@lti-tool/core 0.11.1 → 0.12.1

package/src/services/dynamicRegistration.service.ts

@@ -0,0 +1,406 @@
+import type { BaseLogger } from 'pino';
+
+import type { DynamicRegistrationConfig } from '../interfaces/ltiConfig.js';
+import type { LTIDynamicRegistrationSession } from '../interfaces/ltiDynamicRegistrationSession.js';
+import type { LTIStorage } from '../interfaces/ltiStorage.js';
+import type { DynamicRegistrationForm } from '../schemas/lti13/dynamicRegistration/ltiDynamicRegistration.schema.js';
+import type { LTIMessage } from '../schemas/lti13/dynamicRegistration/ltiMessages.schema.js';
+import {
+  type OpenIDConfiguration,
+  openIDConfigurationSchema,
+} from '../schemas/lti13/dynamicRegistration/openIDConfiguration.schema.js';
+import type { RegistrationRequest } from '../schemas/lti13/dynamicRegistration/registrationRequest.schema.js';
+import type { RegistrationResponse } from '../schemas/lti13/dynamicRegistration/registrationResponse.schema.js';
+import type { ToolRegistrationPayload } from '../schemas/lti13/dynamicRegistration/toolRegistrationPayload.schema.js';
+
+import {
+  handleMoodleDynamicRegistration,
+  postRegistrationToMoodle,
+} from './dynamicRegistrationHandlers/moodle.js';
+
+/**
+ * Service for handling LTI 1.3 dynamic registration workflows.
+ *
+ * Provides a complete implementation of the LTI 1.3 Dynamic Registration specification,
+ * enabling tools to automatically register with LTI platforms without manual configuration.
+ * Handles the full registration lifecycle from initiation to completion with security validation.
+ *
+ * ## Key Features
+ * - **Platform Discovery**: Fetches and validates OpenID Connect configuration from LTI platforms
+ * - **Security Validation**: Enforces hostname matching and session-based CSRF protection
+ * - **Vendor Support**: Provides platform-specific registration forms (Moodle, with extensibility for Canvas, Sakai, etc.)
+ * - **Service Selection**: Allows administrators to choose which LTI Advantage services to enable (AGS, NRPS, Deep Linking)
+ * - **Automatic Storage**: Persists client and deployment configurations for future launches
+ *
+ * ## Registration Flow
+ * 1. **Initiation**: Platform redirects to tool with registration request
+ * 2. **Discovery**: Tool fetches platform's OpenID Connect configuration
+ * 3. **Form Generation**: Tool presents service selection form to administrator
+ * 4. **Registration**: Tool submits registration payload to platform
+ * 5. **Storage**: Tool stores received client credentials and deployment information
+ *
+ * ## Security Features
+ * - Session-based registration with 15-minute expiration
+ * - CSRF protection via secure session tokens
+ * - Hostname validation between OIDC endpoint and issuer
+ * - One-time session consumption to prevent replay attacks
+ *
+ * @example
+ * ```typescript
+ * const service = new DynamicRegistrationService(
+ *   storage,
+ *   dynamicRegistrationConfig,
+ *   logger
+ * );
+ *
+ * // Initiate registration
+ * const formHtml = await service.initiateDynamicRegistration(request, '/lti/register');
+ *
+ * // Complete registration
+ * const successHtml = await service.completeDynamicRegistration(formData);
+ * ```
+ *
+ * @see https://www.imsglobal.org/spec/lti-dr/v1p0 LTI 1.3 Dynamic Registration specification
+ */
+export class DynamicRegistrationService {
+  constructor(
+    private storage: LTIStorage,
+    private dynamicRegistrationConfig: DynamicRegistrationConfig,
+    private logger: BaseLogger,
+  ) {}
+
+  /**
+   * Fetches and validates the OpenID Connect configuration from an LTI platform during dynamic registration.
+   * Validates that the OIDC endpoint and issuer have matching hostnames for security.
