@lti-tool/core 0.11.0 → 0.12.0

package/dist/services/dynamicRegistration.service.js

@@ -0,0 +1,312 @@
+import { openIDConfigurationSchema, } from '../schemas/lti13/dynamicRegistration/openIDConfiguration.schema.js';
+import { handleMoodleDynamicRegistration, postRegistrationToMoodle, } from './dynamicRegistrationHandlers/moodle.js';
+/**
+ * Service for handling LTI 1.3 dynamic registration workflows.
+ *
+ * Provides a complete implementation of the LTI 1.3 Dynamic Registration specification,
+ * enabling tools to automatically register with LTI platforms without manual configuration.
+ * Handles the full registration lifecycle from initiation to completion with security validation.
+ *
+ * ## Key Features
+ * - **Platform Discovery**: Fetches and validates OpenID Connect configuration from LTI platforms
+ * - **Security Validation**: Enforces hostname matching and session-based CSRF protection
+ * - **Vendor Support**: Provides platform-specific registration forms (Moodle, with extensibility for Canvas, Sakai, etc.)
+ * - **Service Selection**: Allows administrators to choose which LTI Advantage services to enable (AGS, NRPS, Deep Linking)
+ * - **Automatic Storage**: Persists client and deployment configurations for future launches
+ *
+ * ## Registration Flow
+ * 1. **Initiation**: Platform redirects to tool with registration request
+ * 2. **Discovery**: Tool fetches platform's OpenID Connect configuration
+ * 3. **Form Generation**: Tool presents service selection form to administrator
+ * 4. **Registration**: Tool submits registration payload to platform
+ * 5. **Storage**: Tool stores received client credentials and deployment information
+ *
+ * ## Security Features
+ * - Session-based registration with 15-minute expiration
+ * - CSRF protection via secure session tokens
+ * - Hostname validation between OIDC endpoint and issuer
+ * - One-time session consumption to prevent replay attacks
+ *
+ * @example
+ * ```typescript
+ * const service = new DynamicRegistrationService(
+ *   storage,
+ *   dynamicRegistrationConfig,
+ *   logger
+ * );
+ *
+ * // Initiate registration
+ * const formHtml = await service.initiateDynamicRegistration(request, '/lti/register');
+ *
+ * // Complete registration
+ * const successHtml = await service.completeDynamicRegistration(formData);
+ * ```
+ *
+ * @see https://www.imsglobal.org/spec/lti-dr/v1p0 LTI 1.3 Dynamic Registration specification
+ */
+export class DynamicRegistrationService {
+    storage;
+    dynamicRegistrationConfig;
+    logger;
+    constructor(storage, dynamicRegistrationConfig, logger) {
+        this.storage = storage;
+        this.dynamicRegistrationConfig = dynamicRegistrationConfig;
+        this.logger = logger;
+    }
+    /**
+     * Fetches and validates the OpenID Connect configuration from an LTI platform during dynamic registration.
+     * Validates that the OIDC endpoint and issuer have matching hostnames for security.
+     *
+     * @param registrationRequest - Registration request containing openid_configuration URL and optional registration_token
+     * @returns Validated OpenID configuration with platform endpoints and supported features
+     * @throws {Error} When the configuration fetch fails, validation fails, or hostname mismatch detected
+     */
+    async fetchPlatformConfiguration(registrationRequest) {
+        const { openid_configuration, registration_token } = registrationRequest;
+        const response = await fetch(openid_configuration, {
+            method: 'GET',
+            headers: {
+                // only include registration token if it was provided
+                ...(registration_token && { Authorization: `Bearer ${registration_token}` }),
+                Accept: 'application/json',
+            },
+        });
+        await this.validateDynamicRegistrationResponse(response, 'validateRegistrationRequest');
+        const data = await response.json();
+        const openIdConfiguration = openIDConfigurationSchema.parse(data);
+        this.logger.debug({ openIdConfiguration });
+        // validate that the endpoint and issuer have the same hostname
+        const oidcEndpoint = new URL(openid_configuration);
+        const { issuer } = openIdConfiguration;
+        const issuerEndpoint = new URL(issuer);
+        if (oidcEndpoint.hostname !== issuerEndpoint.hostname) {
+            const errorMessage = `OIDC endpoint and issuer in OIDC payload do not match, cannot continue. OIDC endpoint: ${oidcEndpoint} issuer endpoint: ${issuerEndpoint}`;
+            this.logger.error(errorMessage);
+            throw new Error(errorMessage);
+        }
+        // good to continue!
