### Example GET Request for Service Description Document (SDD) Source: https://www.imsglobal.org/spec/security/latest/spec/security/v1p1 This snippet shows an example HTTP GET request to obtain the Service Description Document (SDD) from a Provider's discovery endpoint. It specifies the host and the desired content type. Access to this endpoint should not be protected and must use HTTPS. ```http GET /ims/clr/v1p0/discovery HTTP/1.1 Host: provider.example.com Accept: application/json ``` -------------------------------- ### Example HTTP POST Authorization Request Source: https://www.imsglobal.org/spec/security/latest/spec/security/v1p1 This example demonstrates the structure of an HTTP POST request to an authorization server's token endpoint. It includes the host, content type, and the necessary form-urlencoded parameters for client authentication with a JWT. ```http POST /lti/auth/token HTTP/1.1 Host: www.example.com Content-Type: application/x-www-form-urlencoded grant_type=client_credentials&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer &client_assertion=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9 .eyJpc3MiOiJ0b29sLmNvbSIsInN1YiI6Ind3dy5leGFtcGxlLmNvbSIsImF1ZCI6Imh0dHBzOi8vd3d3LmV4YW1wbGUuY29tL2x0aS9hdXRoL3R va2VuIiwiaWF0IjoiMTQ4NTkwNzIwMCIsImV4cCI6IjE0ODU5MDc1MDAiLCJqdGkiOiIyOWY5MGMwNDdhNDRiMmVjZTczZDAwYTA5MzY0ZDQ5YiJ9 .liArqLDIF-xGcCu8ythy0HlzntxwZ90AYTnwH-daCQQ &scope=http%3A%2F%2Fimsglobal.org%2Fspec%2Flti-ags%2Fscope%2Flineitem%20http%3A%2F%2Fimsglobal.org%2Fspec%2Flti-ags%2Fscope%2Fresult%2Fread ``` -------------------------------- ### Example Client Registration POST Request Source: https://www.imsglobal.org/spec/security/latest/spec/security/v1p1 An example HTTP POST request to a client registration endpoint. It demonstrates the required 'Content-Type', 'Accept', and 'Host' headers, along with an 'Authorization' header containing a Bearer Token. The request body is a JSON object specifying various client configuration parameters. ```http POST /connect/register HTTP/1.1 Content-Type: application/json Accept: application/json Host: server.example.com Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.eyJ . { "application_type": "web", "response_types": ["id_token"], "grant_types": ["implicit", "client_credentials"], "initiate_login_uri": "https://client.example.org/lti", "redirect_uris": ["https://client.example.org/callback", "https://client.example.org/callback2"], "client_name": "Virtual Garden", "client_name#ja": "バーチャルガーデン", "jwks_uri": "https://client.example.org/.well-known/jwks.json", "logo_uri": "https://client.example.org/logo.png" } ``` -------------------------------- ### Example JWT Source: https://www.imsglobal.org/spec/security/latest/spec/security/v1p1 This is an example of a complete JWT, formed by base64 encoding the header, payload, and signature, and concatenating them with periods. Line breaks are added for clarity. ```text eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9 .eyJpc3MiOiJ0b29sLmNvbSIsInN1YiI6Ind3dy5leGFtcGxlLmNvbSIsImF1ZCI6Imh0dHBzOi8vd3d3LmV4YW1wbGUuY29tL2x0aS9hdXRoL3Rva2VuIiwiaWF0IjoiMTQ4NTkwNzIwMCIsImV4cCI6IjE0ODU5MDc1MDAiLCJqdGkiOiIyOWY5MGMwNDdhNDRiMmVjZTczZDAwYTA5MzY0ZDQ5YiJ9 .liArqLDIF-xGcCu8ythy0HlzntxwZ90AYTnwH-daCQQ ``` -------------------------------- ### GET /resources Source: https://www.imsglobal.org/spec/security/latest/index Retrieves a list of all resources. Supports pagination and filtering. ```APIDOC ## GET /resources ### Description Retrieves a list of all resources. Supports pagination and filtering. ### Method GET ### Endpoint /resources ### Parameters #### Query Parameters - **limit** (integer) - Optional - Specifies the maximum number of resources to return. Defaults to 100. Minimum value is 1. ### Request Example (No request body for GET requests) ### Response #### Success Response (200) - **imsx_StatusInfo** (object) - Contains status information about the