+   *
+   * @param registrationRequest - Registration request containing openid_configuration URL and optional registration_token
+   * @returns Validated OpenID configuration with platform endpoints and supported features
+   * @throws {Error} When the configuration fetch fails, validation fails, or hostname mismatch detected
+   */
+  async fetchPlatformConfiguration(
+    registrationRequest: RegistrationRequest,
+  ): Promise<OpenIDConfiguration> {
+    const { openid_configuration, registration_token } = registrationRequest;
+    const response = await fetch(openid_configuration, {
+      method: 'GET',
+      headers: {
+        // only include registration token if it was provided
+        ...(registration_token && { Authorization: `Bearer ${registration_token}` }),
+        Accept: 'application/json',
+      },
+    });
+
+    await this.validateDynamicRegistrationResponse(
+      response,
+      'validateRegistrationRequest',
+    );
+
+    const data = await response.json();
+    const openIdConfiguration = openIDConfigurationSchema.parse(data);
+    this.logger.debug({ openIdConfiguration });
+
+    // validate that the endpoint and issuer have the same hostname
+    const oidcEndpoint = new URL(openid_configuration);
+    const { issuer } = openIdConfiguration;
+    const issuerEndpoint = new URL(issuer);
+    if (oidcEndpoint.hostname !== issuerEndpoint.hostname) {
+      const errorMessage = `OIDC endpoint and issuer in OIDC payload do not match, cannot continue. OIDC endpoint: ${oidcEndpoint} issuer endpoint: ${issuerEndpoint}`;
+      this.logger.error(errorMessage);
+      throw new Error(errorMessage);
+    }
+
+    // good to continue!
+    return openIdConfiguration;
+  }
+
+  /**
+   * Initiates LTI 1.3 dynamic registration by fetching platform configuration and generating registration form.
+   * Creates a temporary session and returns vendor-specific HTML form for service selection.
+   *
+   * @param registrationRequest - Registration request containing openid_configuration URL and optional registration_token
+   * @param requestPath - Current request path used to build form action URLs
+   * @returns HTML form for service selection and registration completion
+   * @throws {Error} When platform configuration fetch fails or session creation fails
+   */
+  async initiateDynamicRegistration(
+    registrationRequest: RegistrationRequest,
+    requestPath: string,
+  ): Promise<string> {
+    // 1. Validate request
+    const openIdConfiguration =
+      await this.fetchPlatformConfiguration(registrationRequest);
+
+    // 2. generate and store session
+    const sessionToken = crypto.randomUUID();
+    await this.storage.setRegistrationSession(sessionToken, {
+      openIdConfiguration,
+      registrationToken: registrationRequest.registration_token,
+      expiresAt: Date.now() + 15 * 60 * 1000, // 15 minutes
+    });
+
+    // 3. build form based on LMS vendor
+    const { product_family_code } =
+      openIdConfiguration['https://purl.imsglobal.org/spec/lti-platform-configuration'];
+
+    let html: string;
+    switch (product_family_code.toLowerCase()) {
+      case 'moodle':
+        html = handleMoodleDynamicRegistration(
+          openIdConfiguration,
+          requestPath,
+          sessionToken,
+        );
+        break;
+      default:
+        html = handleMoodleDynamicRegistration(
+          openIdConfiguration,
+          requestPath,
+          sessionToken,
+        );
+        break;
+    }
+
+    return html;
+  }
+
+  /**
+   * Completes LTI 1.3 dynamic registration by processing form submission and storing client configuration.
+   * Validates session, registers with platform, stores client/deployment data, and returns success page.
