Is LTI always using oauth version 1.0?

Jump to solution
z_dusatko
Community Novice

Hello, 
I was following this LTI tutorial
Introduction to LTI Apps: Canvas Dev and Friends 
and at the same time was reading about canvas oauth 2.0 at
OAuth2 - Canvas LMS REST API Documentation 

It seems that Canvas is doing all oauth flow in background for its already installed LTI and it is up to the LTI tool to verify timestamp and auth signature, and so on. But why am I always getting "oauth_version": "1.0"?
Shouldn't there be an option to use oauth 2.0? Is it in XML configuration? Couldn't find it.
Thanks for any advice,
Zbynek

Labels (1)
1 Solution
pklove
Community Champion

It might be best not to read those at the same time as they do not relate to each other.

The LTI standard uses OAuth 1 purely as a signing mechanism. 

The Canvas OAuth 2 implementation is related to providing authentication for accessing the REST API.

An LTI tool might make use of the second if it is allowed to call the REST API, but this is completely unrelated to the LTI tool verifying its launch parameters.

View solution in original post