Platform Services - celtic-project/LTI-PHP GitHub Wiki
At present the LTI specifications do not include any services for platforms, but platforms are required to respond to service requests from tools. The main actions for platforms with respect to services are:
- issue an access token
- respond to an incoming service request
Whilst bespoke code can be used for these actions (especially for the second), the library does offer some assistance.
The library is capable of generating an access token in the form of a signed JWT so that there is no need for these to be managed by the platform. For example:
```json
{
  "sub": "<Client ID>",
  "iat": ...,
  "exp": ...,
  "imsglobal.org.security.scope": "https://purl.imsglobal.org/spec/lti-ags/scope/score"
}
```
The `iat` claim is the timestamp for when the access token was generated, and the `exp` claim is for when the access token is scheduled to expire. The life of an access token defaults to 1 hour (3600 seconds), but this can be changed as needed. For example, use the following line (before calling `sendAccessToken`) to make the life 2 hours:

```php
Platform::$accessTokenLife = 7200;
```
For a platform which supports the LineItem and Score services, its endpoint for the access token service could use code such as:
```php
... // Initialise $platform variable
if ($platform->verifySignature()) {
    $platform->sendAccessToken([
        'https://purl.imsglobal.org/spec/lti-ags/scope/lineitem',
        'https://purl.imsglobal.org/spec/lti-ags/scope/lineitem.readonly',
        'https://purl.imsglobal.org/spec/lti-ags/scope/score'
    ]);
} else {
    Util::sendResponse('', '', 400, 'Bad Request');
}
```
The `sendAccessToken` method generates and returns an access token for all the requested scopes which are included in the array of supported scopes passed to it. If no supported scopes have been requested, no access token will be generated and a 400 response will be returned.
Most of the code for responding to service requests will be bespoke, but the incoming request can be checked to ensure it has been authorised using code such as:
```php
...
// Scopes which this service accepts
$allowedScopes = [
    'https://purl.imsglobal.org/spec/lti-ags/scope/lineitem',
    'https://purl.imsglobal.org/spec/lti-ags/scope/lineitem.readonly'
];
if (!$platform->verifyAuthorization($allowedScopes)) {
    Util::sendResponse('', '', 401, 'Unauthorized');
}
...
```
The `verifyAuthorization` method should be passed an array of the scope(s) which are used by this service. On completion, this array will only contain those scopes which were actually included in the access token. NB: this method should only be used when the platform has issued access tokens generated by the `sendAccessToken` method (see above).
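The scope handling described above for `sendAccessToken` and `verifyAuthorization`, as an added stand-alone example that is not code from the LTI-PHP library. The function names `issueToken` and `authorizedScopes`, HS256 signing with a platform-held secret, the space-separated scope claim and all sample values are assumptions made for illustration.

```php
<?php
// Added example: a stand-alone model of the token flow, not the LTI-PHP implementation.
// Assumptions: function names, HS256 with a platform-held secret, space-separated scopes.
const AGS = 'https://purl.imsglobal.org/spec/lti-ags/scope/';

function b64url(string $s): string
{
    return rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
}

// Grant only the requested scopes which are also supported; null corresponds to the 400 case.
function issueToken(string $clientId, array $requested, array $supported, string $key, int $life = 3600, ?int $now = null): ?string
{
    $granted = array_values(array_intersect($requested, $supported));
    if (!$granted) {
        return null;
    }
    $now = $now ?? time();
    $claims = ['sub' => $clientId, 'iat' => $now, 'exp' => $now + $life,
        'imsglobal.org.security.scope' => implode(' ', $granted)];
    $input = b64url(json_encode(['alg' => 'HS256', 'typ' => 'JWT'])) . '.' . b64url(json_encode($claims));
    return $input . '.' . b64url(hash_hmac('sha256', $input, $key, true));
}

// Return the entries of $allowed carried by a valid, unexpired token; [] corresponds to the 401 case.
function authorizedScopes(string $token, array $allowed, string $key, ?int $now = null): array
{
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return [];
    }
    $expected = b64url(hash_hmac('sha256', $parts[0] . '.' . $parts[1], $key, true));
    if (!hash_equals($expected, $parts[2])) { // constant-time signature comparison
        return [];
    }
    $claims = json_decode(base64_decode(strtr($parts[1], '-_', '+/')), true);
    if (!is_array($claims) || ($claims['exp'] ?? 0) <= ($now ?? time())) {
        return [];
    }
    $tokenScopes = explode(' ', $claims['imsglobal.org.security.scope'] ?? '');
    return array_values(array_intersect($allowed, $tokenScopes));
}

// Constructed sample: the tool requests score plus a scope this platform does not support.
$key = 'constructed-demo-secret';
$token = issueToken('client-123', [AGS . 'score', AGS . 'result.readonly'], [AGS . 'lineitem', AGS . 'score'], $key);
var_dump(authorizedScopes($token, [AGS . 'score'], $key));                // scope granted at issue time
var_dump(authorizedScopes($token, [AGS . 'lineitem'], $key));             // supported, but never requested
var_dump(authorizedScopes($token, [AGS . 'score'], $key, time() + 7200)); // checked after the token's life
```

A service which accepts both a read-only and a read-write scope can inspect the narrowed array to decide whether a modifying request is permitted, rather than treating any valid token as full access.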