atomic_lti 1.3.0 → 1.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a219867c2a1f19737d0222b0896e30a28144310a6032f1f6419443af37006304
-  data.tar.gz: ee72503b3f1066f5e3a5ea710da6d818eb2680d79d60e805c828b8f34ef95917
+  metadata.gz: eb887dd7dab6b360c7e0b351cd2d827f89407f68e677c5483275e3f429883ca1
+  data.tar.gz: feca333f5114334a966a00c79cb1be14a8992fe35ed87c8c82f2325c53cfcc91
 SHA512:
-  metadata.gz: 49fd684fa99b65a02402d968b2c53741af0ca19594f0a9ab083cc6d9e3e3a2780caeba0f4de3b31db200dcb8fa745d9b1771b0eae1ef7c025ad68baff5e49fb6
-  data.tar.gz: 8670e8c13dec604b3af371ad7bff7fb7102be8aac32e32ae0e3ebca80718546e1cab5dfb559f18455bddcd2535032310e6be6b12ad568e9d74b4dc1c29ba25c6
+  metadata.gz: cc620a997aeacea2edad4a45cd0c4fffc1480403953d622db3a996997c9d90011a5ef8ca967b519e2a018a757a636f5dc654781f940cfe16d83e9d825cd976e8
+  data.tar.gz: d1c174d1462537c3985a5d1c2141781b625f6ce75d2b7a55d4c5bf9122df5641ae7bbbacf90349ad3dcc11421e36b92da396cf4a748994d5f6ee3a3df4e3f553

data/README.md

@@ -15,7 +15,7 @@ $ bundle
 
 Or install it yourself as:
 ```bash
-$ gem install atomic_tenant
+$ gem install atomic_lti
 ```
 
 Then install the migrations:
@@ -38,5 +38,18 @@ with the following contents. Adjust paths as needed.
   AtomicLti.scopes = AtomicLti::Definitions.scopes.join(" ")
   ```
 
+Add the middleware configuration to application.rb (assuming AtomicTenant is in use)
+  ```
+  config.middleware.insert_before AtomicTenant::CurrentApplicationInstanceMiddleware, AtomicLti::OpenIdMiddleware
+  config.middleware.insert_before AtomicLti::OpenIdMiddleware, OidcCompatabilityMiddleware
+  config.middleware.insert_before AtomicLti::OpenIdMiddleware, AtomicLti::ErrorHandlingMiddleware
+  ```
+
+## Building javascript
+Run esbuild:
+  ```
+  yarn build
+  ```
+
 ## License
 The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

data/app/assets/stylesheets/atomic_lti/launch.css

@@ -0,0 +1,95 @@
+.aj-centered-message {
+  max-width: 600px;
+  margin: 48px auto 0;
+  border: 1px solid #ccc;
+  padding: 24px 32px;
+  border-radius: 10px;
+}
+
+.aj-icon {
+  width: 24px;
+  color: #333;
+}
+
+.aj-title {
+  font-family: 'Lato', 'Helvetica Nue', Helvetica, Arial sans-serif;
+  font-weight: 400;
+  font-size: 20px;
+  line-height: 1;
+  gap: 12px;
+  color: #333;
+  display: flex;
+  align-items: center;
+  -webkit-font-smoothing: antialiased;
+  -moz-osx-font-smoothing: grayscale;
+  text-shadow: 1px 1px 1px rgba(0, 0, 0, 0.004);
+}
+
+.u-flex {
+  display: flex;
+  gap: 12px;
+  margin-top: 12px;
+}
+
+.u-flex > * {
+  margin: 0;
+}
+
+.aj-text.aj-text--small {
+  font-weight: 400;
+  font-size: 13px;
+  margin-top: 20px;
+}
+
+.aj-text {
+  font-family: 'Lato', 'Helvetica Nue', Helvetica, Arial sans-serif;
+  font-weight: 400;
+  font-size: 16px;
+  line-height: 1.4;
+  color: #333;
+  max-width: 600px;
+  -webkit-font-smoothing: antialiased;
+  -moz-osx-font-smoothing: grayscale;
+  text-shadow: 1px 1px 1px rgba(0, 0, 0, 0.004);
+}
+
+.aj-btn.aj-btn--blue:hover:enabled, a.aj-btn.aj-btn--blue:hover:enabled {
+    box-shadow: 0 3px 4px rgba(0, 50, 150, 0.3);
+    background-color: #2D7DAE;
+}
+
+.aj-btn:hover:enabled, a.aj-btn:hover:enabled {
+    cursor: pointer;
+    background-color: #efefef;
+}
+
+.aj-btn.aj-btn--blue:disabled {
+    opacity: 0.5;
+}
+
+.aj-btn.aj-btn--blue, a.aj-btn.aj-btn--blue {
+    font-family: "Lato", "Helvetica Nue", Helvetica, Arial sans-serif;
+    font-weight: 700;
+    background-color: #2D7DAE;
+    border: none;
+    font-size: 16px;
+    line-height: 27px;
+    text-align: left;
+    color: #ffffff;
+    border-radius: none;
+    border: 2px solid #2D7DAE;
+}
+
+.aj-btn, a.aj-btn {
+    height: 40px;
+    display: inline-flex;
+    align-items: center;
+    gap: 12px;
+    justify-content: center;
+    border-radius: 5px;
+    white-space: nowrap;
+    position: relative;
+    isolation: isolate;
+    padding: 0 12px;
+    text-decoration: none;
+}

data/app/javascript/atomic_lti/init_app.js

@@ -0,0 +1,3 @@
+import { InitOIDCLaunch } from '@atomicjolt/lti-client/lti/init';
+
+InitOIDCLaunch(window.SETTINGS);

data/app/lib/atomic_lti/authorization.rb

@@ -5,10 +5,10 @@ module AtomicLti
 
     AUTHORIZATION_TRIES = 3
     # Validates a token provided by an LTI consumer
-    def self.validate_token(token)
+    def self.validate_token(id_token)
       # Get the iss value from the original request during the oidc call.
       # Use that value to figure out which jwk we should use.
-      decoded_token = JWT.decode(token, nil, false)
+      decoded_token = JWT.decode(id_token, nil, false)
 
       iss = decoded_token.dig(0, "iss")
 
@@ -16,7 +16,7 @@ module AtomicLti
 
       platform = Platform.find_by(iss: iss)
 
-      raise AtomicLti::Exceptions::NoLTIPlatform(iss: iss, deployment_id: decoded_token.dig(0, "deployment_id")) if platform.nil?