request. - **imsx_codeMajor** (string) - Enum: ["success", "processing", "failure", "unsupported"] - The major status code. - **imsx_severity** (string) - Enum: ["status", "warning", "error"] - The severity level of the status. - **imsx_description** (string) - A description of the status. - **imsx_CodeMinor** (object) - Optional - Detailed minor error codes. - **imsx_codeMinorField** (array) - Array of minor code fields. - **imsx_codeMinorFieldName** (string) - Enum: ["TargetEndSystem", "fullsuccess", "invalid_filter_field", "invalid_selection_field", "forbidden", "unauthorisedrequest", "internal_server_error", "server_busy", "unknownobject", "invaliddata"] - The name of the minor code field. - **imsx_codeMinorFieldValue** (string) - The value of the minor code field. - **resource** (object) - Contains the resource data. #### Response Example ```json { "imsx_StatusInfo": { "imsx_codeMajor": "success", "imsx_severity": "status", "imsx_description": "Request successful." }, "resource": { "id": "resource123", "title": "Sample Resource", "type": "document" } } ``` ``` -------------------------------- ### GET /resources Source: https://www.imsglobal.org/spec/security/latest/spec/security/v1p1 Retrieves a list of all resources. Supports pagination via limit and offset query parameters. ```APIDOC ## GET /resources ### Description Retrieves a paginated list of resources. You can control the number of results returned and the starting point of the results using the `limit` and `offset` query parameters. ### Method GET ### Endpoint /resources ### Parameters #### Query Parameters - **limit** (integer) - Optional - The maximum number of resources to return. Defaults to 100. Minimum value is 1. - **offset** (integer) - Optional - The number of resources to skip before starting to collect the result set. Defaults to 0. ### Request Example ``` GET /resources?limit=50&offset=100 ``` ### Response #### Success Response (200) - **imsx_ResourceListType** (object) - Contains a list of resources and pagination information. - **resources** (array) - An array of resource objects. - **imsx_Paging** (object) - Pagination details. - **next** (string) - URL for the next page of results. - **previous** (string) - URL for the previous page of results. - **self** (string) - URL for the current page of results. #### Response Example ```json { "resources": [ { "id": "resource-123", "title": "Sample Resource", "type": "document" } ], "imsx_Paging": { "next": "/resources?limit=50&offset=150", "previous": "/resources?limit=50&offset=50", "self": "/resources?limit=50&offset=100" } } ``` #### Error Responses - **400 Bad Request**: Invalid input parameters. - **401 Unauthorized**: Authentication credentials missing or invalid. - **403 Forbidden**: Insufficient permissions to access the resource. - **404 Not Found**: The requested resource could not be found. - **422 Unprocessable Entity**: The request is valid but could not be processed. - **429 Too Many Requests**: Rate limit exceeded. - **500 Internal Server Error**: An unexpected error occurred on the server. ``` -------------------------------- ### GET /resources Source: https://www.imsglobal.org/spec/security/latest/spec/security/v1p1 Retrieves a list of all resources. This endpoint supports pagination and filtering. ```APIDOC ## GET /resources ### Description Retrieves a list of all resources. This endpoint supports pagination and filtering. ### Method GET ### Endpoint /resources ### Parameters #### Query Parameters - **limit** (integer) - Optional - The maximum number of resources to return. Defaults to 100. Minimum value is 1. ### Request Example ``` GET /resources?limit=50 ``` ### Response #### Success Response (200) - **resources** (array) - A list of resource objects. - **meta** (object) - Metadata about the response, including IMSX status information. #### Response Example ```json { "resources": [ { "sourcedId": "87de09b4-79c5-4c7d-8b06-01728860f03e", "identifier": "resource.123", "title": "Example Resource Title", "resourceType": "book", "url": "https://example.com/resource/123" } ], "meta": { "imsx_statusInfo": { "imsx_codeMajor": "success", "imsx_severity": "status" } } } ``` ``` -------------------------------- ### OAuth 2.0 Authorization Code Grant Request Example Source: https://www.imsglobal.org/spec/security/latest/spec/security/v1p1 Example of an HTTP GET request to obtain an authorization code using the OAuth 2.0 Authorization Code Grant flow. This request includes required parameters such as 'response_type', 'client_id', 'state', 'scope', 'code_challenge', 'code_challenge_method', and 'redirect_uri'. All exchanges must use TLS. ```http GET /authorize?response_type=code&client_id=s6BhdRkqt3&state=xyzjklabc&scope=scopename1&code_challenge=E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM &code_challange_method=S256&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1 Host: server.example.com ``` -------------------------------- ### Registration Initiation Request (Step 1) Source: https://www.imsglobal.org/spec/security/latest/spec/security/v1p1 Details the query parameters required when a platform initiates the dynamic client registration flow by redirecting the user agent to the Tool's initiation registration URL. ```APIDOC ## Registration Initiation Request (Step 1) ### Description This request is initiated by the Platform to trigger the dynamic client registration flow. It involves a User Agent redirect to the Tool's initiation registration URL with specific query parameters. ### Method GET (Implicit via User Agent redirect) ### Endpoint [Initiation Registration URL - Out-of-band] ### Query Parameters - **openid_configuration** (_REQUIRED_): The endpoint for the OpenID configuration, encoded as per RFC 3986 Section 3.4. - **registration_token** (_OPTIONAL_): An access token to be used by the Tool when making the registration request to the Platform's registration endpoint. - **Requirements for `registration_token`**: - Short-lived (e.g., 1 hour). - Usable only once. ``` -------------------------------- ### Client Registration Request (HTTP) Source: https://www.imsglobal.org/spec/security/latest/spec/security/v1p1 An example of an HTTP POST request for client registration. This request includes various client metadata such as name, URIs, software identifiers, and supported grant/response types. It's important to note that parameters like `client_uri`, `logo_uri`, `tos_uri`, and `policy_uri` could be vulnerable to server-side request forgery. ```http POST https://clrauth.azurewebsites.net/connect/register HTTP/1.1 Accept: application/json Content-Type: application/json; charset=utf-8 { "client_name": "Example Consumer", "client_uri": "https://consumer.example.com/", "logo_uri": "https://consumer.example.com/logo.png", "tos_uri": "https://consumer.example.com/terms", "policy_uri": "https://consumer.example.com/privacy", "software_id": "c88b6ed8-269e-448e-99be-7e2ff47167d1", "software_version": "v4.0.30319", "redirect_uris": [ "https://consumer.example.com/Authorize" ], "token_endpoint_auth_method": "client_secret_basic", "grant_types": [ "authorization_code", "refresh_token" ], "response_types": [ "code" ], "scope": "https://purl.imsglobal.org/spec/clr/v1p0/scope/delete https://purl.imsglobal.org/spec/clr/v1p0/scope/readonly https://purl.imsglobal.org/spec/clr/v1p0/scope/replace" } ``` -------------------------------- ### Including Access Token in Service Request (HTTP GET) Source: https://www.imsglobal.org/spec/security/latest/spec/security/v1p1 This example illustrates how to include a bearer-type OAuth 2.0 access token in the `Authorization` header of a resource retrieval request. This is the standard method for authenticating with protected web services after obtaining a valid access token. ```http GET /resource HTTP/1.1 Host: server.example.com Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA ``` -------------------------------- ### Registration Initiation Request Source: https://www.imsglobal.org/spec/security/latest/index Details the query parameters required when a platform initiates the dynamic client registration flow via a User Agent redirect. ```APIDOC ## POST /initiate-registration ### Description This endpoint is used by the Platform to initiate the dynamic client registration flow. It involves a User Agent redirect to the initiation registration URL with specific query parameters. ### Method GET (Initiation Launch - User Agent Redirect) ### Endpoint `[initiation_registration_url]` ### Parameters #### Query Parameters - **openid_configuration** (string) - REQUIRED - The endpoint for the OpenID configuration, encoded as per [RFC3986] Section 3.4. - **registration_token** (string) - OPTIONAL - A short-lived, single-use access token to be used by the Tool when making the actual registration request to the Platform's registration endpoint. ### Request Example ``` https://platform.example.com/initiate?openid_configuration=https%3A%2F%2Ftool.example.com%2F.well-known%2Fopenid-configuration®istration_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9... ``` ### Response N/A (This is a redirect, not a direct API response) ``` -------------------------------- ### JWT JOSE Header Example Source: https://www.imsglobal.org/spec/security/latest/spec/security/v1p1 This example shows the JOSE (JSON Object Signing and Encryption) header for a JWT. It specifies the token type as JWT and the signing algorithm, such as RS256. ```json { "typ" : "JWT", "alg" : "RS256" } ``` -------------------------------- ### POST /connect/register Source: https://www.imsglobal.org/spec/security/latest/spec/security/v1p1 Register a tool with the platform by sending an HTTP POST request with the tool's configuration in JSON format. ```APIDOC ## POST /connect/register ### Description Register a tool with the platform by sending an HTTP POST request with the tool's configuration in JSON format. The content type must be `application/json`. If provided by the platform, the tool must include the token as Bearer Token in the Authorization http header. ### Method POST ### Endpoint /connect/register ### Parameters #### Request Body - **request_object_encryption_alg** (string) - Optional - JWE `alg` algorithm the Tool is declaring that it may use for encrypting Request Objects sent to the Platform. - **request_object_encryption_enc** (string) - Optional - JWE `enc` algorithm the Tool is declaring that it may use for encrypting Request Objects sent to the Platform. If `request_object_encryption_alg` is specified, the default for this value is `A128CBC-HS256`. When `request_object_encryption_enc` is included, `request_object_encryption_alg` _MUST_ also be provided. - **token_endpoint_auth_signing_alg** (string) - Optional - JWS `alg` algorithm that _MUST_ be used for signing the JWT used to authenticate the Client at the Token Endpoint for the `private_key_jwt` and `client_secret_jwt` authentication methods. - **default_max_age** (integer) - Optional - Default Maximum Authentication Age. Specifies that the End-User _MUST_ be actively authenticated if the End-User was authenticated longer ago than the specified number of seconds. - **require_auth_time** (boolean) - Optional - Boolean value specifying whether the auth_time Claim in the ID Token is _REQUIRED_. Defaults to `false`. - **default_acr_values** (array of strings) - Optional - Default requested Authentication Context Class Reference values. Array of strings that specifies the default `acr` values that the Platform is being requested to use for processing requests from this Tool, with the values appearing in order of preference. - **initiate_login_uri** (string) - Optional - URI using the `https` scheme that a third party can use to initiate a login by the Tool. - **request_uris** (array of