atomic_lti 1.3.1 → 1.5.1

data/app/assets/stylesheets/atomic_lti/launch.css

@@ -0,0 +1,95 @@
+.aj-centered-message {
+  max-width: 600px;
+  margin: 48px auto 0;
+  border: 1px solid #ccc;
+  padding: 24px 32px;
+  border-radius: 10px;
+}
+
+.aj-icon {
+  width: 24px;
+  color: #333;
+}
+
+.aj-title {
+  font-family: 'Lato', 'Helvetica Nue', Helvetica, Arial sans-serif;
+  font-weight: 400;
+  font-size: 20px;
+  line-height: 1;
+  gap: 12px;
+  color: #333;
+  display: flex;
+  align-items: center;
+  -webkit-font-smoothing: antialiased;
+  -moz-osx-font-smoothing: grayscale;
+  text-shadow: 1px 1px 1px rgba(0, 0, 0, 0.004);
+}
+
+.u-flex {
+  display: flex;
+  gap: 12px;
+  margin-top: 12px;
+}
+
+.u-flex > * {
+  margin: 0;
+}
+
+.aj-text.aj-text--small {
+  font-weight: 400;
+  font-size: 13px;
+  margin-top: 20px;
+}
+
+.aj-text {
+  font-family: 'Lato', 'Helvetica Nue', Helvetica, Arial sans-serif;
+  font-weight: 400;
+  font-size: 16px;
+  line-height: 1.4;
+  color: #333;
+  max-width: 600px;
+  -webkit-font-smoothing: antialiased;
+  -moz-osx-font-smoothing: grayscale;
+  text-shadow: 1px 1px 1px rgba(0, 0, 0, 0.004);
+}
+
+.aj-btn.aj-btn--blue:hover:enabled, a.aj-btn.aj-btn--blue:hover:enabled {
+    box-shadow: 0 3px 4px rgba(0, 50, 150, 0.3);
+    background-color: #2D7DAE;
+}
+
+.aj-btn:hover:enabled, a.aj-btn:hover:enabled {
+    cursor: pointer;
+    background-color: #efefef;
+}
+
+.aj-btn.aj-btn--blue:disabled {
+    opacity: 0.5;
+}
+
+.aj-btn.aj-btn--blue, a.aj-btn.aj-btn--blue {
+    font-family: "Lato", "Helvetica Nue", Helvetica, Arial sans-serif;
+    font-weight: 700;
+    background-color: #2D7DAE;
+    border: none;
+    font-size: 16px;
+    line-height: 27px;
+    text-align: left;
+    color: #ffffff;
+    border-radius: none;
+    border: 2px solid #2D7DAE;
+}
+
+.aj-btn, a.aj-btn {
+    height: 40px;
+    display: inline-flex;
+    align-items: center;
+    gap: 12px;
+    justify-content: center;
+    border-radius: 5px;
+    white-space: nowrap;
+    position: relative;
+    isolation: isolate;
+    padding: 0 12px;
+    text-decoration: none;
+}

data/app/javascript/atomic_lti/init_app.js

@@ -0,0 +1,3 @@
+import { InitOIDCLaunch } from '@atomicjolt/lti-client/src/init';
+
+InitOIDCLaunch(window.SETTINGS);

data/app/lib/atomic_lti/authorization.rb

@@ -5,10 +5,10 @@ module AtomicLti
 
     AUTHORIZATION_TRIES = 3
     # Validates a token provided by an LTI consumer
-    def self.validate_token(token)
+    def self.validate_token(id_token)
       # Get the iss value from the original request during the oidc call.
       # Use that value to figure out which jwk we should use.
-      decoded_token = JWT.decode(token, nil, false)
+      decoded_token = JWT.decode(id_token, nil, false)
 
       iss = decoded_token.dig(0, "iss")
 