+      raise AtomicLti::Exceptions::NoLTIPlatform.new(iss: iss, deployment_id: decoded_token.dig(0, "deployment_id")) if platform.nil?
 
       cache_key = "#{iss}_jwks"
 
@@ -31,8 +31,8 @@ module AtomicLti
         jwks
       end
 
-      lti_token, _keys = JWT.decode(token, nil, true, { algorithms: ["RS256"], jwks: jwk_loader })
-      lti_token
+      id_token_decoded, _keys = JWT.decode(id_token, nil, true, { algorithms: ["RS256"], jwks: jwk_loader })
+      id_token_decoded
     end
 
     def self.sign_tool_jwt(payload)
@@ -73,19 +73,26 @@ module AtomicLti
       sign_tool_jwt(payload)
     end
 
-    def self.request_token(iss:, deployment_id:)
+    def self.request_token(iss:, deployment_id:, scopes: nil)
       deployment = AtomicLti::Deployment.find_by(iss: iss, deployment_id: deployment_id)
 
       raise AtomicLti::Exceptions::NoLTIDeployment.new(iss: iss, deployment_id: deployment_id) if deployment.nil?
 
-      cache_key = "#{deployment.cache_key_with_version}/services_authorization"
+      scopestr = if scopes
+                   scopes.sort.join(" ")
+                 else
+                   AtomicLti.scopes
+                 end
+
+      # Token is cached based on deployment id and requested scopes
+      cache_key = "#{deployment.cache_key}/#{Digest::SHA1.hexdigest(scopestr)}/services_authorization"
       tries = 1
 
       begin
         authorization = Rails.cache.read(cache_key)
         return authorization if authorization.present?
 
-        authorization = request_token_uncached(iss: iss, deployment_id: deployment_id)
+        authorization = request_token_uncached(iss: iss, deployment_id: deployment_id, scopes: scopestr)
 
         # Subtract a few seconds so we don't use an expired token
         expires_in = authorization["expires_in"].to_i - 10
@@ -109,13 +116,13 @@ module AtomicLti
       authorization
     end
 
-    def self.request_token_uncached(iss:, deployment_id:)
+    def self.request_token_uncached(iss:, deployment_id:, scopes:)
       # Details here:
       # https://www.imsglobal.org/spec/security/v1p0/#using-json-web-tokens-with-oauth-2-0-client-credentials-grant
       body = {
         grant_type: "client_credentials",
         client_assertion_type: "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
-        scope: AtomicLti.scopes,
+        scope: scopes,
         client_assertion: client_assertion(iss: iss, deployment_id: deployment_id),
       }
       headers = {

data/app/lib/atomic_lti/definitions.rb

@@ -67,13 +67,13 @@ module AtomicLti
       ]
     end
 
-    CANVAS_PUBLIC_LTI_KEYS_URL = "https://canvas.instructure.com/api/lti/security/jwks".freeze
-    CANVAS_OIDC_URL = "https://canvas.instructure.com/api/lti/authorize_redirect".freeze
-    CANVAS_AUTH_TOKEN_URL = "https://canvas.instructure.com/login/oauth2/token".freeze
+    CANVAS_PUBLIC_LTI_KEYS_URL = "https://sso.canvaslms.com/api/lti/security/jwks".freeze
+    CANVAS_OIDC_URL = "https://sso.canvaslms.com/api/lti/authorize_redirect".freeze
+    CANVAS_AUTH_TOKEN_URL = "https://sso.canvaslms.com/login/oauth2/token".freeze
 
-    CANVAS_BETA_PUBLIC_LTI_KEYS_URL = "https://canvas.beta.instructure.com/api/lti/security/jwks".freeze
-    CANVAS_BETA_AUTH_TOKEN_URL = "https://canvas.beta.instructure.com/login/oauth2/token".freeze
-    CANVAS_BETA_OIDC_URL = "https://canvas.beta.instructure.com/api/lti/authorize_redirect".freeze
+    CANVAS_BETA_PUBLIC_LTI_KEYS_URL = "https://sso.beta.canvaslms.com/api/lti/security/jwks".freeze
+    CANVAS_BETA_OIDC_URL = "https://sso.beta.canvaslms.com/api/lti/authorize_redirect".freeze
+    CANVAS_BETA_AUTH_TOKEN_URL = "https://sso.beta.canvaslms.com/login/oauth2/token".freeze
 
     CANVAS_SUBMISSION_TYPE = "https://canvas.instructure.com/lti/submission_type".freeze
 
@@ -115,6 +115,38 @@ module AtomicLti
     MEMBER_CONTEXT_ROLE = "http://purl.imsglobal.org/vocab/lis/v2/membership#Member".freeze
     OFFICER_CONTEXT_ROLE = "http://purl.imsglobal.org/vocab/lis/v2/membership#Officer".freeze
 
+    ROLES = [
+      ADMINISTRATOR_SYSTEM_ROLE,
+      NONE_SYSTEM_ROLE,
+      ACCOUNT_ADMIN_SYSTEM_ROLE,
+      CREATOR_SYSTEM_ROLE,
+      SYS_ADMIN_SYSTEM_ROLE,
+      SYS_SUPPORT_SYSTEM_ROLE,
+      USER_SYSTEM_ROLE,
+      ADMINISTRATOR_INSTITUTION_ROLE,
+      FACULTY_INSTITUTION_ROLE,
+      GUEST_INSTITUTION_ROLE,
+      NONE_INSTITUTION_ROLE,
+      OTHER_INSTITUTION_ROLE,
+      STAFF_INSTITUTION_ROLE,
+      STUDENT_INSTITUTION_ROLE,
+      ALUMNI_INSTITUTION_ROLE,
+      INSTRUCTOR_INSTITUTION_ROLE,
+      LEARNER_INSTITUTION_ROLE,
+      MEMBER_INSTITUTION_ROLE,
+      MENTOR_INSTITUTION_ROLE,
+      OBSERVER_INSTITUTION_ROLE,
+      PROSPECTIVE_STUDENT_INSTITUTION_ROLE,
+      ADMINISTRATOR_CONTEXT_ROLE,
+      CONTENT_DEVELOPER_CONTEXT_ROLE,
+      INSTRUCTOR_CONTEXT_ROLE,
+      LEARNER_CONTEXT_ROLE,
+      MENTOR_CONTEXT_ROLE,
+      MANAGER_CONTEXT_ROLE,
+      MEMBER_CONTEXT_ROLE,
+      OFFICER_CONTEXT_ROLE,
+    ].freeze
+
     ADMINISTRATOR_ROLES = [
       ADMINISTRATOR_SYSTEM_ROLE,
       ACCOUNT_ADMIN_SYSTEM_ROLE,

data/app/lib/atomic_lti/exceptions.rb

@@ -1,7 +1,7 @@
 module AtomicLti
   module Exceptions
 
-    # General exceptions
+    # LTI data related exceptions
     class AtomicLtiException < StandardError
     end
 
@@ -20,15 +20,9 @@ module AtomicLti
     class StateError < AtomicLtiException
     end
 
-    class OpenIDStateError < AtomicLtiException
-    end
-
     class OpenIDRedirectError < AtomicLtiException
     end
 
-    class JwtIssueError < AtomicLtiException
-    end
-
     class LineItemMissing < LineItemError
     end
 
@@ -50,18 +44,28 @@ module AtomicLti
       end
     end
 
-    class NoLTIToken < AtomicLtiException
-      def initialize(msg = "No LTI token provided")
+    # Authorization errors
+    class AtomicLtiAuthException < StandardError
+    end
+
+    class InvalidLTIToken < AtomicLtiAuthException
+      def initialize(msg = "Invalid LTI token provided")
         super(msg)
       end
     end
 
-    class InvalidLTIToken < AtomicLtiException
-      def initialize(msg = "Invalid LTI token provided")
+    class JwtIssueError < AtomicLtiAuthException
+    end
+
+    class NoLTIToken < AtomicLtiAuthException
+      def initialize(msg = "No LTI token provided")
         super(msg)
       end
     end
 
+    class OpenIDStateError < AtomicLtiAuthException
+    end
+
     # Not found exceptions
     class AtomicLtiNotFoundException < StandardError
     end

data/app/lib/atomic_lti/lti.rb

@@ -12,7 +12,7 @@ module AtomicLti
         errors.push("LTI token is missing required field iss")
       end
 
-      if decoded_token["sub"].blank?
