Clarification request on ensuring remote launches are supported by vendors. #785
Comments
I understand your point, but do you have a recommendation of how to make it less ambiguous? IMO there isn't much ambiguous about a term that is defined in a set of definitions. It is pretty unreasonable for them to make a leap from the word "session" which is defined in a set of terms in a specification to have it mean something other than that definition. Them requiring anything other than that the request uses the POST method and the full URL itself is beyond the scope of the spec and very likely to break implementations as you've pointed out. I'd go much further than requiring cookie based authentication as being "annoying", it will just continue to break implementations going forward and although I suppose it isn't in technical violation of the spec, it certainly is in violation of the intent of the spec as you've pointed out.
In general the WG has mostly disagreed with this stance historically, as people ignoring definitions can't generally be satisfied regardless of brevity. (Note I'm all for clarifications, especially outside of actual "requirements", I just don't know what that clarity looks like in this case.) |
|
Hi @brianjmiller, Thanks for the reply,
I'm not insistent on this at all, (and you say the working group doesn't seem keen on it) but I think Personally I'd like to be surprised by an unknown/scoped term which makes me consult the documentation and have to look it up or ask someone like you (thanks for the help so far).
Well put, how the specification could solve intent disputes is beyond me! It's hard enough to deal with a closed source vendor who seems willing to argue the spec on this one.. I might refer them to the definition section on session since they argued that it's their LMS session. If anyone from the working group could somehow make some sort of clarification around the "purity" of the fetch process that would be great. By purity I mean that it shouldn't be stateful from the AU's prospective. The LMS should be encoding state in the fetch URL not via the browser. |
|
closed per Feb 9th meeting |
Hi All!
We're in the process of implementing CMI5 for our content authoring system. We've been testing with ScormCloud and the Catapult CTS with little issues.
Specifically we want to support standardised "remote" launches from the LMS to our live servers. We already implement LTI but we're extending our support for more vendors.
We've had a bit of a communication issue with a LMS vendor. Their implementation is created as a set of plugins to LMS'ify Wordpress.
The vendor seems to interpret the following exert from the specification as referring to their own LMS session (
the session):https://github.com/AICC/CMI-5_Spec_Current/blob/quartz/cmi5_spec.md#821-overview
We're trying to fetch their token as outlined in the specification, we're doing this remotely (cross origin) from our servers (not the browser). However they're requiring that we use their WordPress cookie in order for them to match to this session, it's user and use that information to authenticate said user to their LRS.
I would personally just add a parameter to fetch url that is a jwt token to identify the agent. That way no session based context is needed from the AU apart from the fetch URL.
We understand their implementation from a security/ease-of-implementation point of view but in our interpretation of the specification and it's adverts around "supporting remote launches" and more than just HTTP protocols (which would make cookie based authentication pretty annoying):
https://github.com/AICC/CMI-5_Spec_Current/blob/quartz/cmi5_spec.md#url
All in all I think referring to "the session" is a little ambiguous, I know that
Sessionis defined in the definitions. I think since we've just seen a case in the wild of people ignoring the definition it might pay to be a little more explicit at the site (here) at the cost of brevity.Any chance of a clarification or update here?
Many thanks for your work on the specification and assistance with those implementing it :)
The text was updated successfully, but these errors were encountered: