Securing LTI app communication after launch
04-23-2018
02:49 PM
Hello,
I was wondering if anybody has some input on best practices to secure a tool provider after a successful launch. I will have a REST API server (Java Spring with React.js) as a provider, and I think it should create some web token (JWT, or Spring might provide something already) for the current Canvas user and attach this web token to each HTTP request in the Authorization header. Since LTI was already successfully launched, I assume I don't need another user login and this web token should be created automatically on the provider's server side. Basically, how can I prevent a man-in-the-middle attack after the LTI launch?
Thanks,
Zbynek
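
The approach the question describes (mint a signed token for the Canvas user once the LTI launch has been validated, then require it in the Authorization header of every API call), as an added example that is not part of the original post. It is written in JavaScript on Node's built-in crypto rather than Spring; the function names, claim set, 15-minute lifetime and sample launch values are assumptions, and the token authenticates requests while relying on HTTPS for protection in transit.

```javascript
// Added example: function names, claims and TTL are assumptions, not from the post.
const crypto = require('crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');
const sign = (data, secret) => crypto.createHmac('sha256', secret).update(data).digest();

// Constructed sample values standing in for a validated LTI launch.
const SECRET = crypto.randomBytes(32); // server-side only, never sent to the browser
const sampleLaunch = { user_id: 'constructed-user-123', context_id: 'constructed-course-9', roles: 'Learner' };

// Call only after the LTI launch signature has been validated.
function issueSessionToken(launch, secret, nowSec, ttlSec = 900) {
  const header = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const payload = b64url(JSON.stringify({
    sub: launch.user_id,    // Canvas user the launch was for
    ctx: launch.context_id, // course the launch came from
    roles: launch.roles,
    iat: nowSec,
    exp: nowSec + ttlSec,   // short lifetime limits the value of a stolen token
  }));
  const signingInput = `${header}.${payload}`;
  return `${signingInput}.${b64url(sign(signingInput, secret))}`;
}

// Returns the claims for a valid "Authorization: Bearer <token>" value, else null.
function verifyAuthorizationHeader(headerValue, secret, nowSec) {
  const m = /^Bearer ([\w-]+)\.([\w-]+)\.([\w-]+)$/.exec(headerValue || '');
  if (!m) return null;
  const [, h, p, s] = m;
  // Check the signature before parsing anything, in constant time.
  const expected = sign(`${h}.${p}`, secret);
  const given = Buffer.from(s, 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  let head, claims;
  try {
    head = JSON.parse(Buffer.from(h, 'base64url').toString('utf8'));
    claims = JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));
  } catch {
    return null;
  }
  if (head.alg !== 'HS256') return null; // pin the algorithm, never trust the header's choice
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) return null; // expired
  return claims;
}
```

The React client would send the token as `Authorization: Bearer <token>` on each request, and the server would run the verification before any handler that touches user data.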