+      if decoded_token["sub"].blank? && !AtomicLti.allow_anonymous_user
         errors.push("LTI token is missing required field sub")
       end
 
@@ -51,6 +51,14 @@ module AtomicLti
         )
       end
 
+      roles = decoded_token[AtomicLti::Definitions::ROLES_CLAIM]
+      if AtomicLti.role_enforcement_mode == AtomicLti::RoleEnforcementMode::STRICT && roles.is_a?(Array) && !roles.empty?
+        invalid_roles = roles - AtomicLti::Definitions::ROLES
+        if invalid_roles.length == roles.length
+          errors.push("LTI token has invalid roles: #{invalid_roles.join(", ")}")
+        end
+      end
+
       if errors.length > 0
         raise AtomicLti::Exceptions::InvalidLTIToken.new(errors.join(" "))
       end
@@ -69,7 +77,7 @@ module AtomicLti
 
       if decoded_token[AtomicLti::Definitions::TARGET_LINK_URI_CLAIM].blank?
         errors.push(
-          "LTI token is missing required claim #{AtomicLti::Definitions::TARGET_LINK_URI_CLAIM}"
+          "LTI token is missing required claim #{AtomicLti::Definitions::TARGET_LINK_URI_CLAIM}",
         )
       end
 
@@ -77,19 +85,19 @@ module AtomicLti
       target_link_uri = decoded_token[AtomicLti::Definitions::TARGET_LINK_URI_CLAIM]
       if validate_target_link_url && target_link_uri != requested_target_link_uri
         errors.push(
-          "LTI token target link uri '#{target_link_uri}' doesn't match url '#{requested_target_link_uri}'"
+          "LTI token target link uri '#{target_link_uri}' doesn't match url '#{requested_target_link_uri}'",
         )
       end
 
       if decoded_token[AtomicLti::Definitions::RESOURCE_LINK_CLAIM].blank?
         errors.push(
-          "LTI token is missing required claim #{AtomicLti::Definitions::RESOURCE_LINK_CLAIM}"
+          "LTI token is missing required claim #{AtomicLti::Definitions::RESOURCE_LINK_CLAIM}",
         )
       end
 
       if decoded_token.dig(AtomicLti::Definitions::RESOURCE_LINK_CLAIM, "id").blank?
         errors.push(
-          "LTI token is missing required field id from the claim #{AtomicLti::Definitions::RESOURCE_LINK_CLAIM}"
+          "LTI token is missing required field id from the claim #{AtomicLti::Definitions::RESOURCE_LINK_CLAIM}",
         )
       end
 

data/app/lib/atomic_lti/open_id.rb

@@ -1,22 +1,34 @@
 module AtomicLti
   class OpenId
-    def self.validate_open_id_state(state)
-      state = AtomicLti::AuthToken.decode(state)[0]
-      if open_id_state = AtomicLti::OpenIdState.find_by(nonce: state["nonce"])
-        open_id_state.destroy
-        true
-      else
-        false
+    def self.validate_state(nonce, state)
+      if state.blank?
+        return false
       end
-    rescue StandardError => e
-      Rails.logger.info("Error decoding token: #{e} - #{e.backtrace}")
-      false
+
+      open_id_state = AtomicLti::OpenIdState.find_by(state: state)
+      if !open_id_state
+        return false
+      end
+
+      open_id_state.destroy
+
+      # Check that the state hasn't expired
+      if open_id_state.created_at < 10.minutes.ago
+        return false
+      end
+
+      if nonce != open_id_state.nonce
+        return false
+      end
+
+      true
     end
 
-    def self.state
+    def self.generate_state
       nonce = SecureRandom.hex(64)
-      AtomicLti::OpenIdState.create!(nonce: nonce)
-      AtomicLti::AuthToken.issue_token({ nonce: nonce })
+      state = SecureRandom.hex(32)
+      AtomicLti::OpenIdState.create!(nonce: nonce, state: state)
+      [nonce, state]
     end
   end
 end

data/app/lib/atomic_lti/params.rb

@@ -3,8 +3,8 @@ module AtomicLti
   class Params
     attr_reader :token
 
-    def initialize(lti_token)
-      @token = lti_token.with_indifferent_access
+    def initialize(id_token_decoded)
+      @token = id_token_decoded.with_indifferent_access
     end
 
     def lti_advantage?