@@ -31,8 +31,8 @@ module AtomicLti
         jwks
       end
 
-      lti_token, _keys = JWT.decode(token, nil, true, { algorithms: ["RS256"], jwks: jwk_loader })
-      lti_token
+      id_token_decoded, _keys = JWT.decode(id_token, nil, true, { algorithms: ["RS256"], jwks: jwk_loader })
+      id_token_decoded
     end
 
     def self.sign_tool_jwt(payload)
@@ -73,19 +73,26 @@ module AtomicLti
       sign_tool_jwt(payload)
     end
 
-    def self.request_token(iss:, deployment_id:)
+    def self.request_token(iss:, deployment_id:, scopes: nil)
       deployment = AtomicLti::Deployment.find_by(iss: iss, deployment_id: deployment_id)
 
       raise AtomicLti::Exceptions::NoLTIDeployment.new(iss: iss, deployment_id: deployment_id) if deployment.nil?
 
-      cache_key = "#{deployment.cache_key_with_version}/services_authorization"
+      scopestr = if scopes
+                   scopes.sort.join(" ")
+                 else
+                   AtomicLti.scopes
+                 end
+
+      # Token is cached based on deployment id and requested scopes
+      cache_key = "#{deployment.cache_key}/#{Digest::SHA1.hexdigest(scopestr)}/services_authorization"
       tries = 1
 
       begin
         authorization = Rails.cache.read(cache_key)
         return authorization if authorization.present?
 
-        authorization = request_token_uncached(iss: iss, deployment_id: deployment_id)
+        authorization = request_token_uncached(iss: iss, deployment_id: deployment_id, scopes: scopestr)
 
         # Subtract a few seconds so we don't use an expired token
         expires_in = authorization["expires_in"].to_i - 10
@@ -109,13 +116,13 @@ module AtomicLti
       authorization
     end
 
-    def self.request_token_uncached(iss:, deployment_id:)
+    def self.request_token_uncached(iss:, deployment_id:, scopes:)
       # Details here:
       # https://www.imsglobal.org/spec/security/v1p0/#using-json-web-tokens-with-oauth-2-0-client-credentials-grant
       body = {
         grant_type: "client_credentials",
         client_assertion_type: "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
-        scope: AtomicLti.scopes,
+        scope: scopes,
         client_assertion: client_assertion(iss: iss, deployment_id: deployment_id),
       }
       headers = {

data/app/lib/atomic_lti/definitions.rb

@@ -67,13 +67,13 @@ module AtomicLti
       ]
     end
 
-    CANVAS_PUBLIC_LTI_KEYS_URL = "https://canvas.instructure.com/api/lti/security/jwks".freeze
-    CANVAS_OIDC_URL = "https://canvas.instructure.com/api/lti/authorize_redirect".freeze
-    CANVAS_AUTH_TOKEN_URL = "https://canvas.instructure.com/login/oauth2/token".freeze
+    CANVAS_PUBLIC_LTI_KEYS_URL = "https://sso.canvaslms.com/api/lti/security/jwks".freeze
+    CANVAS_OIDC_URL = "https://sso.canvaslms.com/api/lti/authorize_redirect".freeze
+    CANVAS_AUTH_TOKEN_URL = "https://sso.canvaslms.com/login/oauth2/token".freeze
 
-    CANVAS_BETA_PUBLIC_LTI_KEYS_URL = "https://canvas.beta.instructure.com/api/lti/security/jwks".freeze
-    CANVAS_BETA_AUTH_TOKEN_URL = "https://canvas.beta.instructure.com/login/oauth2/token".freeze
-    CANVAS_BETA_OIDC_URL = "https://canvas.beta.instructure.com/api/lti/authorize_redirect".freeze
+    CANVAS_BETA_PUBLIC_LTI_KEYS_URL = "https://sso.beta.canvaslms.com/api/lti/security/jwks".freeze
+    CANVAS_BETA_OIDC_URL = "https://sso.beta.canvaslms.com/api/lti/authorize_redirect".freeze
+    CANVAS_BETA_AUTH_TOKEN_URL = "https://sso.beta.canvaslms.com/login/oauth2/token".freeze
 
