns = [
    path("init/<uuid:registration_uuid>/", OIDCLoginInitView.as_view(
        # Shown when the browser blocks third-party cookies inside the iframe.
        main_msg=(
            "Your browser prevents embedded content from using cookies.  To work "
            "around this, the content must be opened in a new tab or window.  "
        ),
        # Label of the link that opens the content in a new tab or window.
        click_msg="Open a new tab or window now.",
        # Shown while the cookie check is still running.
        loading_msg="Loading..."
    ), name="init"),
    # ...
]

The main_msg, click_msg, and loading_msg optional arguments are passed to DjangoOIDCLogin.enable_check_cookies() to generate the messages shown in the UI. The values shown here are the defaults used by OIDCLoginInitView. If the browser does not allow cookies, the value of main_msg is shown, followed by a link whose label is the value of click_msg and which opens the content in a new tab or window.

Customizing the authentication request

By default, the response from OIDCLoginInitView uses the target_link_uri from the initiation request as the redirect_uri of the authentication request. If the application requires a different redirect_uri, it can be provided by overriding the get_redirect_url() method.

from lti_tool.views import OIDCLoginInitView


class CustomLoginInitView(OIDCLoginInitView):
    def get_redirect_url(self, target_link_uri):
        # Ignore the platform-supplied target_link_uri and always redirect to a fixed path.
        return "https://my.tool/some/custom/path/"
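The two steps of the initiation flow described at the top of this page (receive the platform's initiation request, answer with an authentication request), including the default-to-target_link_uri redirect_uri behaviour and its override from this section, as an added stand-alone example. This is not django-lti's or pylti1.3's code; the registration, endpoint and request values are constructed placeholders, and `session` is a plain dict standing in for Django's session store.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse
# Constructed placeholder registration; a real tool loads this from LtiRegistration.
REGISTRATION = {
    "issuer": "https://platform.example.edu",
    "client_id": "example-client-id",
    "auth_url": "https://platform.example.edu/lti/authorize",
}
# Constructed initiation request, as a platform would POST it to init/<uuid>/.
INIT_REQUEST = {
    "iss": "https://platform.example.edu",
    "login_hint": "user-42",
    "target_link_uri": "https://my.tool/launch/",
    "lti_message_hint": "resource-7",
}

def build_auth_request(init_params, registration, session, redirect_uri=None):
    """Validate the initiation request and return the authentication request URL.
    State and nonce go into `session` (a dict standing in for the server-side session)."""
    if init_params.get("iss") != registration["issuer"]:
        raise ValueError("iss does not match the registration")
    for required in ("login_hint", "target_link_uri"):
        if not init_params.get(required):
            raise ValueError(f"initiation request is missing {required}")
    state, nonce = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    session["lti_state"], session["lti_nonce"] = state, nonce
    query = {
        "scope": "openid",
        "response_type": "id_token",
        "response_mode": "form_post",
        "prompt": "none",
        "client_id": registration["client_id"],
        # Defaults to target_link_uri like OIDCLoginInitView; the override mirrors get_redirect_url().
        "redirect_uri": redirect_uri or init_params["target_link_uri"],
        "login_hint": init_params["login_hint"],
        "state": state,
        "nonce": nonce,
    }
    if init_params.get("lti_message_hint"):
        query["lti_message_hint"] = init_params["lti_message_hint"]
    return f"{registration['auth_url']}?{urlencode(query)}"

def query_params(url):
    """Flatten the query string of an authentication request URL for inspection."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

def state_matches(session, returned_state):
    """Constant-time check of the state echoed back with the id_token response."""
    expected = session.get("lti_state")
    return bool(expected) and isinstance(returned_state, str) and secrets.compare_digest(expected, returned_state)
```

The state stored in the session is what makes the later launch response verifiable: a launch whose state does not match the one issued here is rejected, which is the CSRF protection the flow exists to provide.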

Resources