{"id":37021060,"url":"https://github.com/kstateome/lti-launch","last_synced_at":"2026-01-14T02:28:22.399Z","repository":{"id":23184348,"uuid":"49009126","full_name":"kstateome/lti-launch","owner":"kstateome","description":"Java framework for authenticating LTI launch requests from the Canvas LMS","archived":false,"fork":false,"pushed_at":"2024-09-26T21:51:44.000Z","size":206,"stargazers_count":14,"open_issues_count":6,"forks_count":14,"subscribers_count":26,"default_branch":"master","last_synced_at":"2025-07-23T16:59:55.326Z","etag":null,"topics":["canvas-lms","java","lti"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"lgpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/kstateome.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"License.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2016-01-04T16:33:39.000Z","updated_at":"2025-07-15T13:52:17.000Z","dependencies_parsed_at":"2022-07-27T03:47:25.998Z","dependency_job_id":null,"html_url":"https://github.com/kstateome/lti-launch","commit_stats":null,"previous_names":[],"tags_count":13,"template":false,"template_full_name":null,"purl":"pkg:github/kstateome/lti-launch","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kstateome%2Flti-launch","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kstateome%2Flti-launch/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kstateome%2Flti-launch/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kstateome%2Flti-launch/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/kstateome","download_url":"https://codeload.github.com/kstateome/lti-launch/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kstateome%2Flti-launch/sbom","scorecard":{"id":571632,"data":{"date":"2025-08-11","repo":{"name":"github.com/kstateome/lti-launch","commit":"3b8c9b7899d04ecfd78047df7c799ce8255e684b"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":2.7,"checks":[{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/maven.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/kstateome/lti-launch/maven.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/maven.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/kstateome/lti-launch/maven.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/maven.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/kstateome/lti-launch/maven.yml/master?enable=pin","Info:   0 out of   3 GitHub-owned GitHubAction dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Code-Review","score":2,"reason":"Found 5/18 approved changesets -- score normalized to 2","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/maven.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: License.txt:0","Info: FSF or OSI recognized license: GNU Lesser General Public License v3.0: License.txt:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'master'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 21 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":0,"reason":"25 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-4jrv-ppp4-jm57","Warn: Project is vulnerable to: GHSA-5mg8-w23w-74h3","Warn: Project is vulnerable to: GHSA-7g45-4rm6-3mm3","Warn: Project is vulnerable to: GHSA-j288-q9x7-2f5v","Warn: Project is vulnerable to: GHSA-mmf6-6597-3v6m","Warn: Project is vulnerable to: GHSA-q3v6-hm2v-pw99","Warn: Project is vulnerable to: GHSA-mg83-c7gq-rv5c","Warn: Project is vulnerable to: GHSA-c4q5-6c82-3qpw","Warn: Project is vulnerable to: GHSA-36p3-wjmg-h94x","Warn: Project is vulnerable to: GHSA-hh26-6xwr-ggv7","Warn: Project is vulnerable to: GHSA-4gc7-5j7h-4qph","Warn: Project is vulnerable to: GHSA-4wp7-92pw-q264","Warn: Project is vulnerable to: GHSA-g5mm-vmx4-3rg7","Warn: Project is vulnerable to: GHSA-558x-2xjg-6232","Warn: Project is vulnerable to: GHSA-564r-hj7v-mcr5","Warn: Project is vulnerable to: GHSA-9cmq-m9j5-mvww","Warn: Project is vulnerable to: GHSA-wxqc-pxw9-g2p8","Warn: Project is vulnerable to: GHSA-2rmj-mq67-h97g","Warn: Project is vulnerable to: GHSA-2wrp-6fg6-hmc5","Warn: Project is vulnerable to: GHSA-4wrc-f8pq-fpqp","Warn: Project is vulnerable to: GHSA-ccgv-vj62-xf9h","Warn: Project is vulnerable to: GHSA-hgjh-9rj2-g67j","Warn: Project is vulnerable to: GHSA-cx7f-g6mp-7hqm","Warn: Project is vulnerable to: GHSA-g5vr-rgqm-vf78","Warn: Project is vulnerable to: GHSA-w3c8-7r8f-9jp8"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-20T16:29:58.035Z","repository_id":23184348,"created_at":"2025-08-20T16:29:58.035Z","updated_at":"2025-08-20T16:29:58.035Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28408711,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-14T01:52:23.358Z","status":"online","status_checked_at":"2026-01-14T02:00:06.678Z","response_time":107,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["canvas-lms","java","lti"],"created_at":"2026-01-14T02:28:21.861Z","updated_at":"2026-01-14T02:28:22.392Z","avatar_url":"https://github.com/kstateome.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"# LTI Launch\n\nLTI Launch is a project designed to assist in the development of Java based LTI applications that work with the Canvas LMS. It provides functionality to authenticate the OAuth signature of an LTI launch request and handle the OAuth 2 user token exchange if needed for communicating with the Canvas API. After the launch request is verified, the user is forwarded to an initial view specified by the implementing application.