Authentication and Authorization
Drop Project requires authentication for every operation, relying on Spring Security. Out of the box, it provides a simple in-memory authentication scheme (the default), an oauth2 scheme (activated through the spring profile "oauth2") and a Moodle(*) scheme using the LTI 1.3 protocol (activated through the spring profile "lti").
(*) In theory, any LTI 1.3 provider can be used to authenticate users of Drop Project. However, only Moodle was tested.
The in-memory scheme comes by default with 3 configured users (one for each role).
You can easily change/add users by providing a users.csv, accessible through the classpath. That file must follow this format:
username;password;roles
student1;123;STUDENT
teacher1;123;TEACHER
admin;123;TEACHER,DROP_PROJECT_ADMIN
The oauth2 scheme allows you to redirect your users (students, teachers) to an external authentication provider that is compliant with oauth2, such as github, facebook or twitter. To activate this scheme, just launch the server with -Dspring.profiles.active=oauth2, but first you have to set up some properties in drop-project-oauth2.properties. Here's an example for github:
spring.security.oauth2.client.registration.github.client-id=xxx
spring.security.oauth2.client.registration.github.client-secret=xxxxx
These properties are documented in the official documentation page for Spring Security Oauth2 (see https://docs.spring.io/spring-security-oauth2-boot/docs/current/reference/htmlsingle/#common-application-properties)
To get the client id and client secret you must register an oauth application in github:
- Go to https://github.com/settings/developers > New OAuth App
- Enter the following information
- Application name: Drop Project
- Homepage URL: http://localhost:8080 (replace with the server where you installed)
- Authorization callback URL: http://localhost:8080/login/oauth2/code/github (replace with the server where you installed)
- Github will then generate a client id and a client secret
Since oauth2 doesn't provide information about the roles of each user, you can provide a classpath accessible oauth-roles.csv with the following format:
login;role
user1;ROLE_TEACHER
user2;ROLE_DROP_PROJECT_ADMIN,ROLE_TEACHER
Here "login" is the name of the attribute associated with the user through the provider's user info endpoint.
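Both CSV files above are easy to get subtly wrong (a misspelled role silently grants nothing, a duplicated username shadows another entry). The following checker, an added example that is not part of Drop Project, validates a users.csv and an oauth-roles.csv against the formats and the three roles described on this page; the sample file contents are constructed for the example.

```python
import csv
import io

# The three roles this page names; oauth-roles.csv writes them with a ROLE_ prefix.
KNOWN_ROLES = {"STUDENT", "TEACHER", "DROP_PROJECT_ADMIN"}


def _check(text, header, role_prefix):
    """Parse a ';'-separated file and return a list of findings (empty = clean)."""
    rows = list(csv.reader(io.StringIO(text), delimiter=";"))
    if not rows or rows[0] != header:
        return [f"line 1: expected header {';'.join(header)}"]
    findings, seen = [], set()
    for lineno, row in enumerate(rows[1:], start=2):
        if not row:
            continue  # tolerate blank lines
        if len(row) != len(header):
            findings.append(f"line {lineno}: expected {len(header)} fields, got {len(row)}")
            continue
        name, roles = row[0], row[-1]
        if name in seen:
            findings.append(f"line {lineno}: duplicate entry for {name!r}")
        seen.add(name)
        if len(header) == 3 and not row[1]:
            findings.append(f"line {lineno}: empty password for {name!r}")
        for role in roles.split(","):
            if not role.startswith(role_prefix) or role[len(role_prefix):] not in KNOWN_ROLES:
                findings.append(f"line {lineno}: unknown role {role!r}")
    return findings


def check_users_csv(text):
    """Validate a users.csv (username;password;roles, roles without prefix)."""
    return _check(text, ["username", "password", "roles"], "")


def check_oauth_roles_csv(text):
    """Validate an oauth-roles.csv (login;role, roles carry the ROLE_ prefix)."""
    return _check(text, ["login", "role"], "ROLE_")


# Constructed sample files (not from the project); the *_BAD ones contain defects.
USERS_OK = "username;password;roles\nstudent1;123;STUDENT\nteacher1;123;TEACHER\n"
USERS_BAD = "username;password;roles\nstudent1;123;STUDENT\nstudent1;;STUDNT\n"
OAUTH_OK = "login;role\nuser1;ROLE_TEACHER\nuser2;ROLE_DROP_PROJECT_ADMIN,ROLE_TEACHER\n"
OAUTH_BAD = "login;role\nuser1;TEACHER\n"

if __name__ == "__main__":
    for label, text, fn in [("users.csv", USERS_BAD, check_users_csv),
                            ("oauth-roles.csv", OAUTH_BAD, check_oauth_roles_csv)]:
        print(label, fn(text) or "clean")
```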
The LTI scheme allows you to configure Drop Project as an external tool of Moodle. After this configuration (which I'll explain in a bit), you can add an activity of type Drop Project, the same way you would add an Assignment, a Quiz or a Lesson. You just have to configure one thing: the assignmentId within Drop Project. Students that click on that activity will be redirected to that assignment in Drop Project, already authenticated with the same userid they are using in Moodle.
For the sake of this explanation, let's suppose you are running your Drop Project instance at https://my-drop-project.com. You can easily deploy a Drop Project instance in one of your servers or the cloud, using a pre-built docker image, available at https://hub.docker.com/repository/docker/pedroalv3s/drop-project.
First, make sure you have permissions to create a new external tool and go to Manage Tools (available at http://<YOUR_MOODLE_URL>/mod/lti/toolconfigure.php). Choose the option to configure a tool manually and enter the following information:
The tool should now appear in the list of tools. Click the "View Configuration Details":
Take notice of the properties that are shown, they will be needed for the next step.
The Drop Project instance that is running at https://my-drop-project.com must be prepared to receive requests from this particular Moodle.
First, the 'lti' spring profile must be activated, either by directly launching the server with -Dspring.profiles.active=lti or by changing the SPRING_PROFILES_ACTIVE property in docker-compose.yml.
After that, you have to fill in some properties in drop-project-lti.properties, based on the properties that were shown in the previous step (when you clicked on "View Configuration Details"). Here's an example for a Moodle running on localhost:
lti.clientId=bJx8TAgmoR32Ttn
lti.platform=http://localhost:8888
lti.keySetUrl=http://localhost:8888/mod/lti/certs.php
lti.accessTokenUrl=http://localhost:8888/mod/lti/token.php
lti.oidcAuthUrl=http://localhost:8888/mod/lti/auth.php
lti.deploymentId=1
Drop Project comes with a pre-created private/public key pair (also included in drop-project-lti.properties). Because these default keys are shipped with every installation, they should not be trusted in production: generate a new pair and update these properties.
Configuration is done. You can now go back to Moodle and add an external tool of type Drop Project pointing to a specific assignment, like this:
These are the easiest ways of configuring authentication, but since Drop Project uses Spring Security, it is easy to provide another authentication scheme, such as a database- or LDAP-backed one.
There are only 3 roles in Drop Project: STUDENT, TEACHER and DROP_PROJECT_ADMIN. Generally speaking, users with the TEACHER role can create and manage assignments, users with the STUDENT role can make submissions to assignments and users with the DROP_PROJECT_ADMIN role can perform general administration operations such as file cleanup.
Notice that teachers can define a whitelist of students for each assignment, as well as a whitelist of teachers that can also manage that assignment.