+        return openIdConfiguration;
+    }
+    /**
+     * Initiates LTI 1.3 dynamic registration by fetching platform configuration and generating registration form.
+     * Creates a temporary session and returns vendor-specific HTML form for service selection.
+     *
+     * @param registrationRequest - Registration request containing openid_configuration URL and optional registration_token
+     * @param requestPath - Current request path used to build form action URLs
+     * @returns HTML form for service selection and registration completion
+     * @throws {Error} When platform configuration fetch fails or session creation fails
+     */
+    async initiateDynamicRegistration(registrationRequest, requestPath) {
+        // 1. Validate request
+        const openIdConfiguration = await this.fetchPlatformConfiguration(registrationRequest);
+        // 2. generate and store session
+        const sessionToken = crypto.randomUUID();
+        await this.storage.setRegistrationSession(sessionToken, {
+            openIdConfiguration,
+            registrationToken: registrationRequest.registration_token,
+            expiresAt: Date.now() + 15 * 60 * 1000, // 15 minutes
+        });
+        // 3. build form based on LMS vendor
+        const { product_family_code } = openIdConfiguration['https://purl.imsglobal.org/spec/lti-platform-configuration'];
+        let html;
+        switch (product_family_code.toLowerCase()) {
+            case 'moodle':
+                html = handleMoodleDynamicRegistration(openIdConfiguration, requestPath, sessionToken);
+                break;
+            default:
+                html = handleMoodleDynamicRegistration(openIdConfiguration, requestPath, sessionToken);
+                break;
+        }
+        return html;
+    }
+    /**
+     * Completes LTI 1.3 dynamic registration by processing form submission and storing client configuration.
+     * Validates session, registers with platform, stores client/deployment data, and returns success page.
+     *
+     * @param dynamicRegistrationForm - Validated form data containing selected services and session token
+     * @returns HTML success page with registration details and close button
+     * @throws {Error} When session is invalid, registration fails, or storage operations fail
+     */
+    async completeDynamicRegistration(dynamicRegistrationForm) {
+        // 1. Verify session token
+        const session = await this.verifyRegistrationSession(dynamicRegistrationForm.sessionToken);
+        if (!session) {
+            throw new Error('Invalid or expired session');
+        }
+        // 1. build payload
+        const toolRegistrationPayload = this.buildRegistrationPayload(dynamicRegistrationForm.services ?? []);
+        // 2. Post request to Moodle
+        const registrationResponse = await postRegistrationToMoodle(session.openIdConfiguration.registration_endpoint, toolRegistrationPayload, this.logger, session.registrationToken);
+        // 3. save to storage
+        const clientId = await this.storage.addClient({
+            name: registrationResponse.client_name,
+            clientId: registrationResponse.client_id,
+            iss: session.openIdConfiguration.issuer,
+            jwksUrl: session.openIdConfiguration.jwks_uri,
+            authUrl: session.openIdConfiguration.authorization_endpoint,
+            tokenUrl: session.openIdConfiguration.token_endpoint,
+        });
+        const ltiToolConfig = registrationResponse['https://purl.imsglobal.org/spec/lti-tool-configuration'];
+        if (ltiToolConfig.deployment_id) {
+            await this.storage.addDeployment(clientId, {
+                deploymentId: ltiToolConfig.deployment_id,
+                name: 'Default Deployment via dynamic registration provided deployment id',
+            });
+        }
+        else {
+            // platform doesn't use a deployment id (canvas for example) - create default
+            await this.storage.addDeployment(clientId, {
+                deploymentId: 'default',
+                name: 'Default Deployment (Canvas-style)',
+            });
+        }
+        // 4. return success
+        const successHtml = this.getRegistrationSuccessHtml(registrationResponse);
+        return successHtml;
+    }
+    /**
+     * Verifies and consumes a registration session token for security validation.
