Core library interfaces
Depending on the top level services you want to use, you have to provide your own implementation of the following interfaces.
Mandatory interfaces
This section present the mandatory interfaces from the library to be implemented to use provided services.
Registration repository interface
Required by: - Message - Service
In order to be able to retrieve your registrations from your configuration storage, you need to provide an implementation of the RegistrationRepositoryInterface.
For example:
<?php
use OAT\Library\Lti1p3Core\Registration\RegistrationInterface;
use OAT\Library\Lti1p3Core\Registration\RegistrationRepositoryInterface;
$registrationRepository = new class implements RegistrationRepositoryInterface
{
public function find(string $identifier): ?RegistrationInterface
{
// TODO: Implement find() method to find a registration by identifier, or null if not found.
}
public function findAll(): array
{
// TODO: Implement findAll() method to find all available registrations.
}
public function findByClientId(string $clientId) : ?RegistrationInterface
{
// TODO: Implement findByClientId() method to find a registration by client id, or null if not found.
}
public function findByPlatformIssuer(string $issuer, string $clientId = null): ?RegistrationInterface
{
// TODO: Implement findByPlatformIssuer() method to find a registration by platform issuer, and client id if provided.
}
public function findByToolIssuer(string $issuer, string $clientId = null): ?RegistrationInterface
{
// TODO: Implement findByToolIssuer() method to find a registration by tool issuer, and client id if provided.
}
};
createTestRegistrationRepository() of the DomainTestingTrait.
User authenticator interface
Required by: Message
During the OIDC authentication handling on the platform side, you need to define how to delegate the user authentication by providing an implementation of the UserAuthenticatorInterface.
For example:
<?php
use OAT\Library\Lti1p3Core\Registration\RegistrationInterface;
use OAT\Library\Lti1p3Core\Security\User\UserAuthenticatorInterface;
use OAT\Library\Lti1p3Core\Security\User\Result\UserAuthenticationResultInterface;
$userAuthenticator = new class implements UserAuthenticatorInterface
{
public function authenticate(
RegistrationInterface $registration,
string $loginHint
): UserAuthenticationResultInterface {
// TODO: Implement authenticate() method to perform user authentication (ex: session, LDAP, etc)
}
};
- you can find a simple implementation example of this interface in the method
createTestUserAuthenticator()of the SecurityTestingTrait. - you can find a ready to use
UserAuthenticationResultInterfaceimplementation is available in UserAuthenticationResult
Optional interfaces
This section present the optional interfaces from the library you can implement, but for which a default implementation is already provided.
Nonce repository interface
Default implementation: NonceRepository
In order to be able to store security nonce the way you want, you can provide an implementation of the NonceRepositoryInterface.
For example:
<?php
use OAT\Library\Lti1p3Core\Security\Nonce\NonceInterface;
use OAT\Library\Lti1p3Core\Security\Nonce\NonceRepositoryInterface;
$nonceRepository = new class implements NonceRepositoryInterface
{
public function find(string $value) : ?NonceInterface
{
// TODO: Implement find() method to find a nonce by value, or null if not found.
}
public function save(NonceInterface $nonce) : void
{
// TODO: Implement save() method to save a nonce (cache, database, etc)
}
};
JWKS fetcher interface
Default implementation: JwksFetcher
In order to be able to fetch public keys JWK from configured JWKS endpoint, you need to provide an implementation of the JwksFetcherInterface.
For example:
<?php
use OAT\Library\Lti1p3Core\Security\Jwks\Fetcher\JwksFetcherInterface;
use OAT\Library\Lti1p3Core\Security\Key\KeyInterface;
$fetcher = new class implements JwksFetcherInterface
{
public function fetchKey(string $jwksUrl, string $kId) : KeyInterface
{
// TODO: Implement fetchKey() method to find a Key via an HTTP call to the $jwksUrl, for the kid $kId.
}
};
- it is recommended to put in cache the JWKS endpoint responses, to improve performances since they don't change often. Your implementation can then rely on a cache by example.
- the ready to use JwksFetcher works with a guzzle client to request JWKS data, a PSR6 cache to cache them, and a PSR3 logger to log this process.
LTI platform message launch validator interface
Default implementation: PlatformLaunchValidator
To customise platform message launch validation, an implementation of the PlatformLaunchValidatorInterface can be provided.
LTI tool message launch validator interface
Default implementation: ToolLaunchValidator
To customise tool message launch validation, an implementation of the ToolLaunchValidatorInterface can be provided.
LTI service client interface
Default implementation: LtiServiceClient
In order to send authenticated service calls, an implementation of the LtiServiceClientInterface can be provided.
For example:
<?php
use OAT\Library\Lti1p3Core\Service\Client\LtiServiceClientInterface;
use OAT\Library\Lti1p3Core\Registration\RegistrationInterface;
use Psr\Http\Message\ResponseInterface;
$client = new class implements LtiServiceClientInterface
{
public function request(RegistrationInterface $registration, string $method, string $uri, array $options = [], array $scopes = []) : ResponseInterface
{
// TODO: Implement request() method to manage authenticated calls to services.
}
};
- it is recommended to put in cache the service access tokens, to improve performances. Your implementation can then rely on an injected PSR6 cache by example.
LTI service server access token generator interface
Default implementation: AccessTokenResponseGenerator
To customise access token generation, an implementation of the AccessTokenResponseGeneratorInterface can be provided.
LTI service server access token validator interface
Default implementation: RequestAccessTokenValidator
To customise access token validation, an implementation of the RequestAccessTokenValidatorInterface can be provided.
LTI service server client repository interface
Default implementation: ClientRepository
In order to retrieve and validate clients involved in authenticated service calls, an implementation of the ClientRepositoryInterface can be provided.
Notes:
- the default
ClientRepositoryinjects theRegistrationRepositoryInterfaceto be able to expose your platforms as oauth2 providers and tools as consumers. - in case of the consumer tool public key is not given in the registration, it will automatically fallback to a JWKS call.
LTI service server access token repository interface
Default implementation: AccessTokenRepository
In order to store service calls access tokens, an implementation of the AccessTokenRepositoryInterface can be provided.
Note: the default AccessTokenRepository implementation rely on a PSR6 cache to store generated access tokens.
LTI service server scope repository interface
Default implementation: ScopeRepository
In order to retrieve and finalize scopes during grants, an implementation of the ScopeRepositoryInterface can be provided.
Note:
- the default
ScopeRepositorywill just provide back scopes given at construction.
Id generator interface
Default implementation: IdGenerator
To customise overall id generation, an implementation of the IdGeneratorInterface can be provided.
Note:
- the default
IdGeneratorgenerates UUIDv4.
JWT interface
Default implementation: Token
To customise JWT handling, an implementation of the TokenInterface can be provided.
JWT builder interface
Default implementation: Builder
To customise JWT creation, an implementation of the BuilderInterface can be provided.
JWT parser interface
Default implementation: Parser
To customise JWT parsing, an implementation of the ParserInterface can be provided.
JWT validator interface
Default implementation: Validator
To customise JWT validation, an implementation of the ValidatorInterface can be provided.