Launching a tool from within canvas works fine for intructors but occasionally users may need to access the tool directly without clicking from from a course.
Open ID Connect does allow for this, but when we try to authenticate this way we receive an error from Canvas stating that is a bad request and that "lti_message_hint" is not provided and when we do provide it (base64 url encoded with the canvas_domain) then it gives us a bad request "Invalid lti_message_hint" and we can't see how to make this work.
Is there any way to authenticate with the Lti Key using Open ID connect, in the same way that we can do that using the oauth flow for the regular developer keys?
If we did want to use Canvas for SSO without requiring an Lti launch, are we looking at the wrong place?
220.127.116.11 of the below covers the auth request.
This is basically and example of what we are submitting when we get the bad request responses.
https://sso.canvaslms.com/api/lti/authorize_redirect? response_type=id_token &response_mode=form_post &client_id=some_client &scope=openid &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcallback &state=DcP7csa3hMlvybERqcieLHrRzKBra &nonce=2T1AgaeRTGTMAJyeDMN9IJbgiUG
Solved! Go to Solution.
As far as I'm aware it's not possible to use a LTI Developer Key to allow users to directly login to your application (ie without them clicking on something in Canvas). However if you create an API Developer Key then you can use that to get the user to login to your application, you need to use the scope=/auth/userinfo parameter as outlined on: https://canvas.instructure.com/doc/api/file.oauth.html#oauth2-flow
This should allow you to get the ID of the user who is logged into Canvas and then as long as you saved the ID of the user from the LTI launch (it's not passed by default) you should be able to log the user into the correct account.