+     * Retrieves the session data and immediately deletes it to prevent replay attacks.
+     *
+     * @param sessionToken - UUID session token from the registration form
+     * @returns Session data if valid and not expired, undefined otherwise
+     */
+    async verifyRegistrationSession(sessionToken) {
+        const session = await this.storage.getRegistrationSession(sessionToken);
+        if (session) {
+            await this.storage.deleteRegistrationSession(sessionToken);
+        }
+        return session;
+    }
+    /**
+     * Builds array of LTI message types based on selected services during registration.
+     * Always includes ResourceLinkRequest, conditionally adds DeepLinkingRequest.
+     *
+     * @param selectedServices - Array of service names selected by administrator
+     * @param deepLinkingUri - URI where deep linking requests should be sent
+     * @returns Array of LTI message configurations for the registration payload
+     */
+    buildMessages(selectedServices, deepLinkingUri) {
+        const messages = [];
+        messages.push({ type: 'LtiResourceLinkRequest' });
+        if (selectedServices?.includes('deep_linking')) {
+            messages.push({
+                type: 'LtiDeepLinkingRequest',
+                target_link_uri: deepLinkingUri,
+                label: 'Content Selection',
+                placements: ['ContentArea'], // Focus on content area only
+                supported_types: ['ltiResourceLink'], // Standard content selection
+            });
+        }
+        return messages;
+    }
+    /**
+     * Builds array of OAuth scopes based on selected LTI services during registration.
+     * Maps service selections to their corresponding LTI Advantage scope URIs.
+     *
+     * @param selectedServices - Array of service names selected by administrator ('ags', 'nrps', etc.)
+     * @returns Array of OAuth scope URIs to request from the platform
+     */
+    buildScopes(selectedServices) {
+        const scopes = [];
+        if (selectedServices?.includes('ags')) {
+            scopes.push('https://purl.imsglobal.org/spec/lti-ags/scope/lineitem', 'https://purl.imsglobal.org/spec/lti-ags/scope/result.readonly', 'https://purl.imsglobal.org/spec/lti-ags/scope/score');
+        }
+        if (selectedServices?.includes('nrps')) {
+            scopes.push('https://purl.imsglobal.org/spec/lti-nrps/scope/contextmembership.readonly');
+        }
+        return scopes;
+    }
+    /**
+     * Constructs the complete tool registration payload for platform submission.
+     * Combines tool configuration, selected services, and OAuth parameters into LTI 1.3 registration format.
+     *
+     * @param selectedServices - Array of service names selected by administrator
+     * @returns Complete registration payload ready for platform submission
+     */
+    buildRegistrationPayload(selectedServices) {
+        const config = this.dynamicRegistrationConfig;
+        const deepLinkingUri = config.deepLinkingUri || `${config.url}/lti/deep-linking`;
+        const jwksUri = config.jwksUri || `${config.url}/lti/jwks`;
+        const launchUri = config.launchUri || `${config.url}/lti/launch`;
+        const loginUri = config.loginUri || `${config.url}/lti/login`;
+        const messages = this.buildMessages(selectedServices, deepLinkingUri);
+        const scopes = this.buildScopes(selectedServices);
+        const toolRegistrationPayload = {
+            application_type: 'web',
+            response_types: ['id_token'],
+            grant_types: ['implicit', 'client_credentials'],
+            initiate_login_uri: loginUri,
+            redirect_uris: [config.url, launchUri, ...(config.redirectUris || [])],
+            client_name: config.name,
+            jwks_uri: jwksUri,
+            logo_uri: config.logo,
+            scope: scopes.join(' '),
+            token_endpoint_auth_method: 'private_key_jwt',
+            'https://purl.imsglobal.org/spec/lti-tool-configuration': {
+                domain: new URL(config.url).hostname,
+                description: config.description,
+                target_link_uri: config.url,
