[WIP] JWT Authentication mechanism #50
Description
Background
Currently, there are only two approaches for securing external access to Opencast resources (e.g., from LMS platforms):
-
LTI Authentication
- ✅ Provides a solid security layer
- ✅ Allows routing of requests to a specific target module
- ❌ Launch calls are complex and error-prone
- ❌ Relies on sessions/cookies, which are increasingly blocked by modern browsers, resulting in fragile integrations
- ❌ Requires extensive configuration on both system and server levels
-
Stream Security
- ✅ Temporarily secures access to specific media files
- ❌ Reliability issues in real-world usage
- ❌ Considered outdated and not well maintained
LMS Integration Overview
Three major LMS platforms currently integrate with Opencast through PHP-based plugins:
-
Moodle
- Supports LTI Authentication (optionally)
-
ILIAS
- Uses Stream Security
- Does not support Secure Static Files
-
Stud.IP
- Requires LTI Authentication
Proposed Concept
Once the JWT module in Opencast is functional, it should be integrated into the Opencast PHP library to modernize and simplify secure access for all LMS plugins.
Aim
To support all LMS platforms via the Opencast PHP library using JWT-based authentication, thereby improving integration security, reducing configuration complexity, and avoiding browser-based session limitations.
Recommended JWT Strategy
Use JWT tokens in API calls via URL query strings.
Why this approach?
- Minimizes the need for changes in the LMS plugins themselves
- Keeps all implementation and logic changes within the PHP library
- Can be introduced as an optional mechanism without disrupting existing setups
Next Steps
- Finalize and stabilize the JWT module in Opencast / Waiting for a beta-version at least!
- Extend the Opencast PHP library to support JWT-based access
- Evaluate integration with existing LMS plugins
- Optionally enable JWT authentication for improved security and flexibility