LTI Integration Support in LMS
LTI (Learning Tools Interoperability) is an IMS Global standard for embedding external educational tools in an LMS. Through LTI, instructors configure Kahoot, Phet Simulations, Coursera for Campus, Microsoft Teams once — and students launch them directly from the LMS without separate registration.
LTI Versions
- LTI 1.1 — legacy, OAuth 1.0 signing. Still used by many vendors.
- LTI 1.3 — modern standard, OAuth 2.0 + OpenID Connect. Required for new integrations.
LTI 1.3 — Platform Role (Your LMS)
Your LMS acts as Platform (IMS terminology). External tool is Tool. Process:
- User clicks LTI link in LMS
- LMS initiates OIDC Login Request to Tool
- Tool responds with Auth Request
- LMS creates signed JWT and POSTs to Tool
- Tool validates JWT via LMS JWKS
import { Provider } from 'ltijs'; // npm install ltijs
// Setup LMS as LTI Platform
Provider.setup(
process.env.LTI_ENCRYPTION_KEY!, // 32+ chars for cookie encryption
{
url: process.env.DATABASE_URL!,
plugin: require('ltijs-postgresql'), // PostgreSQL adapter
},
{
cookies: { secure: true, sameSite: 'None' },
devMode: process.env.NODE_ENV !== 'production',
}
);
// Register external tool
await Provider.registerPlatform({
url: 'https://tool.example.com',
name: 'Kahoot Integration',
clientId: process.env.KAHOOT_CLIENT_ID!,
authenticationEndpoint: 'https://tool.example.com/lti/auth',
accesstokenEndpoint: 'https://tool.example.com/lti/token',
authConfig: {
method: 'JWK_SET',
key: 'https://tool.example.com/.well-known/jwks.json',
},
});
// Tool launch handler
Provider.onConnect(async (token, req, res) => {
const { email, name, role } = token.userInfo;
const contextId = token.platformContext.context?.id;
// Check/create user in external tool
res.json({ token: token.jwt });
});
await Provider.deploy({ serverless: true });
LTI 1.1 — for Legacy Tools
Some vendors (Phet, certain tests) still use LTI 1.1 with OAuth 1.0 signing:
import oauth from 'oauth-signature';
function launchLti11(
launchUrl: string,
consumerKey: string,
consumerSecret: string,
params: Record<string, string>
): { url: string; method: 'POST'; body: string } {
const baseParams: Record<string, string> = {
lti_message_type: 'basic-lti-launch-request',
lti_version: 'LTI-1p0',
oauth_callback: 'about:blank',
oauth_consumer_key: consumerKey,
oauth_nonce: crypto.randomUUID().replace(/-/g, ''),
oauth_signature_method: 'HMAC-SHA1',
oauth_timestamp: String(Math.floor(Date.now() / 1000)),
oauth_version: '1.0',
...params,
};
const signature = oauth.generate('POST', launchUrl, baseParams, consumerSecret, '');
baseParams.oauth_signature = signature;
const body = new URLSearchParams(baseParams).toString();
return { url: launchUrl, method: 'POST', body };
}
// Tool launch page
app.get('/courses/:courseId/tools/:toolId/launch', authenticate, async (req, res) => {
const tool = await db.ltiTools.findById(req.params.toolId);
const enrollment = await db.enrollments.findByCourseAndUser(
req.params.courseId, req.user.id
);
if (tool.version === '1.1') {
const launch = launchLti11(tool.launch_url, tool.consumer_key, tool.consumer_secret, {
resource_link_id: `${req.params.courseId}-${req.params.toolId}`,
resource_link_title: tool.name,
user_id: req.user.id,
lis_person_name_full: req.user.name,
lis_person_contact_email_primary: req.user.email,
roles: enrollment.role === 'instructor' ? 'Instructor' : 'Student',
context_id: req.params.courseId,
context_title: enrollment.courseTitle,
});
// Auto-submit form via HTML
res.send(`
<!DOCTYPE html>
<html>
<body>
<form id="lti" method="POST" action="${launch.url}">
${Object.entries(Object.fromEntries(new URLSearchParams(launch.body)))
.map(([k, v]) => `<input type="hidden" name="${k}" value="${v}" />`)
.join('\n')}
</form>
<script>document.getElementById('lti').submit();</script>
</body>
</html>
`);
}
});
Tool Configuration Storage
CREATE TABLE lti_tools (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
course_id UUID REFERENCES courses(id),
name VARCHAR(255) NOT NULL,
version VARCHAR(10) NOT NULL, -- '1.1' | '1.3'
-- LTI 1.1
launch_url TEXT,
consumer_key VARCHAR(255),
consumer_secret TEXT,
-- LTI 1.3
client_id VARCHAR(255),
platform_id VARCHAR(255),
deployment_id VARCHAR(255),
oidc_auth_url TEXT,
jwks_url TEXT,
-- Settings
open_in_new_tab BOOLEAN DEFAULT false,
custom_params JSONB DEFAULT '{}',
created_at TIMESTAMPTZ DEFAULT now()
);
Getting Results via LTI Outcomes (1.1)
// Tool can send grades back to LMS
app.post('/lti/grade', async (req, res) => {
const { sourcedId, score, action } = parseLtiOutcomesXml(req.body);
// sourcedId contains userId and resourceLinkId
const [userId, resourceId] = parseLisResultSourcedId(sourcedId);
await db.ltiGrades.upsert({
userId,
resourceId,
score: Number(score),
receivedAt: new Date(),
});
// Update course progress
await updateCourseProgress(userId, resourceId, Number(score));
res.type('application/xml').send(`
<?xml version="1.0" encoding="UTF-8"?>
<imsx_POXEnvelopeResponse xmlns="http://www.imsglobal.org/services/ltiv1p1/xsd/imsoms_v1p0">
<imsx_POXHeader>
<imsx_POXResponseHeaderInfo>
<imsx_version>V1.0</imsx_version>
<imsx_messageIdentifier>${crypto.randomUUID()}</imsx_messageIdentifier>
<imsx_statusInfo>
<imsx_codeMajor>success</imsx_codeMajor>
<imsx_severity>status</imsx_severity>
</imsx_statusInfo>
</imsx_POXResponseHeaderInfo>
</imsx_POXHeader>
<imsx_POXBody><replaceResultResponse /></imsx_POXBody>
</imsx_POXEnvelopeResponse>
`);
});
Timeframe
LTI 1.1 integration (Consumer + Launch + Grades) — 3–5 days. LTI 1.3 with OIDC flow via ltijs — 1 week. Support both + tool management UI — 2 weeks.