+                claims: ['iss', 'sub', 'name', 'email'],
+                messages,
+            },
+        };
+        return toolRegistrationPayload;
+    }
+    async validateDynamicRegistrationResponse(response, operation) {
+        if (!response.ok) {
+            const error = await response.json();
+            this.logger.error({ error, status: response.status, statusText: response.statusText }, `Dynamic Registration ${operation} failed`);
+            throw new Error(`Dynamic Registration ${operation} failed: ${response.statusText} ${error}`);
+        }
+    }
+    getRegistrationSuccessHtml(registrationResponse) {
+        return `
+  <!doctype html>
+  <html lang="en">
+    <head>
+      <meta charset="utf-8">
+      <meta name="viewport" content="width=device-width, initial-scale=1">
+      <title>Registration Complete</title>
+      <link href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.8/dist/css/bootstrap.min.css" rel="stylesheet" integrity="sha384-sRIl4kxILFvY47J16cr9ZwB07vP4J8+LH7qKQnuqkuIAvNWLzeN8tE5YBujZqJLB" crossorigin="anonymous">
+    </head>
+    <body class="container mt-4">
+      <div class="alert alert-success" role="alert">
+        <h4 class="alert-heading">Registration Successful!</h4>
+        <p>Your LTI tool has been successfully registered with the platform.</p>
+        <hr>
+        <p class="mb-0">You can now close this window and return to your LMS.</p>
+      </div>
+      
+      <div class="card">
+        <div class="card-header">
+          <h5 class="card-title mb-0">Registration Details</h5>
+        </div>
+        <div class="card-body">
+          <dl class="row">
+            <dt class="col-sm-3">Tool Name:</dt>
+            <dd class="col-sm-9">${registrationResponse.client_name}</dd>
+            <dt class="col-sm-3">Client ID:</dt>
+            <dd class="col-sm-9"><code>${registrationResponse.client_id}</code></dd>
+            <dt class="col-sm-3">Deployment ID:</dt>
+            <dd class="col-sm-9"><code>${registrationResponse['https://purl.imsglobal.org/spec/lti-tool-configuration'].deployment_id || 'default'}</code></dd>
+          </dl>
+        </div>
+      </div>
+      
+      <div class="mt-4 text-center">
+        <button type="button" class="btn btn-primary btn-lg" onclick="closeWindow()">
+          Close Window
+        </button>
+      </div>
+      
+      <script>
+        function closeWindow() {
+          (window.opener || window.parent).postMessage({subject:'org.imsglobal.lti.close'}, '*');
+        }
+      </script>
+      <script src="https://cdn.jsdelivr.net/npm/bootstrap@5.3.8/dist/js/bootstrap.bundle.min.js" integrity="sha384-FKyoEForCGlyvwx9Hj09JcYn3nv7wiPVlz7YYwJrWVcXK/BmnVDxM+D2scQbITxI" crossorigin="anonymous"></script>
+    </body>
+  </html>`;
+    }
+}

package/dist/services/dynamicRegistrationHandlers/moodle.d.ts

@@ -0,0 +1,48 @@
+import type { BaseLogger } from 'pino';
+import { type OpenIDConfiguration, type RegistrationResponse } from '../../schemas';
+/**
+ * Generates Moodle-specific dynamic registration form HTML with service selection options.
+ * Creates a Bootstrap 5 form that detects available LTI Advantage services from the platform
+ * configuration and presents them as selectable checkboxes to the administrator.
+ *
+ * @param openIdConfiguration - Platform's OpenID Connect configuration containing supported services
+ * @param currentPath - Current request path used to build the form submission URL
+ * @param sessionToken - Security token for CSRF protection and session validation
+ * @returns Complete HTML page with Bootstrap form for service selection
+ *
+ * @example
+ * ```typescript
+ * const html = handleMoodleDynamicRegistration(
+ *   platformConfig,
+ *   '/lti/register',
+ *   'uuid-session-token'
+ * );
+ * // Returns HTML form with AGS, NRPS, and Deep Linking options if supported
+ * ```
+ */
+export declare function handleMoodleDynamicRegistration(openIdConfiguration: OpenIDConfiguration, currentPath: string, sessionToken: string): string;
+/**
+ * Submits tool registration payload to Moodle's dynamic registration endpoint.