data/app/lib/atomic_lti/role_enforcement_mode.rb

@@ -0,0 +1,8 @@
+module AtomicLti
+  module RoleEnforcementMode
+    # Unkown roles are allowed to be the only role in the roles claim
+    DEFAULT = "DEFAULT".freeze
+    # Unkown roles are not allowed to be the only roles in the roles claim
+    STRICT = "STRICT".freeze
+  end
+end

data/app/lib/atomic_lti/services/base.rb

@@ -2,23 +2,24 @@ module AtomicLti
   module Services
     class Base
 
-      def initialize(lti_token: nil, iss: nil, deployment_id: nil)
-
+      def initialize(id_token_decoded: nil, iss: nil, deployment_id: nil)
         token_iss = nil
         token_deployment_id = nil
 
-        if lti_token.present?
-          token_iss = lti_token.dig('iss')
-          token_deployment_id = lti_token.dig(AtomicLti::Definitions::DEPLOYMENT_ID)
+        if id_token_decoded.present?
+          token_iss = id_token_decoded["iss"]
+          token_deployment_id = id_token_decoded[AtomicLti::Definitions::DEPLOYMENT_ID]
         end
 
-        @lti_token = lti_token
+        @id_token_decoded = id_token_decoded
         @iss = iss || token_iss
         @deployment_id = deployment_id || token_deployment_id
       end
 
+      def scopes; end
+
       def headers(options = {})
-        @token ||= AtomicLti::Authorization.request_token(iss: @iss, deployment_id: @deployment_id)
+        @token ||= AtomicLti::Authorization.request_token(iss: @iss, deployment_id: @deployment_id, scopes: scopes)
         {
           "Authorization" => "Bearer #{@token['access_token']}",
         }.merge(options)

data/app/lib/atomic_lti/services/line_items.rb

@@ -3,12 +3,17 @@ module AtomicLti
     # Canvas API docs https://canvas.instructure.com/doc/api/line_items.html
     class LineItems < AtomicLti::Services::Base
 
-      def endpoint(lti_token)
-        url = lti_token.dig(AtomicLti::Definitions::AGS_CLAIM, "lineitems")
+      def endpoint(id_token_decoded)
+        url = id_token_decoded.dig(AtomicLti::Definitions::AGS_CLAIM, "lineitems")
         raise AtomicLti::Exceptions::LineItemError, "Unable to access line items" unless url.present?
+
         url
       end
 
+      def scopes
+        @id_token_decoded&.dig(AtomicLti::Definitions::AGS_CLAIM, "scope")
+      end
+
       # Helper method to generate a default set of attributes
       def self.generate(
         label:,
@@ -27,8 +32,8 @@ module AtomicLti
           tag: tag,
           startDateTime: start_date_time,
           endDateTime: end_date_time,
+          resourceLinkId: resource_link_id,
         }.compact
-        attrs["resourceLinkId"] = resource_link_id if resource_link_id
         if external_tool_url
           attrs[AtomicLti::Definitions::CANVAS_SUBMISSION_TYPE] = {
             type: "external_tool",
@@ -42,14 +47,14 @@ module AtomicLti
         self.class.generate(**attrs)
       end
 
-      def self.can_manage_line_items?(lti_token)
-        lti_token.dig(AtomicLti::Definitions::AGS_CLAIM, "scope")&.
+      def self.can_manage_line_items?(id_token_decoded)
+        id_token_decoded.dig(AtomicLti::Definitions::AGS_CLAIM, "scope")&.
           include?(AtomicLti::Definitions::AGS_SCOPE_LINE_ITEM)
       end
 
-      def self.can_query_line_items?(lti_token)
-        can_manage_line_items?(lti_token) ||
-          lti_token.dig(AtomicLti::Definitions::AGS_CLAIM, "scope").
+      def self.can_query_line_items?(id_token_decoded)
+        can_manage_line_items?(id_token_decoded) ||
+          id_token_decoded.dig(AtomicLti::Definitions::AGS_CLAIM, "scope").
             include?(AtomicLti::Definitions::AGS_SCOPE_LINE_ITEM_READONLY)
       end
 
@@ -57,7 +62,7 @@ module AtomicLti
       # Canvas: https://canvas.beta.instructure.com/doc/api/line_items.html#method.lti/ims/line_items.index
       def list(query = {})
         accept = { "Accept" => "application/vnd.ims.lis.v2.lineitemcontainer+json" }
-        HTTParty.get(endpoint(@lti_token), headers: headers(accept), query: query)
+        HTTParty.get(endpoint(@id_token_decoded), headers: headers(accept), query: query)
       end
 
       # Get a specific line item
@@ -72,7 +77,7 @@ module AtomicLti
       # Canvas: https://canvas.beta.instructure.com/doc/api/line_items.html#method.lti/ims/line_items.create
       def create(attrs = nil)
         content_type = { "Content-Type" => "application/vnd.ims.lis.v2.lineitem+json" }
-        HTTParty.post(endpoint(@lti_token), body: JSON.dump(attrs), headers: headers(content_type))
+        HTTParty.post(endpoint(@id_token_decoded), body: JSON.dump(attrs), headers: headers(content_type))
       end
 
       # Update a line item

data/app/lib/atomic_lti/services/names_and_roles.rb

@@ -2,12 +2,16 @@ module AtomicLti
   module Services
     class NamesAndRoles < AtomicLti::Services::Base
 
-      def initialize(lti_token:)
-        super(lti_token: lti_token)
+      def initialize(id_token_decoded:)
+        super(id_token_decoded: id_token_decoded)
+      end
+
+      def scopes
+        [AtomicLti::Definitions::NAMES_AND_ROLES_SCOPE]
       end
 
       def endpoint
-        url = @lti_token.dig(AtomicLti::Definitions::NAMES_AND_ROLES_CLAIM, "context_memberships_url")
+        url = @id_token_decoded.dig(AtomicLti::Definitions::NAMES_AND_ROLES_CLAIM, "context_memberships_url")
         raise AtomicLti::Exceptions::NamesAndRolesError, "Unable to access names and roles" unless url.present?
 
         url
@@ -19,15 +23,15 @@ module AtomicLti
         url
       end
 
-      def self.enabled?(lti_token)
-        return false unless lti_token&.dig(AtomicLti::Definitions::NAMES_AND_ROLES_CLAIM)
+      def self.enabled?(id_token_decoded)
+        return false unless id_token_decoded&.dig(AtomicLti::Definitions::NAMES_AND_ROLES_CLAIM)
 
         (AtomicLti::Definitions::NAMES_AND_ROLES_SERVICE_VERSIONS &
-          (lti_token.dig(AtomicLti::Definitions::NAMES_AND_ROLES_CLAIM, "service_versions") || [])).present?