+   *
+   * @param dynamicRegistrationForm - Validated form data containing selected services and session token
+   * @returns HTML success page with registration details and close button
+   * @throws {Error} When session is invalid, registration fails, or storage operations fail
+   */
+  async completeDynamicRegistration(
+    dynamicRegistrationForm: DynamicRegistrationForm,
+  ): Promise<string> {
+    // 1. Verify session token
+    const session = await this.verifyRegistrationSession(
+      dynamicRegistrationForm.sessionToken,
+    );
+    if (!session) {
+      throw new Error('Invalid or expired session');
+    }
+
+    // 1. build payload
+    const toolRegistrationPayload = this.buildRegistrationPayload(
+      dynamicRegistrationForm.services ?? [],
+    );
+
+    // 2. Post request to Moodle
+    const registrationResponse = await postRegistrationToMoodle(
+      session.openIdConfiguration.registration_endpoint,
+      toolRegistrationPayload,
+      this.logger,
+      session.registrationToken,
+    );
+
+    // 3. save to storage
+    const clientId = await this.storage.addClient({
+      name: registrationResponse.client_name,
+      clientId: registrationResponse.client_id,
+      iss: session.openIdConfiguration.issuer,
+      jwksUrl: session.openIdConfiguration.jwks_uri,
+      authUrl: session.openIdConfiguration.authorization_endpoint,
+      tokenUrl: session.openIdConfiguration.token_endpoint,
+    });
+
+    const ltiToolConfig =
+      registrationResponse['https://purl.imsglobal.org/spec/lti-tool-configuration'];
+    if (ltiToolConfig.deployment_id) {
+      await this.storage.addDeployment(clientId, {
+        deploymentId: ltiToolConfig.deployment_id,
+        name: 'Default Deployment via dynamic registration provided deployment id',
+      });
+    } else {
+      // platform doesn't use a deployment id (canvas for example) - create default
+      await this.storage.addDeployment(clientId, {
+        deploymentId: 'default',
+        name: 'Default Deployment (Canvas-style)',
+      });
+    }
+
+    // 4. return success
+    const successHtml = this.getRegistrationSuccessHtml(registrationResponse);
+    return successHtml;
+  }
+
+  /**
+   * Verifies and consumes a registration session token for security validation.
+   * Retrieves the session data and immediately deletes it to prevent replay attacks.
+   *
+   * @param sessionToken - UUID session token from the registration form
+   * @returns Session data if valid and not expired, undefined otherwise
+   */
+  async verifyRegistrationSession(
+    sessionToken: string,
+  ): Promise<LTIDynamicRegistrationSession | undefined> {
+    const session = await this.storage.getRegistrationSession(sessionToken);
+    if (session) {
+      await this.storage.deleteRegistrationSession(sessionToken);
+    }
+    return session;
+  }
+
+  /**
+   * Builds array of LTI message types based on selected services during registration.
+   * Always includes ResourceLinkRequest, conditionally adds DeepLinkingRequest.
+   *
+   * @param selectedServices - Array of service names selected by administrator
+   * @param deepLinkingUri - URI where deep linking requests should be sent
+   * @returns Array of LTI message configurations for the registration payload
+   */
+  private buildMessages(
+    selectedServices: string[],
+    deepLinkingUri: string,
+  ): LTIMessage[] {
+    const messages = [];
+    messages.push({ type: 'LtiResourceLinkRequest' as const });
+
+    if (selectedServices?.includes('deep_linking')) {
+      messages.push({
+        type: 'LtiDeepLinkingRequest' as const,
+        target_link_uri: deepLinkingUri,
+        label: 'Content Selection',
+        placements: ['ContentArea' as const], // Focus on content area only
+        supported_types: ['ltiResourceLink' as const], // Standard content selection
+      });
+    }
+
+    return messages;
+  }
+
+  /**
+   * Builds array of OAuth scopes based on selected LTI services during registration.
+   * Maps service selections to their corresponding LTI Advantage scope URIs.
+   *
+   * @param selectedServices - Array of service names selected by administrator ('ags', 'nrps', etc.)
+   * @returns Array of OAuth scope URIs to request from the platform
+   */
+  private buildScopes(selectedServices: string[]): string[] {
+    const scopes = [];
+
+    if (selectedServices?.includes('ags')) {
+      scopes.push(
+        'https://purl.imsglobal.org/spec/lti-ags/scope/lineitem',
+        'https://purl.imsglobal.org/spec/lti-ags/scope/result.readonly',
+        'https://purl.imsglobal.org/spec/lti-ags/scope/score',
+      );
+    }
+
+    if (selectedServices?.includes('nrps')) {
+      scopes.push(
+        'https://purl.imsglobal.org/spec/lti-nrps/scope/contextmembership.readonly',
+      );
+    }
+
+    return scopes;
+  }
+
+  /**
+   * Constructs the complete tool registration payload for platform submission.