+ * Handles the HTTP communication with proper authentication, error handling, and response validation.
+ * Validates the registration response against the LTI 1.3 specification schema.
+ *
+ * @param registrationEndpoint - Platform's registration endpoint URL from OpenID configuration
+ * @param registrationPayload - Complete tool registration payload with OAuth and LTI configuration
+ * @param logger - Pino logger instance for request/response logging and error tracking
+ * @param registrationToken - Optional bearer token for authenticated registration requests
+ * @returns Validated registration response containing client credentials and deployment information
+ * @throws {Error} When registration request fails or response validation fails
+ *
+ * @example
+ * ```typescript
+ * const response = await postRegistrationToMoodle(
+ *   'https://moodle.edu/mod/lti/register.php',
+ *   registrationPayload,
+ *   logger,
+ *   'optional-bearer-token'
+ * );
+ * console.log('Registered with client ID:', response.client_id);
+ * ```
+ */
+export declare function postRegistrationToMoodle(registrationEndpoint: string, registrationPayload: unknown, logger: BaseLogger, registrationToken?: string): Promise<RegistrationResponse>;
+//# sourceMappingURL=moodle.d.ts.map

package/dist/services/dynamicRegistrationHandlers/moodle.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"moodle.d.ts","sourceRoot":"","sources":["../../../src/services/dynamicRegistrationHandlers/moodle.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,MAAM,CAAC;AAEvC,OAAO,EAEL,KAAK,mBAAmB,EACxB,KAAK,oBAAoB,EAC1B,MAAM,eAAe,CAAC;AAQvB;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,wBAAgB,+BAA+B,CAC7C,mBAAmB,EAAE,mBAAmB,EACxC,WAAW,EAAE,MAAM,EACnB,YAAY,EAAE,MAAM,GACnB,MAAM,CA2FR;AAED;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,wBAAsB,wBAAwB,CAC5C,oBAAoB,EAAE,MAAM,EAC5B,mBAAmB,EAAE,OAAO,EAC5B,MAAM,EAAE,UAAU,EAClB,iBAAiB,CAAC,EAAE,MAAM,GACzB,OAAO,CAAC,oBAAoB,CAAC,CAuB/B"}

package/dist/services/dynamicRegistrationHandlers/moodle.js

@@ -0,0 +1,152 @@
+import { RegistrationResponseSchema, } from '../../schemas';
+import { getAGSScopes, hasAGSSupport, hasDeepLinkingSupport, hasNRPSSupport, } from '../../utils/ltiPlatformCapabilities';
+/**
+ * Generates Moodle-specific dynamic registration form HTML with service selection options.
+ * Creates a Bootstrap 5 form that detects available LTI Advantage services from the platform
+ * configuration and presents them as selectable checkboxes to the administrator.