\n\n### Technologies Used\n\n- Java 11\n- Maven (Compatible with 3.5.2, requires 3.1+)\n- Spring MVC 4.1.6\n- Spring Security OAuth\n- Google GSON\n- Apache HTTP Client\n\n### Set Up\n\nThe LTI Launch project provides a number of interfaces that must be implemented in order for it to function in any given project, as well as a few beans that must be candidates for Spring Autowiring in the LTI application that wishes to use it. As an example you can look at [a trivial LTI application](https://github.com/kstateome/lti-launch-example-webapp) which has the minimal setup for an LTI application launch. For a more complicated application you can also look at our [attendance taking LTI application](https://github.com/kstateome/lti-attendance)\n\nAfter adding this project as a Maven dependency, you will need to implement each of the required Interfaces, which can be found in the `edu.ksu.lti.launch.service` package:\n\n- ConfigService\n  - This is a simple key/value lookup service for retrieving configuration items that the applicatin needs. It must provide values for the following keys:\n    - `canvas_url` - The first valid base canvas URL this instance can talk to (e.g. https://k-state.instructure.com)\n    - `canvas_url_2` - The second base canvas URL this instance can talk to. For example if you have a vanity URL like https://canvas.k-state.edu. It can be blank if there is no second canvas URL.\n    - `oauth_client_id` - The OAuth Client ID for the application\n    - `oauth_client_secret` - The OAuth Client Secret for this application\n- LtiLaunchKeyService\n  - A service that is able to take an application launch key and return the associated shared secret.\n- OauthTokenService\n  - A service that can handle the persisting and retrieving of user OAuth refresh tokens\n\nThe implementations of these interfaces need to be set up as Spring beans so that they can be autowired into your application. In addition, there also needs to be a `canvasDomain` bean which is simply a string defining the primary Canvas domain to be used for API calls and OAuth purposes. Usually this will be the same as `canvas_url` above.\n\n### Usage\n\nNow that the application is configured, create a Spring controller which extends `LtiLaunchController`. This is an abstract class that provides a method which handles the initial LTI launch request, sets up some user information in a new session and then forwards the user to an initial page which you define by implementing the `getInitialViewPath()` method. The initial launch method in `LtiLaunchController` is mapped to the URL `/launch` within the application context.\n\nThe launch process sets up an `LtiSession` object in the HTTP session. The service class `LtiSessionService` can be autowired into your controller classes and used to get the LTI session. The LTI session holds all of the LTI launch data that comes in the launch POST request. This includes information about the user who launched the application and the context from which it was launched. If your application needs to interact with the Canvas API, the session can also hold an `OauthToken` object that can be used for authentication when making calls to the Canvas API.\n\n### Getting an OAuth token for calls to the Canvas API\n\nAs mentioned above, in order to make calls to the Canvas API, your application must request an OAuth token from the user. The process is documented in the Canvas API documentation [here](https://canvas.instructure.com/doc/api/file.oauth.html). Within this code, applications that need to talk to the Canvas API should call the `LtiLaunch.ensureApiTokenPresent()` method at some point while they are preparing to display the initial page of the application to the user. This will attempt to retrieve an OAuth token for the user from your `OauthTokenService` implementation. If this fails it will throw an `OauthTokenRequiredException`. If the token exists but is found to be invalid due to token expiration or the user having revoked the token manually, an `InvalidOauthTokenException` will be thrown. Your application needs to catch both of these exceptions and if they are thrown, redirect the user's browser to the relative URL `/beginOauth`. This will cause the `OauthController` class to take over. It will direct the user through the OAuth 2 flow to request an access token from the user. When a token is granted by the user it will be stored to your `OauthTokenService` implementation and then be available for use in API calls.\n\nSee also [Canvas API Library](https://github.com/kstateome/canvas-api) project for more details on how to interact with the Canvas API from within your applications.\n\n### License\n\nThis software is licensed under the LGPL v3 license. Please see the [License.txt file](License.txt) in this repository for license details.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkstateome%2Flti-launch","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkstateome%2Flti-launch","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkstateome%2Flti-launch/lists"}