+   * Combines tool configuration, selected services, and OAuth parameters into LTI 1.3 registration format.
+   *
+   * @param selectedServices - Array of service names selected by administrator
+   * @returns Complete registration payload ready for platform submission
+   */
+  private buildRegistrationPayload(selectedServices: string[]): ToolRegistrationPayload {
+    const config = this.dynamicRegistrationConfig;
+
+    const deepLinkingUri = config.deepLinkingUri || `${config.url}/lti/deep-linking`;
+    const jwksUri = config.jwksUri || `${config.url}/lti/jwks`;
+    const launchUri = config.launchUri || `${config.url}/lti/launch`;
+    const loginUri = config.loginUri || `${config.url}/lti/login`;
+
+    const messages = this.buildMessages(selectedServices, deepLinkingUri);
+    const scopes = this.buildScopes(selectedServices);
+
+    const toolRegistrationPayload: ToolRegistrationPayload = {
+      application_type: 'web',
+      response_types: ['id_token'],
+      grant_types: ['implicit', 'client_credentials'],
+      initiate_login_uri: loginUri,
+      redirect_uris: [config.url, launchUri, ...(config.redirectUris || [])],
+      client_name: config.name,
+      jwks_uri: jwksUri,
+      logo_uri: config.logo,
+      scope: scopes.join(' '),
+      token_endpoint_auth_method: 'private_key_jwt',
+      'https://purl.imsglobal.org/spec/lti-tool-configuration': {
+        domain: new URL(config.url).hostname,
+        description: config.description,
+        target_link_uri: config.url,
+        claims: ['iss', 'sub', 'name', 'email'],
+        messages,
+      },
+    };
+
+    return toolRegistrationPayload;
+  }
+
+  private async validateDynamicRegistrationResponse(
+    response: Response,
+    operation: string,
+  ): Promise<void> {
+    if (!response.ok) {
+      const error = await response.json();
+      this.logger.error(
+        { error, status: response.status, statusText: response.statusText },
+        `Dynamic Registration ${operation} failed`,
+      );
+      throw new Error(
+        `Dynamic Registration ${operation} failed: ${response.statusText} ${error}`,
+      );
+    }
+  }
+
+  private getRegistrationSuccessHtml(registrationResponse: RegistrationResponse): string {
+    return `
+  <!doctype html>
+  <html lang="en">
+    <head>
+      <meta charset="utf-8">
+      <meta name="viewport" content="width=device-width, initial-scale=1">
+      <title>Registration Complete</title>
+      <link href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.8/dist/css/bootstrap.min.css" rel="stylesheet" integrity="sha384-sRIl4kxILFvY47J16cr9ZwB07vP4J8+LH7qKQnuqkuIAvNWLzeN8tE5YBujZqJLB" crossorigin="anonymous">
+    </head>
+    <body class="container mt-4">
+      <div class="alert alert-success" role="alert">
+        <h4 class="alert-heading">Registration Successful!</h4>
+        <p>Your LTI tool has been successfully registered with the platform.</p>
+        <hr>
+        <p class="mb-0">You can now close this window and return to your LMS.</p>
+      </div>
+      
+      <div class="card">
+        <div class="card-header">
+          <h5 class="card-title mb-0">Registration Details</h5>
+        </div>
+        <div class="card-body">
+          <dl class="row">
+            <dt class="col-sm-3">Tool Name:</dt>
+            <dd class="col-sm-9">${registrationResponse.client_name}</dd>
+            <dt class="col-sm-3">Client ID:</dt>
+            <dd class="col-sm-9"><code>${registrationResponse.client_id}</code></dd>
+            <dt class="col-sm-3">Deployment ID:</dt>
+            <dd class="col-sm-9"><code>${registrationResponse['https://purl.imsglobal.org/spec/lti-tool-configuration'].deployment_id || 'default'}</code></dd>
+          </dl>
+        </div>
+      </div>
+      
+      <div class="mt-4 text-center">
+        <button type="button" class="btn btn-primary btn-lg" onclick="closeWindow()">
+          Close Window
+        </button>
+      </div>
+      
+      <script>
+        function closeWindow() {
+          (window.opener || window.parent).postMessage({subject:'org.imsglobal.lti.close'}, '*');
+        }
+      </script>