strings) - Optional - The `request_uri` values that are pre-registered by the Tool for use at the Platform. - **application_type** (string) - Required - Type of the application (e.g., `web`). - **response_types** (array of strings) - Required - List of response types supported by the application (e.g., `["id_token"]`). - **grant_types** (array of strings) - Required - List of grant types supported by the application (e.g., `["implicit", "client_credentials"]`). - **redirect_uris** (array of strings) - Required - List of redirect URIs for the application. - **client_name** (string) - Optional - Human-readable name for the client. - **client_name#ja** (string) - Optional - Japanese human-readable name for the client. - **jwks_uri** (string) - Optional - URL for the client's JSON Web Key Set (JWKS). - **logo_uri** (string) - Optional - URL for the client's logo. ### Request Example ```json { "application_type": "web", "response_types": ["id_token"], "grant_types": ["implicit", "client_credentials"], "initiate_login_uri": "https://client.example.org/lti", "redirect_uris": ["https://client.example.org/callback", "https://client.example.org/callback2"], "client_name": "Virtual Garden", "client_name#ja": "バーチャルガーデン", "jwks_uri": "https://client.example.org/.well-known/jwks.json", "logo_uri": "https://client.example.org/logo.png" } ``` ### Response #### Success Response (200) - **client_id** (string) - The unique identifier for the registered client. - **client_secret** (string) - The client secret, if applicable for the authentication method. - **registration_access_token** (string) - An access token that can be used to update or delete the client registration. - **registration_client_uri** (string) - A URI that can be used to retrieve, update, or delete the client registration. #### Response Example ```json { "client_id": "some-client-id", "client_secret": "some-client-secret", "registration_access_token": "some-registration-access-token", "registration_client_uri": "https://server.example.com/connect/register/some-client-id" } ``` ``` -------------------------------- ### HTTP 400 Bad Request - Invalid Scope Example Source: https://www.imsglobal.org/spec/security/latest/spec/security/v1p1 Demonstrates an example of an error response from an authorization server when a requested scope is invalid. This follows the RFC6749 standard for error messages. ```HTTP HTTP/1.1 400 Bad Request Content-Type: application/json;charset=UTF-8 Cache-Control: no-store Pragma: no-cache ``` ```JSON { "error" : "invalid_scope" } ``` -------------------------------- ### Tool JWT Example Claims Source: https://www.imsglobal.org/spec/security/latest/spec/security/v1p1 An example JSON structure illustrating the claims typically found within a Tool JWT. This includes issuer, audience, nonce, expiration time, and issue time. ```json { "iss": "s6BhdRkqt3", // Client Identifier of the Client "aud": "https://lms.uofexample.edu", // Platform Issuer Identifier "nonce": "n-0S6_WzA2Mj", "exp": 1311281970, "iat": 1311280970 } ``` -------------------------------- ### Example JWK Set with RSA Keys (JSON) Source: https://www.imsglobal.org/spec/security/latest/spec/security/v1p1 This example demonstrates a JSON Web Key (JWK) Set containing two RSA public keys. Each key includes parameters like 'e' (exponent), 'use' (public key use), 'alg' (algorithm), 'kty' (key type), 'n' (modulus), and 'kid' (key ID). This structure is used for exchanging and validating cryptographic keys. ```json { "keys": [{ "e": "AQAB", "use": "sig", "alg": "RS256", "kty": "RSA", "n": "oNqXxxWuX7LlovO5reRNau5f96K_o3DJx-wK7lrjBmp0qKwNszbbp8MvfrlVs-oYXfj1rzqAeY6GJF5BETViDTT0i2fEz37J0HGAeTrO7Z5zI5Ure9Cb0lulLOZj1hF8piZzWW_z_set2NyhafoZ-IG1NSe61mqHu7mTjuHYST84igz-bPKhkJAVlmPPjHTO51hG9T_roVIkjXnvgqd2dCaJ0ExT2bR96jcyausbkdDNfPtJdfSCAWYXGQnt0PmIysOHPtCkyFqv5ez8KXT7Q4CAYd7nxwfWNOFRHyLAyF__cYEJlBEKGyJniSIPtkGBWrbXUQhKF6TEFa-RRRl8Dw==", "kid": "1516918956_0" }, { "e": "AQAB", "use": "sig", "alg": "RS256", "kty": "RSA", "n": "kMfHwTp2dIYybtvU-xzF2E3dRJBNBtNbb-d3-Rm6nRUraxnTwZ6Fr1YpFBd1pnWzLzdtMv7ofCd28nx-1mfYZ6qhqPWF1RpGe2vVOSTmcu-QpA9h-rouqRKlv3jvXPn623Z2U1Wml0EIxyIzD3WLu7NkWEKSIcBzeY1TctpO5FSU3EyyCX1UoIMuvYBP9tiZlc74yIZvky-qT8Ej3S8L0JqhvD583E_uGMoLowguOl2yYr9zhubiqOxT3VsxvpJCu04TWmvf4XX34IQRyAHcPJFQ2QiBfLWvWyc6iP3JJYJvyapwc5vVEismryXnngyBX8NXHZaarMi6g5kTQi8itw==", "kid": "1516918956_1" }] } ``` -------------------------------- ### JWT Access Token Payload Example (JSON) Source: https://www.imsglobal.org/spec/security/latest/spec/security/v1p1 An example JSON payload for a JWT used as an LTI access token. It includes standard JWT claims like subject, issued at, and expiration, along with LTI-specific scopes. ```json { "sub" : "www.example.com", "iat" : "1485907200", "exp" : "1485907500", "imsglobal.org.security.scope" : "https://purl.imsglobal.org/spec/lti-ags/scope/lineitem https://purl.imsglobal.org/spec/lti-ags/scope/result/read" } ``` -------------------------------- ### Client Registration Response (HTTP) Source: https://www.imsglobal.org/spec/security/latest/spec/security/v1p1 An example of an HTTP 201 Created response after a successful client registration. The response includes client credentials such as `client_id`, `client_secret`, and their issuance/expiration times, along with all the client metadata provided in the request. The `client_secret` must be unique for each `client_id` and is used for authentication to the token endpoint. ```http HTTP/1.1 201 Created Content-Type: application/json; charset=utf-8 { "client_id": "4ad36680810420ed", "client_secret": "af7aa0d679778e12", "client_id_issued_at": 1565715850, "client_secret_expires_at": 1597338250, "client_name": "Example Consumer", "client_uri": "https://consumer.example.com/", "logo_uri": "https://consumer.example.com/logo.png", "tos_uri": "https://consumer.example.com/terms", "policy_uri": "https://consumer.example.com/privacy", "software_id": "c88b6ed8-269e-448e-99be-7e2ff47167d1", "software_version": "v4.0.30319", "redirect_uris": [ "https://consumer.example.com/Authorize" ], "token_endpoint_auth_method": "client_secret_basic", "grant_types": [ "authorization_code", "refresh_token" ], "response_types": [ "code" ], "scope": "https://purl.imsglobal.org/spec/clr/v1p0/scope/readonly" } ``` -------------------------------- ### Example HTTP 200 OK Authorization Response Source: https://www.imsglobal.org/spec/security/latest/spec/security/v1p1 This is an example of a successful HTTP response from an authorization server after validating a JWT. It returns a 200 OK status, specifies the content type as JSON, and includes an access token. ```http HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 Cache-Control: no-store Pragma: no-cache { "access_token" : "dkj4985kjaIAJDJ89kl8rkn5" ``` -------------------------------- ### IMS Global Security Response Payload Example (JSON) Source: https://www.imsglobal.org/spec/security/latest/index An example of a successful HTTP response payload for IMS Global Specification Security, presented in JSON format. It includes essential configuration details for an OpenID Connect provider. ```json HTTP/1.1 200 OK Content-Type: application/json { "issuer": "https://server.example.com", "authorization_endpoint": "https://server.example.com/connect/authorize", "token_endpoint": "https://server.example.com/connect/token", "token_endpoint_auth_methods_supported": ["private_key_jwt"], "token_endpoint_auth_signing_alg_values_supported": ["RS256"], "jwks_uri": "https://server.example.com/jwks.json", "registration_endpoint": "https://server.example.com/connect/register", "scopes_supported": ["openid", "https://purl.imsglobal.org/spec/lti-gs/scope/contextgroup.readonly", "https://purl.imsglobal.org/spec/lti-ags/scope/lineitem", "https://purl.imsglobal.org/spec/lti-ags/scope/result.readonly", "https://purl.imsglobal.org/spec/lti-ags/scope/score", "https://purl.imsglobal.org/spec/lti-reg/scope/registration"], "response_types_supported": ["id_token"], "subject_types_supported": ["public", "pairwise"], "id_token_signing_alg_values_supported": ["RS256", "ES256"], "claims_supported": ["sub", "iss", "name", "given_name", "family_name", "nickname", "picture", "email", "locale"] } ``` -------------------------------- ### Successful