Django 4.1 will be released on or around August 3.

Documentation of related Sphinx features:

• https://www.sphinx-doc.org/en/master/usage/extensions/autodoc.html
• https://www.sphinx-doc.org/en/master/usage/restructuredtext/domains.html

Possibly useful examples:

• https://github.com/aaugustin/django-sesame/blob/main/docs/reference.rst
• https://github.com/joke2k/django-environ/blob/main/docs/api.rst

It seems like it might be useful to create a Django Authentication Backend to allow apps to authenticate users based on LTILaunch information.

The backend might be something as simple as:

from django.contrib.auth.backends import BaseBackend

class LtiLaunchAuthenticationBackend(BaseBackend):
    def authenticate(self, request, lti_launch=None):
        return lti_launch.user.auth_user

Spec available at https://www.imsglobal.org/spec/lti-dr/v1p0

Defines a way to automate the exchange of registration information between platforms and tools that use the OpenId Connect and oAuth 2 registration flows, allowing platform administrators to automate tool registrations and avoid tedious and possibly error prone manual configuration while remaining in control of granting or denying tools access to the platform.

Notably, support for Django 3.2 LTS ended on April 1st, 2024.

Via @doreilly

This is definitely not important for now, but it might be nice to consider whether this is worthwhile to be represented as a Namedtuple. I'm imagining a time where we might want to expose that to a frontend as a dictionary/ESObject, or maybe we want to do a test to see if we're only allowed to be x pixels wide, and destructuring a tuple might be a little strange compared to an attribute access.

Seeing these warnings during the packaging workflow.

Warning: Input 'repository_url' has been deprecated with message: The inputs have been normalized to use kebab-case. Use `repository-url` instead.
Warning: Input 'skip_existing' has been deprecated with message: The inputs have been normalized to use kebab-case. Use `skip-existing` instead.

Appears to originate here...

This will mainly just be adding 3.11 to the text matrix, but there may also be some issues with our use of Enums.

This value can optionally be provided by the platform, in which case it will be used by the tool when requesting an auth token.

At a minimum...

• Syncing lineitems
• Creating lineitems
• Syncing results
• Sending a score to a lineitem

The LtiMembership.normalize_role method feels like it should probably be a function in utils or similar.

The public/private key fields in the RegistrationAdmin are not frequently used, so they should be added to a fieldset to reduce confusion.

Test publishing workflow does not seem to be honoring the skip-existing input. See pypa/gh-action-pypi-publish#201.

This library should allow applications to specify custom behavior for handling and activating new deployments.

There should be a new enum constant for system roles.

Django 5.0 final release is planned for December 4.

In Canvas it is possible to add multiple placements of a tool to a single course, but using different deployment IDs. While this isn't recommended behavior, it isn't contrary to the description of context.id in the spec.

id (REQUIRED). Stable identifier that uniquely identifies the context from which the LTI message initiates. The context id MUST be locally unique to the deployment_id. It is recommended to also be locally unique to iss (Issuer). The value of id MUST NOT exceed 255 ASCII characters in length and is case-sensitive.

Two contexts with the same ID currently cause launches to fail during retrieval of LtiLaunch.membership.

This library could provide default forms and views for platform configuration, similar to how django.contrib.auth provides built-in forms and built-in views.

PyPI has introduced trusted publishing via a GitHub action. An example setup is described at https://pgjones.dev/blog/trusted-plublishing-2023/.

Canvas appears to send the placement from which a tool was launched in the https://www.instructure.com/placement claim.

There should be a new enum constant for institution roles.

This library could use the LTI 1.1 migration claim in a few ways.

1. Add fields for LTI 1.1 IDs to LtiUser, LtiContext, and LtiPlatformInstance
2. Sync those fields when the LTI 1.1 migration claim is present in a launch
3. Add methods to LtiLaunch to retrieve oauth_consumer_key and its verification status

First of all, I would like to thank you for your work on this package. We've been using it for a little while at the company I work for, and are very happy with it.

Also, if you just want to read my question, read the last paragraph ;)

Background

The Cookie Problems

Third-party cookies are being blocked by web browsers. By my tests on macOS, at least Safari and Chrome block the cookies. Cookies are being used in the OpenID Connect flow to keep track of the state (in PyLTI1.3), and the fact that there are issues is being acknowledged by the developer of PyLTI1.3. Unfortunately, the mentioned fixes do not work for deep linking, which seems to be needed to be opened in an iframe.

The solutions provided by 1EdTech (still in review and comment status)

As you might know, the solution provided by the proposed specification is to use postMessages.
The specifications, copied and pasted from 1EdTech:
OIDC Login with LTI Client Site PostMessages (start here)
LTI Client Side postMessages
LTI postMessage Storage

Maintainer difficulties PyLTI1.3

The current maintainer of PyLTI1.3 indicated that he does not have time for implementing new features, and that also seems to be the case for reviewing PRs, as you can see with #3 and the PR that has been made upstream.

Implementation of the postMessage solution

At my work, we're trying to patch some classes and implement the postMessage solution ourselves. Although I must admit that the implantation is very much incomplete at this moment. We're willing to collaborate on it, and/or write the code and try to push that code upstream, and make sure it's available for the open-source community.

I guess the main question that we have is: Have you already had a look at the postMessage specification, and have you been thinking of implementing it in this repo? Especially, as probably creating a PR in PyLTI1.3 won't be merged.

Another source on this matter: unicon.net

Currently to make Django projects embeddable within an LMS, we need to disable the django.middleware.clickjacking.XFrameOptionsMiddleware middleware. This eliminates a barrier, but opens the site up to potential clickjacking attacks. The more flexible and recommended way of handling these security restrictions is to use Content-Security-Policy headers, with frame-ancestors listing allowable domains. It might be a good idea to have some functionality built into our library to automatically generate the list of allowable domains with the set of active platforms or registrations.

We can provide a view or utility to help applications generate a JSON tool configuration appropriate for Canvas.

The test-publish job will fail with running from a fork.

To (hopefully) allow workflows to run on PRs from forks.

It would be useful to build a Django Debug Toolbar Panel that would display LTI Launch contents.

The test-publish job fails on PRs from dependabot forks (and probably all forks).

Notice: Attempting to perform trusted publishing exchange to retrieve a temporary short-lived API token for authentication against https://test.pypi.org/legacy/ due to __token__ username with no supplied password field
Error: Trusted publishing exchange failure: 
OpenID Connect token retrieval failed: GitHub: missing or insufficient OIDC token permissions, the ACTIONS_ID_TOKEN_REQUEST_TOKEN environment variable was unset

This generally indicates a workflow configuration error, such as insufficient
permissions. Make sure that your workflow has `id-token: write` configured
at the job level, e.g.:

permissions:
  id-token: write

Learn more at https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings.

We should add a new enum constant for the non-depreciated items in the context type vocabulary. Internally we can make use of this in utils.sync_context_from_launch.