     CANVAS_SUBMISSION_TYPE = "https://canvas.instructure.com/lti/submission_type".freeze
 
@@ -115,6 +115,38 @@ module AtomicLti
     MEMBER_CONTEXT_ROLE = "http://purl.imsglobal.org/vocab/lis/v2/membership#Member".freeze
     OFFICER_CONTEXT_ROLE = "http://purl.imsglobal.org/vocab/lis/v2/membership#Officer".freeze
 
+    ROLES = [
+      ADMINISTRATOR_SYSTEM_ROLE,
+      NONE_SYSTEM_ROLE,
+      ACCOUNT_ADMIN_SYSTEM_ROLE,
+      CREATOR_SYSTEM_ROLE,
+      SYS_ADMIN_SYSTEM_ROLE,
+      SYS_SUPPORT_SYSTEM_ROLE,
+      USER_SYSTEM_ROLE,
+      ADMINISTRATOR_INSTITUTION_ROLE,
+      FACULTY_INSTITUTION_ROLE,
+      GUEST_INSTITUTION_ROLE,
+      NONE_INSTITUTION_ROLE,
+      OTHER_INSTITUTION_ROLE,
+      STAFF_INSTITUTION_ROLE,
+      STUDENT_INSTITUTION_ROLE,
+      ALUMNI_INSTITUTION_ROLE,
+      INSTRUCTOR_INSTITUTION_ROLE,
+      LEARNER_INSTITUTION_ROLE,
+      MEMBER_INSTITUTION_ROLE,
+      MENTOR_INSTITUTION_ROLE,
+      OBSERVER_INSTITUTION_ROLE,
+      PROSPECTIVE_STUDENT_INSTITUTION_ROLE,
+      ADMINISTRATOR_CONTEXT_ROLE,
+      CONTENT_DEVELOPER_CONTEXT_ROLE,
+      INSTRUCTOR_CONTEXT_ROLE,
+      LEARNER_CONTEXT_ROLE,
+      MENTOR_CONTEXT_ROLE,
+      MANAGER_CONTEXT_ROLE,
+      MEMBER_CONTEXT_ROLE,
+      OFFICER_CONTEXT_ROLE,
+    ].freeze
+
     ADMINISTRATOR_ROLES = [
       ADMINISTRATOR_SYSTEM_ROLE,
       ACCOUNT_ADMIN_SYSTEM_ROLE,

data/app/lib/atomic_lti/exceptions.rb

@@ -1,7 +1,7 @@
 module AtomicLti
   module Exceptions
 
-    # General exceptions
+    # LTI data related exceptions
     class AtomicLtiException < StandardError
     end
 
@@ -20,15 +20,9 @@ module AtomicLti
     class StateError < AtomicLtiException
     end
 
-    class OpenIDStateError < AtomicLtiException
-    end
-
     class OpenIDRedirectError < AtomicLtiException
     end
 
-    class JwtIssueError < AtomicLtiException
-    end
-
     class LineItemMissing < LineItemError
     end
 
@@ -50,18 +44,28 @@ module AtomicLti
       end
     end
 
-    class NoLTIToken < AtomicLtiException
-      def initialize(msg = "No LTI token provided")
+    # Authorization errors
+    class AtomicLtiAuthException < StandardError
+    end
+
+    class InvalidLTIToken < AtomicLtiAuthException
+      def initialize(msg = "Invalid LTI token provided")
         super(msg)
       end
     end
 
-    class InvalidLTIToken < AtomicLtiException
-      def initialize(msg = "Invalid LTI token provided")
+    class JwtIssueError < AtomicLtiAuthException
+    end
+
+    class NoLTIToken < AtomicLtiAuthException
+      def initialize(msg = "No LTI token provided")
         super(msg)
       end
     end
 