+          (id_token_decoded.dig(AtomicLti::Definitions::NAMES_AND_ROLES_CLAIM, "service_versions") || [])).present?
       end
 
       def valid?
-        self.class.enabled?(@lti_token)
+        self.class.enabled?(@id_token_decoded)
       end
 
       # List names and roles

data/app/lib/atomic_lti/services/results.rb

@@ -3,6 +3,10 @@ module AtomicLti
     # Canvas API docs: https://canvas.instructure.com/doc/api/result.html
     class Results < AtomicLti::Services::Base
 
+      def scopes
+        [AtomicLti::Definitions::AGS_SCOPE_RESULT]
+      end
+
       def list(line_item_id)
         url = "#{line_item_id}/results"
         HTTParty.get(url, headers: headers)

data/app/lib/atomic_lti/services/score.rb

@@ -5,18 +5,22 @@ module AtomicLti
 
       attr_accessor :id
 
-      def initialize(lti_token: nil, iss:nil, deployment_id: nil, id: nil)
-        super(lti_token: lti_token, iss: iss, deployment_id: deployment_id)
+      def initialize(id_token_decoded: nil, iss: nil, deployment_id: nil, id: nil)
+        super(id_token_decoded: id_token_decoded, iss: iss, deployment_id: deployment_id)
         @id = id
       end
 
+      def scopes
+        [AtomicLti::Definitions::AGS_SCOPE_SCORE]
+      end
+
       def endpoint
         if id.blank?
           raise ::AtomicLti::Exceptions::ScoreError,
                 "Invalid id or no id provided. Unable to access scores. id should be in the form of a url."
         end
         uri = URI(id)
-        uri.path = uri.path+'/scores'
+        uri.path = "#{uri.path}/scores"
         uri
       end
 
@@ -52,7 +56,7 @@ module AtomicLti
           # values will require no action. Possible values are NotReady, Failed, Pending,
           # PendingManual, FullyGraded
           gradingProgress: grading_progress,
-        }
+        }.compact
       end
 
       def send(attrs)

data/app/models/atomic_lti/jwk.rb

@@ -1,6 +1,6 @@
 module AtomicLti
   class Jwk < ApplicationRecord
-    before_create :generate_keys
+    before_create :ensure_keys_exist
 
     def generate_keys
       pkey = OpenSSL::PKey::RSA.generate(2048)
@@ -37,5 +37,14 @@ module AtomicLti
     def self.current_jwk
       self.last
     end
+
+    private
+
+    def ensure_keys_exist
+      if kid.blank?
+        generate_keys
+      end
+    end
+
   end
 end

data/app/models/atomic_lti/open_id_state.rb

@@ -1,5 +1,6 @@
 module AtomicLti
   class OpenIdState < ApplicationRecord
     validates :nonce, presence: true, uniqueness: true
+    validates :state, presence: true, uniqueness: true
   end
 end

data/app/views/atomic_lti/shared/error.html.erb

@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html lang="en">
+  <head>
+    <%= stylesheet_link_tag    "atomic_lti/launch" %>
+    <link href="https://fonts.googleapis.com/icon?family=Material+Icons+Outlined" rel="stylesheet">
+  </head>
+  <body>
+    <div class="aj-main">
+      <div class="aj-error">
+        <h1 class="aj-title">
+          <i class="material-icons-outlined aj-icon" aria-hidden="true">error</i>
+          <%= @message %>
+        </h1>
+      </div>
+    </div>
+  </body>
+</html>

data/app/views/atomic_lti/shared/init.html.erb

@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<html lang="en">
+  <head>
+    <style>
+      .hidden { display: none !important; }
+    </style>
+    <link href="https://fonts.googleapis.com/icon?family=Material+Icons+Outlined" rel="stylesheet">
+    <%= stylesheet_link_tag "atomic_lti/launch" %>
+    <%= javascript_include_tag "atomic_lti/init_app" %>
+  </head>
+  <body>
+    <noscript>
+      <div class="u-flex">
+        <i class="material-icons-outlined aj-icon" aria-hidden="true">warning</i>
+        <p class="aj-text">
+          You must have javascript enabled to use this application.
+        </p>
+      </div>
+    </noscript>
+    <div id="main-content">
+    </div>
+    <script type="text/javascript">
+      InitOIDCLaunch(window.SETTINGS);
+    </script>
+  </body>
+</html>

data/app/views/atomic_lti/shared/redirect.html.erb

@@ -1,15 +1,28 @@
 <!DOCTYPE html>
 <html lang="en">
   <head>
-    <script type="text/javascript">
-      window.onload=function(){document.forms[0].submit();};
-    </script>
+    <link href="https://fonts.googleapis.com/icon?family=Material+Icons+Outlined" rel="stylesheet">
+    <%= stylesheet_link_tag "atomic_lti/launch" %>
   </head>
   <body>
-    <form action="<%= @launch_url -%>" method="POST">
-      <% @launch_params.each do |name, value| -%>
-        <%= hidden_field_tag(name, value) %>
-      <% end -%>
-    </form>
+      <noscript>
+        <div class="u-flex aj-centered-message">
+          <i class="material-icons-outlined aj-icon" aria-hidden="true">warning</i>
+          <p class="aj-text">
+            You must have javascript enabled to use this application.