+ *
+ * @param openIdConfiguration - Platform's OpenID Connect configuration containing supported services
+ * @param currentPath - Current request path used to build the form submission URL
+ * @param sessionToken - Security token for CSRF protection and session validation
+ * @returns Complete HTML page with Bootstrap form for service selection
+ *
+ * @example
+ * ```typescript
+ * const html = handleMoodleDynamicRegistration(
+ *   platformConfig,
+ *   '/lti/register',
+ *   'uuid-session-token'
+ * );
+ * // Returns HTML form with AGS, NRPS, and Deep Linking options if supported
+ * ```
+ */
+// oxlint-disable-next-line max-lines-per-function
+export function handleMoodleDynamicRegistration(openIdConfiguration, currentPath, sessionToken) {
+    const hasAGS = hasAGSSupport(openIdConfiguration);
+    const hasNRPS = hasNRPSSupport(openIdConfiguration);
+    const hasDeepLinking = hasDeepLinkingSupport(openIdConfiguration);
+    const agsScopes = getAGSScopes(openIdConfiguration);
+    // Build complete action from current path
+    const completeAction = `${currentPath}/complete`;
+    return `
+    <!doctype html>
+    <html lang="en">
+      <head>
+        <meta charset="utf-8">
+        <meta name="viewport" content="width=device-width, initial-scale=1">
+        <title>Configure LTI Advantage Settings for Moodle</title>
+        <link href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.8/dist/css/bootstrap.min.css" rel="stylesheet" integrity="sha384-sRIl4kxILFvY47J16cr9ZwB07vP4J8+LH7qKQnuqkuIAvNWLzeN8tE5YBujZqJLB" crossorigin="anonymous">
+      </head>
+      <body class="container mt-4">
+        <form method="POST" action="${completeAction}">
+          <div class="mb-3">
+            <label class="form-label">Available Services</label>
+            ${hasAGS
+        ? `
+                  <div class="form-check">
+                    <input class="form-check-input" type="checkbox" name="services" value="ags" id="ags" checked>
+                    <label class="form-check-label" for="ags">
+                      <strong>Assignment and Grade Services (AGS)</strong>
+                      <small class="text-muted d-block">Enables automatic grade passback from this tool to your gradebook</small>
+                    </label>
+                    <div class="mt-2 ms-4">
+                      <small class="text-muted">OAuth Scopes that will be requested:</small>
+                      <pre class="bg-light p-2 mt-1 small border rounded">${agsScopes.map((scope) => scope.replace('https://purl.imsglobal.org/spec/lti-ags/scope/', '')).join('\n')}</pre>
+                    </div>
+                  </div>
+            `
+        : ''}
+            
+            ${hasNRPS
+        ? `
+              <div class="form-check">
+                <input class="form-check-input" type="checkbox" name="services" value="nrps" id="nrps" checked>
+                <label class="form-check-label" for="nrps">Names and Role Provisioning Services (NRPS)</label>
+              </div>
+            `
+        : ''}
+            
+            ${hasDeepLinking
+        ? `
+              <div class="form-check">
+                <input class="form-check-input" type="checkbox" name="services" value="deep_linking" id="deep_linking" checked>
+                <label class="form-check-label" for="deep_linking">Deep Linking</label>
+              </div>
+            `
+        : ''}
+          </div>
+          <div class="mb-3">
+            <label class="form-label">Required Privacy Settings</label>
+            <div class="alert alert-info">
+              <small>These privacy settings must be enabled in your LMS for this tool to function properly.</small>
+            </div>
+            
+            <div class="form-check">
+              <input class="form-check-input" type="checkbox" id="share_name" checked disabled>
+              <label class="form-check-label" for="share_name">
+                Share launcher's name
+                <small class="text-muted d-block">Required for user identification</small>
+              </label>
+            </div>
+            
+            <div class="form-check">
+              <input class="form-check-input" type="checkbox" id="share_email" checked disabled>
+              <label class="form-check-label" for="share_email">
+                Share launcher's email
+                <small class="text-muted d-block">Required for user communication</small>
+              </label>
+            </div>
+          </div>
+
+          <input type="hidden" name="sessionToken" value="${sessionToken}">
+
+          <button type="submit" class="btn btn-primary">Register Tool</button>
+        </form>
+        <script src="https://cdn.jsdelivr.net/npm/bootstrap@5.3.8/dist/js/bootstrap.bundle.min.js" integrity="sha384-FKyoEForCGlyvwx9Hj09JcYn3nv7wiPVlz7YYwJrWVcXK/BmnVDxM+D2scQbITxI" crossorigin="anonymous"></script>
+      </body>
+    </html>`;
+}
+/**
+ * Submits tool registration payload to Moodle's dynamic registration endpoint.
+ * Handles the HTTP communication with proper authentication, error handling, and response validation.
+ * Validates the registration response against the LTI 1.3 specification schema.