+    class OpenIDStateError < AtomicLtiAuthException
+    end
+
     # Not found exceptions
     class AtomicLtiNotFoundException < StandardError
     end

data/app/lib/atomic_lti/lti.rb

@@ -12,7 +12,7 @@ module AtomicLti
         errors.push("LTI token is missing required field iss")
       end
 
-      if decoded_token["sub"].blank?
+      if decoded_token["sub"].blank? && !AtomicLti.allow_anonymous_user
         errors.push("LTI token is missing required field sub")
       end
 
@@ -51,6 +51,14 @@ module AtomicLti
         )
       end
 
+      roles = decoded_token[AtomicLti::Definitions::ROLES_CLAIM]
+      if AtomicLti.role_enforcement_mode == AtomicLti::RoleEnforcementMode::STRICT && roles.is_a?(Array) && !roles.empty?
+        invalid_roles = roles - AtomicLti::Definitions::ROLES
+        if invalid_roles.length == roles.length
+          errors.push("LTI token has invalid roles: #{invalid_roles.join(", ")}")
+        end
+      end
+
       if errors.length > 0
         raise AtomicLti::Exceptions::InvalidLTIToken.new(errors.join(" "))
       end
@@ -69,7 +77,7 @@ module AtomicLti
 
       if decoded_token[AtomicLti::Definitions::TARGET_LINK_URI_CLAIM].blank?
         errors.push(
-          "LTI token is missing required claim #{AtomicLti::Definitions::TARGET_LINK_URI_CLAIM}"
+          "LTI token is missing required claim #{AtomicLti::Definitions::TARGET_LINK_URI_CLAIM}",
         )
       end
 
@@ -77,19 +85,19 @@ module AtomicLti
       target_link_uri = decoded_token[AtomicLti::Definitions::TARGET_LINK_URI_CLAIM]
       if validate_target_link_url && target_link_uri != requested_target_link_uri
         errors.push(
-          "LTI token target link uri '#{target_link_uri}' doesn't match url '#{requested_target_link_uri}'"
+          "LTI token target link uri '#{target_link_uri}' doesn't match url '#{requested_target_link_uri}'",
         )
       end
 
       if decoded_token[AtomicLti::Definitions::RESOURCE_LINK_CLAIM].blank?
         errors.push(
-          "LTI token is missing required claim #{AtomicLti::Definitions::RESOURCE_LINK_CLAIM}"
+          "LTI token is missing required claim #{AtomicLti::Definitions::RESOURCE_LINK_CLAIM}",
         )
       end
 
       if decoded_token.dig(AtomicLti::Definitions::RESOURCE_LINK_CLAIM, "id").blank?
         errors.push(
-          "LTI token is missing required field id from the claim #{AtomicLti::Definitions::RESOURCE_LINK_CLAIM}"
+          "LTI token is missing required field id from the claim #{AtomicLti::Definitions::RESOURCE_LINK_CLAIM}",
         )
       end
 

data/app/lib/atomic_lti/open_id.rb

@@ -1,22 +1,34 @@
 module AtomicLti
   class OpenId
-    def self.validate_open_id_state(state)
-      state = AtomicLti::AuthToken.decode(state)[0]
-      if open_id_state = AtomicLti::OpenIdState.find_by(nonce: state["nonce"])
-        open_id_state.destroy
-        true
-      else
-        false
+    def self.validate_state(nonce, state)
+      if state.blank?
+        return false
       end
-    rescue StandardError => e
-      Rails.logger.info("Error decoding token: #{e} - #{e.backtrace}")
-      false
+
+      open_id_state = AtomicLti::OpenIdState.find_by(state: state)
+      if !open_id_state
+        return false
+      end
+
+      open_id_state.destroy
+
+      # Check that the state hasn't expired
+      if open_id_state.created_at < 10.minutes.ago
+        return false
+      end
+
+      if nonce != open_id_state.nonce
+        return false
+      end
+
+      true
     end
 