+      <script src="https://cdn.jsdelivr.net/npm/bootstrap@5.3.8/dist/js/bootstrap.bundle.min.js" integrity="sha384-FKyoEForCGlyvwx9Hj09JcYn3nv7wiPVlz7YYwJrWVcXK/BmnVDxM+D2scQbITxI" crossorigin="anonymous"></script>
+    </body>
+  </html>`;
+  }
+}

package/src/services/dynamicRegistrationHandlers/moodle.ts

@@ -0,0 +1,184 @@
+import type { BaseLogger } from 'pino';
+
+import {
+  RegistrationResponseSchema,
+  type OpenIDConfiguration,
+  type RegistrationResponse,
+} from '../../schemas';
+import {
+  getAGSScopes,
+  hasAGSSupport,
+  hasDeepLinkingSupport,
+  hasNRPSSupport,
+} from '../../utils/ltiPlatformCapabilities';
+
+/**
+ * Generates Moodle-specific dynamic registration form HTML with service selection options.
+ * Creates a Bootstrap 5 form that detects available LTI Advantage services from the platform
+ * configuration and presents them as selectable checkboxes to the administrator.
+ *
+ * @param openIdConfiguration - Platform's OpenID Connect configuration containing supported services
+ * @param currentPath - Current request path used to build the form submission URL
+ * @param sessionToken - Security token for CSRF protection and session validation
+ * @returns Complete HTML page with Bootstrap form for service selection
+ *
+ * @example
+ * ```typescript
+ * const html = handleMoodleDynamicRegistration(
+ *   platformConfig,
+ *   '/lti/register',
+ *   'uuid-session-token'
+ * );
+ * // Returns HTML form with AGS, NRPS, and Deep Linking options if supported
+ * ```
+ */
+// oxlint-disable-next-line max-lines-per-function
+export function handleMoodleDynamicRegistration(
+  openIdConfiguration: OpenIDConfiguration,
+  currentPath: string,
+  sessionToken: string,
+): string {
+  const hasAGS = hasAGSSupport(openIdConfiguration);
+  const hasNRPS = hasNRPSSupport(openIdConfiguration);
+  const hasDeepLinking = hasDeepLinkingSupport(openIdConfiguration);
+  const agsScopes = getAGSScopes(openIdConfiguration);
+  // Build complete action from current path
+  const completeAction = `${currentPath}/complete`;
+
+  return `
+    <!doctype html>
+    <html lang="en">
+      <head>
+        <meta charset="utf-8">
+        <meta name="viewport" content="width=device-width, initial-scale=1">
+        <title>Configure LTI Advantage Settings for Moodle</title>
+        <link href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.8/dist/css/bootstrap.min.css" rel="stylesheet" integrity="sha384-sRIl4kxILFvY47J16cr9ZwB07vP4J8+LH7qKQnuqkuIAvNWLzeN8tE5YBujZqJLB" crossorigin="anonymous">
+      </head>
+      <body class="container mt-4">
+        <form method="POST" action="${completeAction}">
+          <div class="mb-3">
+            <label class="form-label">Available Services</label>
+            ${
+              hasAGS
+                ? `
+                  <div class="form-check">
+                    <input class="form-check-input" type="checkbox" name="services" value="ags" id="ags" checked>
+                    <label class="form-check-label" for="ags">
+                      <strong>Assignment and Grade Services (AGS)</strong>
+                      <small class="text-muted d-block">Enables automatic grade passback from this tool to your gradebook</small>
+                    </label>
+                    <div class="mt-2 ms-4">
+                      <small class="text-muted">OAuth Scopes that will be requested:</small>
+                      <pre class="bg-light p-2 mt-1 small border rounded">${agsScopes.map((scope) => scope.replace('https://purl.imsglobal.org/spec/lti-ags/scope/', '')).join('\n')}</pre>
+                    </div>
+                  </div>
+            `
+                : ''
+            }
+            
+            ${
+              hasNRPS
+                ? `
+              <div class="form-check">
+                <input class="form-check-input" type="checkbox" name="services" value="nrps" id="nrps" checked>
+                <label class="form-check-label" for="nrps">Names and Role Provisioning Services (NRPS)</label>
+              </div>
+            `
+                : ''
+            }
+            
+            ${
+              hasDeepLinking