+ *
+ * @param registrationEndpoint - Platform's registration endpoint URL from OpenID configuration
+ * @param registrationPayload - Complete tool registration payload with OAuth and LTI configuration
+ * @param logger - Pino logger instance for request/response logging and error tracking
+ * @param registrationToken - Optional bearer token for authenticated registration requests
+ * @returns Validated registration response containing client credentials and deployment information
+ * @throws {Error} When registration request fails or response validation fails
+ *
+ * @example
+ * ```typescript
+ * const response = await postRegistrationToMoodle(
+ *   'https://moodle.edu/mod/lti/register.php',
+ *   registrationPayload,
+ *   logger,
+ *   'optional-bearer-token'
+ * );
+ * console.log('Registered with client ID:', response.client_id);
+ * ```
+ */
+export async function postRegistrationToMoodle(registrationEndpoint, registrationPayload, logger, registrationToken) {
+    const headers = { 'Content-Type': 'application/json' };
+    if (registrationToken) {
+        headers['Authorization'] = `Bearer ${registrationToken}`;
+    }
+    const response = await fetch(registrationEndpoint, {
+        method: 'POST',
+        headers,
+        body: JSON.stringify(registrationPayload),
+    });
+    if (!response.ok) {
+        const errorText = await response.json();
+        logger.error({ errorText }, 'lti dynamic registration error');
+        throw new Error(errorText);
+    }
+    const data = await response.json();
+    logger.debug({ data }, 'Registration response');
+    const validated = RegistrationResponseSchema.parse(data);
+    logger.debug({ validated }, 'Registration response validated');
+    return validated;
+}

package/dist/utils/ltiPlatformCapabilities.d.ts

@@ -0,0 +1,65 @@
+import type { OpenIDConfiguration } from '../schemas';
+/**
+ * Checks if an LTI platform supports Assignment and Grade Services (AGS).
+ * Examines the platform's OpenID configuration for AGS-related OAuth scopes.
+ *
+ * @param config - Platform's OpenID Connect configuration from discovery endpoint
+ * @returns True if the platform supports any AGS scopes, false otherwise
+ *
+ * @example
+ * ```typescript
+ * if (hasAGSSupport(platformConfig)) {
+ *   // Show AGS checkbox in registration form
+ *   // Enable grade passback functionality
+ * }
+ * ```
+ */
+export declare function hasAGSSupport(config: OpenIDConfiguration): boolean;
+/**
+ * Checks if an LTI platform supports Names and Role Provisioning Services (NRPS).
+ * Examines the platform's OpenID configuration for NRPS-related OAuth scopes.
+ *
+ * @param config - Platform's OpenID Connect configuration from discovery endpoint
+ * @returns True if the platform supports any NRPS scopes, false otherwise
+ *
+ * @example
+ * ```typescript
+ * if (hasNRPSSupport(platformConfig)) {
+ *   // Show NRPS checkbox in registration form
+ *   // Enable roster access functionality
+ * }
+ * ```
+ */
+export declare function hasNRPSSupport(config: OpenIDConfiguration): boolean;
+/**
+ * Checks if an LTI platform supports Deep Linking for content selection.
+ * Examines the platform's LTI configuration for supported message types.
+ *
+ * @param config - Platform's OpenID Connect configuration from discovery endpoint
+ * @returns True if the platform supports LtiDeepLinkingRequest messages, false otherwise
+ *
+ * @example
+ * ```typescript
+ * if (hasDeepLinkingSupport(platformConfig)) {
+ *   // Show Deep Linking checkbox in registration form
+ *   // Enable content selection functionality
+ * }
+ * ```
+ */
+export declare function hasDeepLinkingSupport(config: OpenIDConfiguration): boolean;
+/**
+ * Extracts all Assignment and Grade Services (AGS) scopes supported by the platform.
+ * Filters the platform's supported scopes to return only AGS-related scope URIs.
+ *
+ * @param config - Platform's OpenID Connect configuration from discovery endpoint
+ * @returns Array of AGS scope URIs supported by the platform (e.g., lineitem, score, result.readonly)
+ *
+ * @example
+ * ```typescript
+ * const agsScopes = getAGSScopes(platformConfig);
+ * // Returns: ['https://purl.imsglobal.org/spec/lti-ags/scope/lineitem', ...]