-    def self.state
+    def self.generate_state
       nonce = SecureRandom.hex(64)
-      AtomicLti::OpenIdState.create!(nonce: nonce)
-      AtomicLti::AuthToken.issue_token({ nonce: nonce })
+      state = SecureRandom.hex(32)
+      AtomicLti::OpenIdState.create!(nonce: nonce, state: state)
+      [nonce, state]
     end
   end
 end

data/app/lib/atomic_lti/params.rb

@@ -3,8 +3,8 @@ module AtomicLti
   class Params
     attr_reader :token
 
-    def initialize(lti_token)
-      @token = lti_token.with_indifferent_access
+    def initialize(id_token_decoded)
+      @token = id_token_decoded.with_indifferent_access
     end
 
     def lti_advantage?

data/app/lib/atomic_lti/role_enforcement_mode.rb

@@ -0,0 +1,8 @@
+module AtomicLti
+  module RoleEnforcementMode
+    # Unkown roles are allowed to be the only role in the roles claim
+    DEFAULT = "DEFAULT".freeze
+    # Unkown roles are not allowed to be the only roles in the roles claim
+    STRICT = "STRICT".freeze
+  end
+end

data/app/lib/atomic_lti/services/base.rb

@@ -2,23 +2,24 @@ module AtomicLti
   module Services
     class Base
 
-      def initialize(lti_token: nil, iss: nil, deployment_id: nil)
-
+      def initialize(id_token_decoded: nil, iss: nil, deployment_id: nil)
         token_iss = nil
         token_deployment_id = nil
 
-        if lti_token.present?
-          token_iss = lti_token.dig('iss')
-          token_deployment_id = lti_token.dig(AtomicLti::Definitions::DEPLOYMENT_ID)
+        if id_token_decoded.present?
+          token_iss = id_token_decoded["iss"]
+          token_deployment_id = id_token_decoded[AtomicLti::Definitions::DEPLOYMENT_ID]
         end
 
-        @lti_token = lti_token
+        @id_token_decoded = id_token_decoded
         @iss = iss || token_iss
         @deployment_id = deployment_id || token_deployment_id
       end
 
+      def scopes; end
+
       def headers(options = {})
-        @token ||= AtomicLti::Authorization.request_token(iss: @iss, deployment_id: @deployment_id)
+        @token ||= AtomicLti::Authorization.request_token(iss: @iss, deployment_id: @deployment_id, scopes: scopes)
         {
           "Authorization" => "Bearer #{@token['access_token']}",
         }.merge(options)

data/app/lib/atomic_lti/services/line_items.rb

@@ -3,12 +3,17 @@ module AtomicLti
     # Canvas API docs https://canvas.instructure.com/doc/api/line_items.html
     class LineItems < AtomicLti::Services::Base
 
-      def endpoint(lti_token)
-        url = lti_token.dig(AtomicLti::Definitions::AGS_CLAIM, "lineitems")
+      def endpoint(id_token_decoded)
+        url = id_token_decoded.dig(AtomicLti::Definitions::AGS_CLAIM, "lineitems")
         raise AtomicLti::Exceptions::LineItemError, "Unable to access line items" unless url.present?
+
         url
       end
 
+      def scopes
+        @id_token_decoded&.dig(AtomicLti::Definitions::AGS_CLAIM, "scope")
+      end
+
       # Helper method to generate a default set of attributes
       def self.generate(
         label:,
@@ -27,8 +32,8 @@ module AtomicLti
           tag: tag,
           startDateTime: start_date_time,
           endDateTime: end_date_time,
+          resourceLinkId: resource_link_id,
         }.compact
-        attrs["resourceLinkId"] = resource_link_id if resource_link_id
         if external_tool_url
           attrs[AtomicLti::Definitions::CANVAS_SUBMISSION_TYPE] = {
             type: "external_tool",
@@ -42,14 +47,14 @@ module AtomicLti
         self.class.generate(**attrs)
       end
 