Registration Response Source: https://www.imsglobal.org/spec/security/latest/index Upon successful registration, the platform returns the newly created client_id and echoes the Tool's configuration. This response may include a Client Configuration Endpoint and a Registration Access Token for managing the client's configuration. ```APIDOC ## POST /connect/register ### Description Successful client registration response. ### Method POST ### Endpoint /connect/register ### Parameters #### Path Parameters None #### Query Parameters None #### Request Body (See example below for typical fields, actual fields may vary based on platform capabilities) ### Request Example ```json { "policy_uri": "https://client.example.org/privacy", "policy_uri#ja": "https://client.example.org/privacy?lang=ja", "tos_uri": "https://client.example.org/tos", "tos_uri#ja": "https://client.example.org/tos?lang=ja", "token_endpoint_auth_method": "private_key_jwt", "contacts": ["ve7jtb@example.org", "mary@example.org"], "scope": "https://purl.imsglobal.org/spec/lti-ags/scope/score https://purl.imsglobal.org/spec/lti-nrps/scope/contextmembership.readonly" } ``` ### Response #### Success Response (200 OK) - **client_id** (string) - The unique identifier for the newly registered client. - **registration_client_uri** (string) - URI for the client configuration endpoint. - **application_type** (string) - Type of the application (e.g., 'web'). - **response_types** (array) - Allowed OAuth 2.0 response types. - **grant_types** (array) - Allowed OAuth 2.0 grant types. - **initiate_login_uri** (string) - URI for initiating login. - **redirect_uris** (array) - Allowed redirect URIs. - **client_name** (string) - Human-readable name for the client. - **jwks_uri** (string) - URI for the client's JSON Web Key Set. - **logo_uri** (string) - URI for the client's logo. - **token_endpoint_auth_method** (string) - Method for authenticating the client at the token endpoint. - **contacts** (array) - List of contact email addresses. - **scope** (string) - The scopes the client is requesting. #### Response Example ```json { "client_id": "709sdfnjkds12", "registration_client_uri": "https://server.example.com/connect/register?client_id=709sdfnjkds12", "application_type": "web", "response_types": ["id_token"], "grant_types": ["implicit", "client_credentials"], "initiate_login_uri": "https://client.example.org/lti", "redirect_uris": ["https://client.example.org/callback", "https://client.example.org/callback2"], "client_name": "Virtual Garden", "jwks_uri": "https://client.example.org/.well-known/jwks.json", "logo_uri": "https://client.example.org/logo.png", "token_endpoint_auth_method": "private_key_jwt", "contacts": ["ve7jtb@example.org", "mary@example.org"], "scope": "https://purl.imsglobal.org/spec/lti-ags/scope/score" } ``` ``` -------------------------------- ### Successful Client Registration Response (JSON) Source: https://www.imsglobal.org/spec/security/latest/index This JSON object represents a successful response from a platform after a tool has registered. It includes the newly created client_id and echoes the tool's configuration as recorded by the platform, potentially differing from the initial request. ```json { "client_id": "709sdfnjkds12", "registration_client_uri": "https://server.example.com/connect/register?client_id=709sdfnjkds12", "application_type": "web", "response_types": ["id_token"], "grant_types": ["implicit", "client_credentials"], "initiate_login_uri": "https://client.example.org/lti", "redirect_uris": [ "https://client.example.org/callback", "https://client.example.org/callback2" ], "client_name": "Virtual Garden", "jwks_uri": "https://client.example.org/.well-known/jwks.json", "logo_uri": "https://client.example.org/logo.png", "token_endpoint_auth_method": "private_key_jwt", "contacts": ["ve7jtb@example.org", "mary@example.org"], "scope": "https://purl.imsglobal.org/spec/lti-ags/scope/score" } ``` -------------------------------- ### JWT Claim Set Payload Example Source: https://www.imsglobal.org/spec/security/latest/spec/security/v1p1 This is an example of the claim set payload for a JWT used in OAuth 2.0 client-credentials grant. It includes essential claims like issuer, subject, audience, issued at, expiration time, and a unique JWT ID. ```json { "iss" : "tool.com", "sub" : "www.example.com", "aud" : ["https://www.example.com/lti/auth/token"], "iat" : "1485907200", "exp" : "1485907500", "jti" : "29f90c047a44b2ece73d00a09364d49b" } ``` -------------------------------- ### GET /.well-known/openid-configuration Source: https://www.imsglobal.org/spec/security/latest/spec/security/v1p1 The OpenID Provider Configuration Document is queried using an HTTP GET request to the OpenID Configuration URL. This endpoint returns a JSON object containing claims about the OpenID Provider's configuration, including necessary endpoints and public key information. ```APIDOC ## GET /.well-known/openid-configuration ### Description Retrieves the OpenID Provider Configuration Document, which contains essential information about the OpenID Provider's endpoints and supported features. ### Method GET ### Endpoint `{OpenID Configuration URL}` ### Parameters #### Query Parameters - **r** (string) - Optional - An example query parameter that may be included in the OpenID Configuration URL. ### Request Example ```http GET /.well-known/openid-configuration?r=7462647772 HTTP/1.1 Host: platform.example.com Accept: application/json ``` ### Response #### Success Response (200) - **issuer** (string) - REQUIRED. Platform's issuer value. A URL using the `https` scheme with no query or fragment component. - **authorization_endpoint** (string) - REQUIRED. URL of the OAuth 2.0 Authorization Endpoint. - **token_endpoint** (string) - REQUIRED. URL of the endpoint for the tool to request a token. - **jwks_uri** (string) - REQUIRED. URL of the Platform JWK Set endpoint. - **registration_endpoint** (string) - REQUIRED. URL of the registration endpoint. - **scopes_supported** (array) - REQUIRED ARRAY. Contains `openid` and supported scopes. - **response_types_supported** (array) - REQUIRED ARRAY. Must contain `id_token` and may offer additional values. - **subject_types_supported** (array) - REQUIRED ARRAY. Supported Subject Identifier types (`public`, `pairwise`). - **id_token_signing_alg_values_supported** (array) - REQUIRED ARRAY. Must contain `RS256` and may offer additional values. - **token_endpoint_auth_methods_supported** (array) - REQUIRED ARRAY. Must contain `private_key_jwt` and may offer additional values. - **token_endpoint_auth_signing_alg_values_supported** (array) - REQUIRED ARRAY. Supported signing algorithms for token endpoint authentication. #### Response Example ```json { "issuer": "https://platform.example.com", "authorization_endpoint": "https://platform.example.com/auth", "token_endpoint": "https://platform.example.com/token", "jwks_uri": "https://platform.example.com/jwks", "registration_endpoint": "https://platform.example.com/register", "scopes_supported": [ "openid", "https://purl.imsglobal.org/spec/lti/scope/context/readonly", "https://purl.imsglobal.org/spec/lti/scope/course/readonly" ], "response_types_supported": [ "id_token" ], "subject_types_supported": [ "public" ], "id_token_signing_alg_values_supported": [ "RS256" ], "token_endpoint_auth_methods_supported": [ "private_key_jwt" ], "token_endpoint_auth_signing_alg_values_supported": [ "RS256" ] } ``` ```