+ * console.log('Available AGS scopes:', agsScopes.join(', '));
+ * ```
+ */
+export declare function getAGSScopes(config: OpenIDConfiguration): string[];
+//# sourceMappingURL=ltiPlatformCapabilities.d.ts.map

package/dist/utils/ltiPlatformCapabilities.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ltiPlatformCapabilities.d.ts","sourceRoot":"","sources":["../../src/utils/ltiPlatformCapabilities.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAC;AAEtD;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,aAAa,CAAC,MAAM,EAAE,mBAAmB,GAAG,OAAO,CAIlE;AAED;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,cAAc,CAAC,MAAM,EAAE,mBAAmB,GAAG,OAAO,CAInE;AAED;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,qBAAqB,CAAC,MAAM,EAAE,mBAAmB,GAAG,OAAO,CAM1E;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAgB,YAAY,CAAC,MAAM,EAAE,mBAAmB,GAAG,MAAM,EAAE,CAIlE"}

package/dist/utils/ltiPlatformCapabilities.js

@@ -0,0 +1,73 @@
+/**
+ * Checks if an LTI platform supports Assignment and Grade Services (AGS).
+ * Examines the platform's OpenID configuration for AGS-related OAuth scopes.
+ *
+ * @param config - Platform's OpenID Connect configuration from discovery endpoint
+ * @returns True if the platform supports any AGS scopes, false otherwise
+ *
+ * @example
+ * ```typescript
+ * if (hasAGSSupport(platformConfig)) {
+ *   // Show AGS checkbox in registration form
+ *   // Enable grade passback functionality
+ * }
+ * ```
+ */
+export function hasAGSSupport(config) {
+    return (config.scopes_supported?.some((scope) => scope.includes('lti-ags/scope')) ?? false);
+}
+/**
+ * Checks if an LTI platform supports Names and Role Provisioning Services (NRPS).
+ * Examines the platform's OpenID configuration for NRPS-related OAuth scopes.
+ *
+ * @param config - Platform's OpenID Connect configuration from discovery endpoint
+ * @returns True if the platform supports any NRPS scopes, false otherwise
+ *
+ * @example
+ * ```typescript
+ * if (hasNRPSSupport(platformConfig)) {
+ *   // Show NRPS checkbox in registration form
+ *   // Enable roster access functionality
+ * }
+ * ```
+ */
+export function hasNRPSSupport(config) {
+    return (config.scopes_supported?.some((scope) => scope.includes('lti-nrps/scope')) ?? false);
+}
+/**
+ * Checks if an LTI platform supports Deep Linking for content selection.
+ * Examines the platform's LTI configuration for supported message types.
+ *
+ * @param config - Platform's OpenID Connect configuration from discovery endpoint
+ * @returns True if the platform supports LtiDeepLinkingRequest messages, false otherwise
+ *
+ * @example
+ * ```typescript
+ * if (hasDeepLinkingSupport(platformConfig)) {
+ *   // Show Deep Linking checkbox in registration form
+ *   // Enable content selection functionality
+ * }
+ * ```
+ */
+export function hasDeepLinkingSupport(config) {
+    const ltiConfig = config['https://purl.imsglobal.org/spec/lti-platform-configuration'];
+    return (ltiConfig?.messages_supported?.some((msg) => msg.type === 'LtiDeepLinkingRequest') ??
+        false);
+}
+/**
+ * Extracts all Assignment and Grade Services (AGS) scopes supported by the platform.
+ * Filters the platform's supported scopes to return only AGS-related scope URIs.
+ *
+ * @param config - Platform's OpenID Connect configuration from discovery endpoint
+ * @returns Array of AGS scope URIs supported by the platform (e.g., lineitem, score, result.readonly)
+ *
+ * @example
+ * ```typescript
+ * const agsScopes = getAGSScopes(platformConfig);
+ * // Returns: ['https://purl.imsglobal.org/spec/lti-ags/scope/lineitem', ...]
+ * console.log('Available AGS scopes:', agsScopes.join(', '));
+ * ```
+ */
+export function getAGSScopes(config) {
+    return (config.scopes_supported?.filter((scope) => scope.includes('lti-ags/scope')) ?? []);
+}