-      def self.can_manage_line_items?(lti_token)
-        lti_token.dig(AtomicLti::Definitions::AGS_CLAIM, "scope")&.
+      def self.can_manage_line_items?(id_token_decoded)
+        id_token_decoded.dig(AtomicLti::Definitions::AGS_CLAIM, "scope")&.
           include?(AtomicLti::Definitions::AGS_SCOPE_LINE_ITEM)
       end
 
-      def self.can_query_line_items?(lti_token)
-        can_manage_line_items?(lti_token) ||
-          lti_token.dig(AtomicLti::Definitions::AGS_CLAIM, "scope").
+      def self.can_query_line_items?(id_token_decoded)
+        can_manage_line_items?(id_token_decoded) ||
+          id_token_decoded.dig(AtomicLti::Definitions::AGS_CLAIM, "scope").
             include?(AtomicLti::Definitions::AGS_SCOPE_LINE_ITEM_READONLY)
       end
 
@@ -57,7 +62,7 @@ module AtomicLti
       # Canvas: https://canvas.beta.instructure.com/doc/api/line_items.html#method.lti/ims/line_items.index
       def list(query = {})
         accept = { "Accept" => "application/vnd.ims.lis.v2.lineitemcontainer+json" }
-        HTTParty.get(endpoint(@lti_token), headers: headers(accept), query: query)
+        HTTParty.get(endpoint(@id_token_decoded), headers: headers(accept), query: query)
       end
 
       # Get a specific line item
@@ -72,7 +77,7 @@ module AtomicLti
       # Canvas: https://canvas.beta.instructure.com/doc/api/line_items.html#method.lti/ims/line_items.create
       def create(attrs = nil)
         content_type = { "Content-Type" => "application/vnd.ims.lis.v2.lineitem+json" }
-        HTTParty.post(endpoint(@lti_token), body: JSON.dump(attrs), headers: headers(content_type))
+        HTTParty.post(endpoint(@id_token_decoded), body: JSON.dump(attrs), headers: headers(content_type))
       end
 
       # Update a line item

data/app/lib/atomic_lti/services/names_and_roles.rb

@@ -2,12 +2,16 @@ module AtomicLti
   module Services
     class NamesAndRoles < AtomicLti::Services::Base
 
-      def initialize(lti_token:)
-        super(lti_token: lti_token)
+      def initialize(id_token_decoded:)
+        super(id_token_decoded: id_token_decoded)
+      end
+
+      def scopes
+        [AtomicLti::Definitions::NAMES_AND_ROLES_SCOPE]
       end
 
       def endpoint
-        url = @lti_token.dig(AtomicLti::Definitions::NAMES_AND_ROLES_CLAIM, "context_memberships_url")
+        url = @id_token_decoded.dig(AtomicLti::Definitions::NAMES_AND_ROLES_CLAIM, "context_memberships_url")
         raise AtomicLti::Exceptions::NamesAndRolesError, "Unable to access names and roles" unless url.present?
 
         url
@@ -19,15 +23,15 @@ module AtomicLti
         url
       end
 
-      def self.enabled?(lti_token)
-        return false unless lti_token&.dig(AtomicLti::Definitions::NAMES_AND_ROLES_CLAIM)
+      def self.enabled?(id_token_decoded)
+        return false unless id_token_decoded&.dig(AtomicLti::Definitions::NAMES_AND_ROLES_CLAIM)
 
         (AtomicLti::Definitions::NAMES_AND_ROLES_SERVICE_VERSIONS &
-          (lti_token.dig(AtomicLti::Definitions::NAMES_AND_ROLES_CLAIM, "service_versions") || [])).present?
+          (id_token_decoded.dig(AtomicLti::Definitions::NAMES_AND_ROLES_CLAIM, "service_versions") || [])).present?
       end
 
       def valid?
-        self.class.enabled?(@lti_token)
+        self.class.enabled?(@id_token_decoded)
       end
 
       # List names and roles

data/app/lib/atomic_lti/services/results.rb

@@ -3,6 +3,10 @@ module AtomicLti
     # Canvas API docs: https://canvas.instructure.com/doc/api/result.html
     class Results < AtomicLti::Services::Base
 
