Implicit grants flow in LTI and Spring Security

Markus Stetschnig

Jul 18, 2024, 11:33:07 AM
to saka...@apereo.org
Hi Sakaigers!

Recently I was trying to upgrade the Spring Framework version for a
library that handles the LTI 1.3 authentication flow for applications using
Spring Security. The pain point for the upgrade was that Spring Security
dropped support for the implicit grant OAuth2 flow. Behind the
deprecation lie security concerns and finally the deprecation of the
implicit grant in OAuth 2.1. There are alternatives to the implicit
grant flow, but to follow the LTI spec, it is required. Even though
security is not a big concern here, because risks are mitigated by using
a third-party initiated login, I see it as a problem because the broader
ecosystem seems to move away from an underlying specification of LTI.

I am bringing this up on the Sakai dev list, because I can imagine that
this Spring Security library for LTI authentication is in use by tools
that Sakai institutions are using, and because I know that there are several
people in the Sakai community who know a lot about and work a lot with
the LTI specification. With regards to this, I have a few questions for you:

Is there any progress or discussion about moving away from implicit grants in the
LTI specification?

Do you know of any other frameworks, libraries, platforms or
specifications that are moving away from implicit grants or are running
into problems with it?

Are you using the library in question and what would you do without it?

Are you using any other libraries that help with LTI authentication for
Spring applications or Java applications in general?


If someone wants to dig deeper into what I was talking about:
LTI 1.3 library for Spring security:
https://github.com/oxctl/spring-security-lti13
Implicit grant required for platform originating messages:
https://www.imsglobal.org/spec/security/v1p1/#platform-originating-messages
Discussion with Spring Security team around this issue:
https://github.com/spring-projects/spring-security/issues/15111

Thanks and best regards.
--
-----------------------------------------------
Markus Stetschnig
Software developer at EDF

Website: https://www.edf.global
LinkedIn: https://linkedin.com/company/entornosdeformacion
Office Phone: +34 - 96 381 35 75
Mail policy: https://www.edf.global/en/mail-policy/
-----------------------------------------------