+                ? `
+              <div class="form-check">
+                <input class="form-check-input" type="checkbox" name="services" value="deep_linking" id="deep_linking" checked>
+                <label class="form-check-label" for="deep_linking">Deep Linking</label>
+              </div>
+            `
+                : ''
+            }
+          </div>
+          <div class="mb-3">
+            <label class="form-label">Required Privacy Settings</label>
+            <div class="alert alert-info">
+              <small>These privacy settings must be enabled in your LMS for this tool to function properly.</small>
+            </div>
+            
+            <div class="form-check">
+              <input class="form-check-input" type="checkbox" id="share_name" checked disabled>
+              <label class="form-check-label" for="share_name">
+                Share launcher's name
+                <small class="text-muted d-block">Required for user identification</small>
+              </label>
+            </div>
+            
+            <div class="form-check">
+              <input class="form-check-input" type="checkbox" id="share_email" checked disabled>
+              <label class="form-check-label" for="share_email">
+                Share launcher's email
+                <small class="text-muted d-block">Required for user communication</small>
+              </label>
+            </div>
+          </div>
+
+          <input type="hidden" name="sessionToken" value="${sessionToken}">
+
+          <button type="submit" class="btn btn-primary">Register Tool</button>
+        </form>
+        <script src="https://cdn.jsdelivr.net/npm/bootstrap@5.3.8/dist/js/bootstrap.bundle.min.js" integrity="sha384-FKyoEForCGlyvwx9Hj09JcYn3nv7wiPVlz7YYwJrWVcXK/BmnVDxM+D2scQbITxI" crossorigin="anonymous"></script>
+      </body>
+    </html>`;
+}
+
+/**
+ * Submits tool registration payload to Moodle's dynamic registration endpoint.
+ * Handles the HTTP communication with proper authentication, error handling, and response validation.
+ * Validates the registration response against the LTI 1.3 specification schema.
+ *
+ * @param registrationEndpoint - Platform's registration endpoint URL from OpenID configuration
+ * @param registrationPayload - Complete tool registration payload with OAuth and LTI configuration
+ * @param logger - Pino logger instance for request/response logging and error tracking
+ * @param registrationToken - Optional bearer token for authenticated registration requests
+ * @returns Validated registration response containing client credentials and deployment information
+ * @throws {Error} When registration request fails or response validation fails
+ *
+ * @example
+ * ```typescript
+ * const response = await postRegistrationToMoodle(
+ *   'https://moodle.edu/mod/lti/register.php',
+ *   registrationPayload,
+ *   logger,
+ *   'optional-bearer-token'
+ * );
+ * console.log('Registered with client ID:', response.client_id);
+ * ```
+ */
+export async function postRegistrationToMoodle(
+  registrationEndpoint: string,
+  registrationPayload: unknown,
+  logger: BaseLogger,
+  registrationToken?: string,
+): Promise<RegistrationResponse> {
+  const headers: Record<string, string> = { 'Content-Type': 'application/json' };
+  if (registrationToken) {
+    headers['Authorization'] = `Bearer ${registrationToken}`;
+  }
+
+  const response = await fetch(registrationEndpoint, {
+    method: 'POST',
+    headers,
+    body: JSON.stringify(registrationPayload),
+  });
+
+  if (!response.ok) {
+    const errorText = await response.json();
+    logger.error({ errorText }, 'lti dynamic registration error');
+    throw new Error(errorText);
+  }
+
+  const data = await response.json();
+  logger.debug({ data }, 'Registration response');
+  const validated = RegistrationResponseSchema.parse(data);
+  logger.debug({ validated }, 'Registration response validated');
+  return validated;
+}

package/src/utils/ltiPlatformCapabilities.ts

@@ -0,0 +1,86 @@
+import type { OpenIDConfiguration } from '../schemas';
+
+/**
+ * Checks if an LTI platform supports Assignment and Grade Services (AGS).