+      def scopes
+        [AtomicLti::Definitions::AGS_SCOPE_RESULT]
+      end
+
       def list(line_item_id)
         url = "#{line_item_id}/results"
         HTTParty.get(url, headers: headers)

data/app/lib/atomic_lti/services/score.rb

@@ -5,18 +5,22 @@ module AtomicLti
 
       attr_accessor :id
 
-      def initialize(lti_token: nil, iss:nil, deployment_id: nil, id: nil)
-        super(lti_token: lti_token, iss: iss, deployment_id: deployment_id)
+      def initialize(id_token_decoded: nil, iss: nil, deployment_id: nil, id: nil)
+        super(id_token_decoded: id_token_decoded, iss: iss, deployment_id: deployment_id)
         @id = id
       end
 
+      def scopes
+        [AtomicLti::Definitions::AGS_SCOPE_SCORE]
+      end
+
       def endpoint
         if id.blank?
           raise ::AtomicLti::Exceptions::ScoreError,
                 "Invalid id or no id provided. Unable to access scores. id should be in the form of a url."
         end
         uri = URI(id)
-        uri.path = uri.path+'/scores'
+        uri.path = "#{uri.path}/scores"
         uri
       end
 
@@ -52,7 +56,7 @@ module AtomicLti
           # values will require no action. Possible values are NotReady, Failed, Pending,
           # PendingManual, FullyGraded
           gradingProgress: grading_progress,
-        }
+        }.compact
       end
 
       def send(attrs)

data/app/models/atomic_lti/jwk.rb

@@ -1,6 +1,6 @@
 module AtomicLti
   class Jwk < ApplicationRecord
-    before_create :generate_keys
+    before_create :ensure_keys_exist
 
     def generate_keys
       pkey = OpenSSL::PKey::RSA.generate(2048)
@@ -37,5 +37,14 @@ module AtomicLti
     def self.current_jwk
       self.last
     end
+
+    private
+
+    def ensure_keys_exist
+      if kid.blank?
+        generate_keys
+      end
+    end
+
   end
 end

data/app/models/atomic_lti/open_id_state.rb

@@ -1,5 +1,6 @@
 module AtomicLti
   class OpenIdState < ApplicationRecord
     validates :nonce, presence: true, uniqueness: true
+    validates :state, presence: true, uniqueness: true
   end
 end

data/app/views/atomic_lti/shared/error.html.erb

@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html lang="en">
+  <head>
+    <%= stylesheet_link_tag    "atomic_lti/launch" %>
+    <link href="https://fonts.googleapis.com/icon?family=Material+Icons+Outlined" rel="stylesheet">
+  </head>
+  <body>
+    <div class="aj-main">
+      <div class="aj-error">
+        <h1 class="aj-title">
+          <i class="material-icons-outlined aj-icon" aria-hidden="true">error</i>
+          <%= @message %>
+        </h1>
+      </div>
+    </div>
+  </body>
+</html>

data/app/views/atomic_lti/shared/init.html.erb

@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<html lang="en">
+  <head>
+    <style>
+      .hidden { display: none !important; }
+    </style>
+    <link href="https://fonts.googleapis.com/icon?family=Material+Icons+Outlined" rel="stylesheet">
+    <%= stylesheet_link_tag "atomic_lti/launch" %>
+    <%= javascript_include_tag "atomic_lti/init_app" %>
+  </head>
+  <body>
+    <noscript>
+      <div class="u-flex">
+        <i class="material-icons-outlined aj-icon" aria-hidden="true">warning</i>
+        <p class="aj-text">
+          You must have javascript enabled to use this application.
+        </p>
+      </div>
+    </noscript>
+    <div id="main-content">
+    </div>
+    <script type="text/javascript">
+      InitOIDCLaunch(window.SETTINGS);
+    </script>
+  </body>
+</html>