+          </p>
+        </div>
+      </noscript>
+      <form action="<%= @launch_url -%>" method="POST">
+        <% @launch_params.each do |name, value| -%>
+          <%= hidden_field_tag(name, value) %>
+        <% end -%>
+      </form>
+    </div>
+    <script>
+      window.addEventListener("load", () => {
+        document.forms[0].submit();
+      });
+    </script>
   </body>
 </html>

data/db/migrate/20230726040941_add_state_to_open_id_state.rb

@@ -0,0 +1,6 @@
+class AddStateToOpenIdState < ActiveRecord::Migration[7.0]
+  def change
+    add_column :atomic_lti_open_id_states, :state, :string
+    add_index :atomic_lti_open_id_states, :state, unique: true
+  end
+end

data/db/seeds.rb

@@ -2,16 +2,16 @@
 AtomicLti::Jwk.find_or_create_by(domain: nil)
 
 # Add some platforms
-AtomicLti::Platform.create_with( 
-  jwks_url: "https://canvas.instructure.com/api/lti/security/jwks", 
-  token_url: "https://canvas.instructure.com/login/oauth2/token", 
-  oidc_url: "https://canvas.instructure.com/api/lti/authorize_redirect"
+AtomicLti::Platform.create_with(
+  jwks_url: AtomicLti::Definitions::CANVAS_PUBLIC_LTI_KEYS_URL,
+  token_url: AtomicLti::Definitions::CANVAS_AUTH_TOKEN_URL,
+  oidc_url: AtomicLti::Definitions::CANVAS_OIDC_URL,
 ).find_or_create_by(iss: "https://canvas.instructure.com")
 
 AtomicLti::Platform.create_with(
-  jwks_url: "https://canvas-beta.instructure.com/api/lti/security/jwks",
-  token_url: "https://canvas-beta.instructure.com/login/oauth2/token",
-  oidc_url: "https://canvas-beta.instructure.com/api/lti/authorize_redirect",
+  jwks_url: AtomicLti::Definitions::CANVAS_BETA_PUBLIC_LTI_KEYS_URL,
+  token_url: AtomicLti::Definitions::CANVAS_BETA_AUTH_TOKEN_URL,
+  oidc_url: AtomicLti::Definitions::CANVAS_BETA_OIDC_URL,
 ).find_or_create_by(iss: "https://canvas-beta.instructure.com")
 
 
@@ -26,4 +26,4 @@ AtomicTenant::PinnedPlatformGuid.create(iss: "https://canvas.instructure.com", p
 #  deployment_id: "21089:1f5e1ee417cb2b17f86a1232122452ab3f6188f7",
 #  application_instance_id: 5,
 #  created_at: Tue, 16 Aug 2022 16:05:20.848365000 UTC +00:00,
-#  updated_at: Tue, 16 Aug 2022 16:05:20.848365000 UTC +00:00>
+#  updated_at: Tue, 16 Aug 2022 16:05:20.848365000 UTC +00:00>

data/lib/atomic_lti/error_handling_middleware.rb

@@ -4,7 +4,7 @@ module AtomicLti
       @app = app
     end
 
-    def render_error(env, status, message)
+    def render_error(status, message)
       format = "text/plain"
       body = message
 
@@ -12,22 +12,30 @@ module AtomicLti
     end
 
     def render(status, body, format)
-      [status,
-      {
-        "Content-Type" => "#{format}; charset=\"UTF-8\"",
-        "Content-Length" => body.bytesize.to_s,
-      },
-      [body]]
+      [
+        status,
+        {
+          "Content-Type" => "#{format}; charset=\"UTF-8\"",
+          "Content-Length" => body.bytesize.to_s,
+        },
+        [body],
+      ]
     end
 
     def call(env)
       @app.call(env)
-
+    rescue JWT::ExpiredSignature
+      render_error(401, "The launch has expired. Please launch the application again.")
+    rescue JWT::DecodeError
+      render_error(401, "The launch token is invalid.")
+    rescue AtomicLti::Exceptions::NoLTIToken
+      render_error(401, "Invalid launch. Please launch the application again.")
+    rescue AtomicLti::Exceptions::AtomicLtiAuthException => e
+      render_error(401, "Invalid LTI launch. Please launch the application again. #{e.message}")
     rescue AtomicLti::Exceptions::AtomicLtiNotFoundException => e
-      render_error(env, 404, e.message)
-
+      render_error(404, e.message)
     rescue AtomicLti::Exceptions::AtomicLtiException => e
-      render_error(env, 500, e.message)
+      render_error(500, "Invalid LTI launch. Please launch the application again. #{e.message}")
     end
   end
 end

data/lib/atomic_lti/open_id_middleware.rb

@@ -1,4 +1,8 @@
 module AtomicLti
+  # This is the same prefix used in the npm package. There's not a great way to share constants between ruby and npm.
+  # Don't change it unless you change it in the Javascript as well.
+  OPEN_ID_COOKIE_PREFIX = "open_id_".freeze
+
   class OpenIdMiddleware
     def initialize(app)
       @app = app
@@ -17,26 +21,86 @@ module AtomicLti
     end
 
     def handle_init(request)
-      nonce = SecureRandom.hex(64)
+      platform = AtomicLti::Platform.find_by(iss: request.params["iss"])
+      if !platform
+        raise AtomicLti::Exceptions::NoLTIPlatform.new(iss: request.params["iss"])
+      end
+
+      nonce, state = AtomicLti::OpenId.generate_state
+
+      headers = { "Content-Type" => "text/html" }
+      Rack::Utils.set_cookie_header!(
+        headers, "#{OPEN_ID_COOKIE_PREFIX}storage",
+        { value: "1", path: "/", max_age: 365.days, http_only: false, secure: true, same_site: "None" }
+      )
+      Rack::Utils.set_cookie_header!(
+        headers, "#{OPEN_ID_COOKIE_PREFIX}#{state}",
+        { value: 1, path: "/", max_age: 1.minute, http_only: false, secure: true, same_site: "None" }
+      )
 
       redirect_uri = [request.base_url, AtomicLti.oidc_redirect_path].join
+      response_url = build_oidc_response(request, state, nonce, redirect_uri)
+
+      if request.cookies.present? || !AtomicLti.enforce_csrf_protection
+        # we know cookies will work, so redirect
+        headers["Location"] = response_url
 
-      state = AtomicLti::OpenId.state
-      url = build_oidc_response(request, state, nonce, redirect_uri)
+        [302, headers, ["Found"]]
+      else
+        # cookies might not work, so render our javascript form
+        if request.params["lti_storage_target"].present? && AtomicLti.use_post_message_storage
+          lti_storage_params = build_lti_storage_params(request, platform)
+        end
 
-      headers = { "Location" => url, "Content-Type" => "text/html" }
-      Rack::Utils.set_cookie_header!(headers, "open_id_state", state)
-      [302, headers, ["Found"]]
+        html = ApplicationController.renderer.render(
+          :html,
+          layout: false,
+          template: "atomic_lti/shared/init",
+          assigns: {
+            settings: {
+              state: state,
+              responseUrl: response_url,
+              ltiStorageParams: lti_storage_params,
+              relaunchInitUrl: relaunch_init_url(request),
+              privacyPolicyUrl: AtomicLti.privacy_policy_url,
+              privacyPolicyMessage: AtomicLti.privacy_policy_message,
+              openIdCookiePrefix: OPEN_ID_COOKIE_PREFIX,
+            },
+          },
+        )
+
+        [200, headers, [html]]
+      end
     end
 
-    def handle_redirect(request)
+    def validate_launch(request, validate_target_link_url)
+      # Validate and decode id_token
       raise AtomicLti::Exceptions::NoLTIToken if request.params["id_token"].blank?