+ * Examines the platform's OpenID configuration for AGS-related OAuth scopes.
+ *
+ * @param config - Platform's OpenID Connect configuration from discovery endpoint
+ * @returns True if the platform supports any AGS scopes, false otherwise
+ *
+ * @example
+ * ```typescript
+ * if (hasAGSSupport(platformConfig)) {
+ *   // Show AGS checkbox in registration form
+ *   // Enable grade passback functionality
+ * }
+ * ```
+ */
+export function hasAGSSupport(config: OpenIDConfiguration): boolean {
+  return (
+    config.scopes_supported?.some((scope) => scope.includes('lti-ags/scope')) ?? false
+  );
+}
+
+/**
+ * Checks if an LTI platform supports Names and Role Provisioning Services (NRPS).
+ * Examines the platform's OpenID configuration for NRPS-related OAuth scopes.
+ *
+ * @param config - Platform's OpenID Connect configuration from discovery endpoint
+ * @returns True if the platform supports any NRPS scopes, false otherwise
+ *
+ * @example
+ * ```typescript
+ * if (hasNRPSSupport(platformConfig)) {
+ *   // Show NRPS checkbox in registration form
+ *   // Enable roster access functionality
+ * }
+ * ```
+ */
+export function hasNRPSSupport(config: OpenIDConfiguration): boolean {
+  return (
+    config.scopes_supported?.some((scope) => scope.includes('lti-nrps/scope')) ?? false
+  );
+}
+
+/**
+ * Checks if an LTI platform supports Deep Linking for content selection.
+ * Examines the platform's LTI configuration for supported message types.
+ *
+ * @param config - Platform's OpenID Connect configuration from discovery endpoint
+ * @returns True if the platform supports LtiDeepLinkingRequest messages, false otherwise
+ *
+ * @example
+ * ```typescript
+ * if (hasDeepLinkingSupport(platformConfig)) {
+ *   // Show Deep Linking checkbox in registration form
+ *   // Enable content selection functionality
+ * }
+ * ```
+ */
+export function hasDeepLinkingSupport(config: OpenIDConfiguration): boolean {
+  const ltiConfig = config['https://purl.imsglobal.org/spec/lti-platform-configuration'];
+  return (
+    ltiConfig?.messages_supported?.some((msg) => msg.type === 'LtiDeepLinkingRequest') ??
+    false
+  );
+}
+
+/**
+ * Extracts all Assignment and Grade Services (AGS) scopes supported by the platform.
+ * Filters the platform's supported scopes to return only AGS-related scope URIs.
+ *
+ * @param config - Platform's OpenID Connect configuration from discovery endpoint
+ * @returns Array of AGS scope URIs supported by the platform (e.g., lineitem, score, result.readonly)
+ *
+ * @example
+ * ```typescript
+ * const agsScopes = getAGSScopes(platformConfig);
+ * // Returns: ['https://purl.imsglobal.org/spec/lti-ags/scope/lineitem', ...]
+ * console.log('Available AGS scopes:', agsScopes.join(', '));
+ * ```
+ */
+export function getAGSScopes(config: OpenIDConfiguration): string[] {
+  return (
+    config.scopes_supported?.filter((scope) => scope.includes('lti-ags/scope')) ?? []
+  );
+}