Question
This document refers to an auth token parameter being passed to the launched activity
https://github.com/RusticiSoftware/launch/blob/master/lms_lrs.md
What is this parameter, and how is it used/passed back to the LRS with statements to authorise them? The API spec only refers to OAuth which uses different parameters, and http basic auth which is username/password.
https://github.com/adlnet/xAPI-Spec/blob/master/xAPI.md#security
Answer 1:
The "auth" query string value is intended for HTTP basic auth; it's to be passed after "Basic " in the HTTP Authorization header. That's not clear at all from the document you linked; that is how current adopters have implemented it. Since Basic Auth expects a base64 encoded username/password there, in practice this means the token sent by the LMS has to be a base64 encoded username/password, but the client shouldn't have to inspect it.
Some history: I originally created this document as a proposal for how an LRS could be integrated with an LRS, and expected some rounds of feedback and improvement during the development of the xAPI spec. That hasn't happened, but in the meantime there has been demand for a way to launch xAPI content and this mechanism has been widely adopted. CMI-5 is going to include a launch mechanism, and it's using this mechanism as a starting point: https://github.com/AICC/CMI-5_Spec_Current/blob/master/cmi5_runtime.md#80-content-launch-mechanisms. CMI-5 is still subject to change, so for now folks are sticking with this launch mechanism, but not particularly interested in refining it because of the expectation that it will be replaced.
That said, the omission you brought up is severe and it might be time to add some clarifications based on how the launch mechanism is being used in the wild.
Answer 2:
Basic auth token follows standard basic auth formatting of username:password such as:
someusername:somepassword
Then base 64 encoded:
c29tZXVzZXJuYW1lOnNvbWVwYXNzd29yZA==
Prepend the word Basic and a space:
Basic c29tZXVzZXJuYW1lOnNvbWVwYXNzd29yZA==
Finally URL encoded:
auth=Basic%20c29tZXVzZXJuYW1lOnNvbWVwYXNzd29yZA%3D%3D
For example, with a SCORM Cloud account you can get these from the LRS section under Activity Providers, where Key==Username and Secret==Password.
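The two answers differ on whether the "auth" value already carries the "Basic " prefix, so a launched activity has to accept both forms. The following is an added example, not part of either answer or of the launch document: the function names and the content.example URL are assumptions, the credentials are the sample values from Answer 2, and other launch parameters are left out.

```javascript
// LMS side: build the auth query parameter following the steps in Answer 2.
// Buffer is Node-only; a browser would use btoa() for ASCII credentials.
function buildAuthParam(username, password) {
  const token = Buffer.from(`${username}:${password}`, "utf8").toString("base64");
  // encodeURIComponent turns the space into %20 and "=" padding into %3D.
  return "auth=" + encodeURIComponent("Basic " + token);
}

// Activity side: turn the launch URL's auth value into an Authorization
// header value, accepting "Basic <token>" (Answer 2) or a bare token (Answer 1).
function authorizationHeaderFromLaunch(launchUrl) {
  const raw = new URL(launchUrl).searchParams.get("auth");
  if (!raw) throw new Error("launch URL has no auth parameter");
  const value = raw.trim();
  const header = /^Basic /i.test(value) ? value : "Basic " + value;
  const token = header.slice(6).trim();
  // Shape check only, the credential is never decoded. An unencoded "+" in
  // the query string arrives as a space and is rejected here rather than
  // producing a header the LRS will refuse.
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(token)) {
    throw new Error("auth token is not valid base64");
  }
  return "Basic " + token;
}

// The launch URL carries a reusable LRS credential, so strip it before the
// URL is written to logs, analytics or error reports.
function redactLaunchUrl(launchUrl) {
  const url = new URL(launchUrl);
  if (url.searchParams.has("auth")) url.searchParams.set("auth", "REDACTED");
  return url.toString();
}

// Constructed sample launch, using the credentials from Answer 2.
const sampleLaunch = "https://content.example/index.html?" +
  buildAuthParam("someusername", "somepassword");
console.log(redactLaunchUrl(sampleLaunch));
console.log(authorizationHeaderFromLaunch(sampleLaunch).slice(0, 6) + "<token>");
```

The value returned by authorizationHeaderFromLaunch goes unchanged into the Authorization header of each statement request sent to the LRS.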
Source: https://stackoverflow.com/questions/24235539/tin-can-launch-auth-parameter