I'm having a tough time finding documentation on how sessionless launch URLs work. The API docs describe how to retrieve them (External Tools - Canvas LMS REST API Documentation) but it's a bit unclear to me how they are used. They seem to permit a single-use launch of the tool, but how is authentication handled without the HTTP POST of a typical LTI 1.x tool launch?
To help me wrap my mind around it, I would be very grateful if someone could sketch out a use-case or two --even in super broad strokes-- outlining how and in what scenarios sessionless URLs are best used.
Hi Erik --
The sessionless launch URLs actually point back to Canvas rather than to the LTI tool, and then Canvas generates the regular LTI 1.1 POST request that launches the tool. Canvas uses the "verifier" token to look up all of the user and context information that would otherwise have been found in the session for a normal LTI launch.
An interaction diagram of the process might look something like this:
This is quite similar to what happens when a user clicks on a link to an LTI tool that appears in course navigation:
It's important to note that the sessionless launch URL bypasses Canvas authentication, and while it can only be used once it does allow the user to launch the tool as whoever generated the link in the first place.
Hope this helps! (I'm also interested to hear what others have to say about use cases!)
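Added example (not part of the original reply, and not Canvas's code): a simplified Python model of the flow described in the reply above, showing that the verifier alone selects the stored launch context, that it works once, and that the launch carries the identity of whoever generated the link. The class and function names, the `canvas.example` URL, the user and course values, and the expiry window are assumptions made for this sketch.

```python
import secrets
import time
from urllib.parse import urlparse, parse_qs, urlencode, urlunparse

TTL_SECONDS = 300  # assumption for this model; the thread only states "single use"


class SessionlessLaunchModel:
    """Toy model of the flow described above. Not Canvas's implementation."""

    def __init__(self):
        self._pending = {}  # verifier -> launch context captured at creation time

    def create_launch_url(self, api_user, course_id, tool_id, now=None):
        # Step 1: an authenticated API caller requests the URL. The caller's
        # identity is stored server-side under a random verifier.
        now = time.time() if now is None else now
        verifier = secrets.token_urlsafe(32)
        self._pending[verifier] = {"user_id": api_user, "context_id": course_id,
                                   "tool_id": tool_id, "expires": now + TTL_SECONDS}
        # Constructed host and path, for illustration only.
        return (f"https://canvas.example/courses/{course_id}"
                f"/external_tools/sessionless_launch?verifier={verifier}")

    def redeem(self, url, now=None):
        # Step 2: the URL is opened. No cookie or login is consulted: the
        # verifier alone selects the stored context, so it is a bearer secret.
        now = time.time() if now is None else now
        verifier = parse_qs(urlparse(url).query).get("verifier", [""])[0]
        ctx = self._pending.pop(verifier, None)  # pop makes it single use
        if ctx is None or now > ctx["expires"]:
            return None
        # Step 3: these fields would go into the signed LTI 1.1 POST to the tool.
        return {"lti_message_type": "basic-lti-launch-request",
                "lti_version": "LTI-1p0",
                "user_id": ctx["user_id"], "context_id": ctx["context_id"]}


def redact_verifier(url):
    """Return the URL with the verifier value masked, for safe logging."""
    parts = urlparse(url)
    query = parse_qs(parts.query)
    if "verifier" in query:
        query["verifier"] = ["REDACTED"]
    return urlunparse(parts._replace(query=urlencode(query, doseq=True)))
```

Because the URL works without a Canvas login, an integration that requests one should hand it straight to the intended user and keep the verifier out of logs and analytics, which is what `redact_verifier` is for.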
I have another use case which you can help me with. I am looking to use the sessionless launch URL in deep linking (in the Rich Content Editor). I tried the Canvas API and always get the sessionless launch URL for "basic_lti_launch". But how could I get the sessionless launch URL for the deep linking "ContentItemSelection"? I tried querying the API in all possible ways, but all the URLs navigate me to basic_lti_launch.
We have an LTI which will display all LTI tools that are eligible for deep linking, and on click of a tool we would like to open it through the sessionless_launch URL in an iframe or separate tab, select the content inside that tool, and deep link it in the Rich Content Editor.
I was unable to get sessionless URLs to work on the beta and test instances of our Instructure-hosted Canvas and am guessing that this is because we block students from accessing our beta/test instances.
The same calls pointed at our production instance work fine.