 
-      lti_token = AtomicLti::Authorization.validate_token(
-        request.params["id_token"],
-      )
+      id_token_decoded = AtomicLti::Authorization.validate_token(request.params["id_token"])
+
+      raise AtomicLti::Exceptions::InvalidLTIToken.new if id_token_decoded.nil?
+
+      # Validate id token contents
+      AtomicLti::Lti.validate!(id_token_decoded, request.url, validate_target_link_url)
+
+      # Check for the state cookie
+      state_verified = false
+      state = request.params["state"]
+      if request.cookies["open_id_#{state}"]
+        state_verified = true
+      end
 
-      AtomicLti::Lti.validate!(lti_token)
+      # Validate the state and nonce
+      if !AtomicLti::OpenId.validate_state(id_token_decoded["nonce"], state)
+        raise AtomicLti::Exceptions::OpenIDStateError.new("Invalid OIDC state.")
+      end
+
+      [id_token_decoded, state, state_verified]
+    end
+
+    def handle_redirect(request)
+      id_token_decoded, _state, _state_verified = validate_launch(request, false)
 
       uri = URI(request.url)
       # Technically the target_link_uri is not required and the certification suite
@@ -44,25 +108,26 @@ module AtomicLti
       # but at least for the certification suite we have to have a backup default
       # value that can be set in the configuration of Atomic LTI using
       # the default_deep_link_path
-      target_link_uri = lti_token[AtomicLti::Definitions::TARGET_LINK_URI_CLAIM] ||
+      target_link_uri = id_token_decoded[AtomicLti::Definitions::TARGET_LINK_URI_CLAIM] ||
         File.join("#{uri.scheme}://#{uri.host}", AtomicLti.default_deep_link_path)
 
-      redirect_params = {
-        state: request.params["state"],
-        id_token: request.params["id_token"],
-      }
       html = ApplicationController.renderer.render(
         :html,
         layout: false,
         template: "atomic_lti/shared/redirect",
-        assigns: { launch_params: redirect_params, launch_url: target_link_uri },
+        assigns: {
+          launch_params: request.params,
+          launch_url: target_link_uri,
+        },
       )
 
       [200, { "Content-Type" => "text/html" }, [html]]
     end
 
     def matches_redirect?(request)
-      raise AtomicLti::Exceptions::ConfigurationError.new("AtomicLti.oidc_redirect_path is not configured") if AtomicLti.oidc_redirect_path.blank?
+      if AtomicLti.oidc_redirect_path.blank?
+        raise AtomicLti::Exceptions::ConfigurationError.new("AtomicLti.oidc_redirect_path is not configured")
+      end
 
       redirect_uri = URI.parse(AtomicLti.oidc_redirect_path)
       redirect_path_params = if redirect_uri.query
@@ -87,35 +152,42 @@ module AtomicLti
     end
 
     def handle_lti_launch(env, request)
-      id_token = request.params["id_token"]
-      state = request.params["state"]
-      url = request.url
+      id_token_decoded, state, state_verified = validate_launch(request, true)
 
-      payload = valid_token(state: state, id_token: id_token, url: url)
-      if payload
-        decoded_jwt = payload
-
-        update_install(id_token: decoded_jwt)
-        update_platform_instance(id_token: decoded_jwt)
-        update_deployment(id_token: decoded_jwt)
-        update_lti_context(id_token: decoded_jwt)
+      id_token = request.params["id_token"]
+      update_install(id_token: id_token_decoded)
+      update_platform_instance(id_token: id_token_decoded)
+      update_deployment(id_token: id_token_decoded)
+      update_lti_context(id_token: id_token_decoded)
+
+      errors = id_token_decoded.dig(AtomicLti::Definitions::TOOL_PLATFORM_CLAIM, "errors")
+      if errors.present? && !errors["errors"].empty?
+        Rails.logger.error("Detected errors in lti launch: #{errors}, id_token: #{id_token}")
+      end
 
-        errors = decoded_jwt.dig(AtomicLti::Definitions::TOOL_PLATFORM_CLAIM, "errors")
-        if errors.present? && !errors["errors"].empty?
-          Rails.logger.error("Detected errors in lti launch: #{errors}, id_token: #{id_token}")
-        end
+      env["atomic.validated.decoded_id_token"] = id_token_decoded
+      env["atomic.validated.id_token"] = id_token
+
+      platform = AtomicLti::Platform.find_by!(iss: id_token_decoded["iss"])
+      if request.params["lti_storage_target"].present? && AtomicLti.use_post_message_storage
+        lti_storage_params = build_lti_storage_params(request, platform)
+        # Add the values needed to do client side validate to the environment
+        env["atomic.validated.state_validation"] = {
+          state: state,
+          lti_storage_params: lti_storage_params,
+          verified_by_cookie: state_verified,
+        }
+      end
 
-        env["atomic.validated.decoded_id_token"] = decoded_jwt
-        env["atomic.validated.id_token"] = id_token
+      @app.call(env)
 
-        @app.call(env)
-      else
-        Rails.logger.info("Invalid lti launch: id_token: #{payload} - id_token: #{id_token} - state: #{state} - url: #{url}")
-        [401, {}, ["Invalid Lti Launch"]]
-      end
+      # Delete the state cookie
+      status, headers, body = @app.call(env)
+      # Rack::Utils.delete_cookie_header(headers, "#{OPEN_ID_COOKIE_PREFIX}#{state}")
+      [status, headers, body]
     end
 
-    def error!(body = "Error", status = 500, headers = {"Content-Type" => "text/html"})
+    def error!(body = "Error", status = 500, headers = { "Content-Type" => "text/html" })
       [status, headers, [body]]
     end
 
@@ -134,6 +206,19 @@ module AtomicLti
 
     protected
 
+    def render_error(status, message)
+      html = ApplicationController.renderer.render(
+        :html,
+        layout: false,
+        template: "atomic_lti/shared/error",
+        assigns: {
+          message: message || "There was an error during the launch. Please try again.",
+        },
+      )
+
+      [status || 404, { "Content-Type" => "text/html" }, [html]]
+    end
+
     def update_platform_instance(id_token:)
       if id_token[AtomicLti::Definitions::TOOL_PLATFORM_CLAIM].present? &&
           id_token.dig(AtomicLti::Definitions::TOOL_PLATFORM_CLAIM, "guid").present?
@@ -222,32 +307,18 @@ module AtomicLti
         )
     end
 
-    def valid_token(state:, id_token:, url:)
-      # Validate the state by checking the database for the nonce
-      valid_state = AtomicLti::OpenId.validate_open_id_state(state)
-
-      return false if !valid_state
-
-      token = false
-
-      begin
-        token = AtomicLti::Authorization.validate_token(id_token)
-      rescue JWT::DecodeError => e
-        Rails.logger.error("Unable to decode jwt: #{e}, #{e.backtrace}")
-        return false
-      end
-
-      return false if token.nil?
-
-      AtomicLti::Lti.validate!(token, url, true)
-
-      token
+    def relaunch_init_url(request)
+      uri = URI.parse(request.url)
+      uri.fragment = uri.query = nil
+      params = request.params
+      params.delete("lti_storage_target")
+      [uri.to_s, "?", params.to_query].join
     end
 
     def build_oidc_response(request, state, nonce, redirect_uri)
       platform = AtomicLti::Platform.find_by(iss: request.params["iss"])
       if !platform
-        raise AtomicLti::Exceptions::NoLTIPlatform(iss: request.params["iss"])
+        raise AtomicLti::Exceptions::NoLTIPlatform.new("No platform was found for iss: #{request.params['iss']}")
       end
 
       uri = URI.parse(platform.oidc_url)
@@ -268,5 +339,13 @@ module AtomicLti
 
       [uri.to_s, "?", auth_params.to_query].join
     end
+
+    def build_lti_storage_params(request, platform)
+      {
+        target: request.params["lti_storage_target"],
+        originSupportBroken: !AtomicLti.set_post_message_origin,
+        platformOIDCUrl: platform.oidc_url,
+      }
+    end
   end
 end

data/lib/atomic_lti/version.rb

@@ -1,3 +1,3 @@
 module AtomicLti
-  VERSION = '1.3.0'
+  VERSION = "1.5.0".freeze
 end

data/lib/atomic_lti.rb

@@ -4,6 +4,7 @@ require "atomic_lti/open_id_middleware"
 require "atomic_lti/error_handling_middleware"
 require_relative "../app/lib/atomic_lti/definitions"
 require_relative "../app/lib/atomic_lti/exceptions"
+require_relative "../app/lib/atomic_lti/role_enforcement_mode"
 module AtomicLti
 
   # Set this to true to scope context_id's to the ISS rather than
@@ -18,7 +19,33 @@ module AtomicLti
   mattr_accessor :target_link_path_prefixes
   mattr_accessor :default_deep_link_path
   mattr_accessor :jwt_secret
-  mattr_accessor :scopes
+  mattr_accessor :scopes, default: AtomicLti::Definitions.scopes.join(" ")
+
+  # Set to true to enforce CSRF protection, either via cookies or postMessage
+  mattr_accessor :enforce_csrf_protection, default: true
+
+  # Set to true to use LTI postMessage storage for csrf token storage
+  # with this enabled we can operate without cookies
+  mattr_accessor :use_post_message_storage, default: true
+
+  # Set to true to set the targetOrigin on postMessage calls. The LTI spec
+  # requires this, but Canvas doesn't currently support it.
+  mattr_accessor :set_post_message_origin, default: false
+
+  mattr_accessor :privacy_policy_url, default: "#"
+  mattr_accessor :privacy_policy_message, default: nil
+
+  # https://www.imsglobal.org/spec/lti/v1p3#anonymous-launch-case
+  # 'anonymous' here means that the launch does not include a 'sub' field. In
+  # Canvas, this means the user is not logged in at all. If you enable this
+  # option, you will likely have to adjust application code to accommodate
+  mattr_accessor :allow_anonymous_user, default: false
+
+  # https://www.imsglobal.org/spec/lti/v1p3#role-vocabularies
+  # Determines how strictly to enforce the role vocabulary. The options are:
+  # - "DEFAULT" which means that unknown roles are allowed to be the only roles in the token.
+  # - "STRICT" which means that unknown roles are not allowed to be the only roles in the token.
+  mattr_accessor :role_enforcement_mode, default: AtomicLti::RoleEnforcementMode::DEFAULT
 
   def self.get_deployments(iss:, deployment_ids:)
     AtomicLti::Deployment.where(iss: iss, deployment_id: deployment_ids)

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: atomic_lti
 version: !ruby/object:Gem::Version
-  version: 1.3.0
+  version: 1.5.0
 platform: ruby
 authors:
 - Matt Petro
@@ -10,7 +10,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-03-22 00:00:00.000000000 Z
+date: 2023-08-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: pg
@@ -56,8 +56,10 @@ files:
 - app/assets/config/atomic_lti_manifest.js
 - app/assets/stylesheets/atomic_lti/application.css
 - app/assets/stylesheets/atomic_lti/jwks.css
+- app/assets/stylesheets/atomic_lti/launch.css
 - app/controllers/atomic_lti/jwks_controller.rb
 - app/helpers/atomic_lti/launch_helper.rb
+- app/javascript/atomic_lti/init_app.js
 - app/jobs/atomic_lti/application_job.rb
 - app/lib/atomic_lti/auth_token.rb
 - app/lib/atomic_lti/authorization.rb
@@ -68,6 +70,7 @@ files:
 - app/lib/atomic_lti/lti.rb
 - app/lib/atomic_lti/open_id.rb
 - app/lib/atomic_lti/params.rb
+- app/lib/atomic_lti/role_enforcement_mode.rb
 - app/lib/atomic_lti/services/base.rb
 - app/lib/atomic_lti/services/line_items.rb
 - app/lib/atomic_lti/services/names_and_roles.rb
@@ -85,6 +88,8 @@ files:
 - app/models/atomic_lti/platform.rb
 - app/models/atomic_lti/platform_instance.rb
 - app/views/atomic_lti/launches/index.html.erb
+- app/views/atomic_lti/shared/error.html.erb
+- app/views/atomic_lti/shared/init.html.erb
 - app/views/atomic_lti/shared/redirect.html.erb
 - app/views/layouts/atomic_lti/application.html.erb
 - config/routes.rb
@@ -96,6 +101,7 @@ files:
 - db/migrate/20220428175423_create_atomic_lti_oauth_states.rb
 - db/migrate/20220503003528_create_atomic_lti_jwks.rb
 - db/migrate/20221010140920_create_open_id_state.rb
+- db/migrate/20230726040941_add_state_to_open_id_state.rb
 - db/seeds.rb
 - lib/atomic_lti.rb
 - lib/atomic_lti/engine.rb
@@ -124,7 +130,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.6
+rubygems_version: 3.4.15
 signing_key:
 specification_version: 4
 summary: AtomicLti implements the LTI Advantage specification.