cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
z_dusatko
Community Participant

Is LTI always using oauth version 1.0?

Jump to solution

Hello, 
I was following this LTI tutorial
Introduction to LTI Apps: Canvas Dev and Friends 
and at the same time was reading about canvas oauth 2.0 at
OAuth2 - Canvas LMS REST API Documentation 

It seems that Canvas is doing all oauth flow in background for its already installed LTI and it is up to the LTI tool to verify timestamp and auth signature, and so on. But why am I always getting "oauth_version": "1.0"?
Shouldn't there be an option to use oauth 2.0? Is it in XML configuration? Couldn't find it.
Thanks for any advice,
Zbynek

Labels (1)
Tags (2)
1 Solution

Accepted Solutions
pklove
Community Champion

It might be best not to read those at the same time as they do not relate to each other.

The LTI standard uses OAuth 1 purely as a signing mechanism. 

The Canvas OAuth 2 implementation is related to providing authentication for accessing the REST API.

An LTI tool might make use of the second if it is allowed to call the REST API, but this is completely unrelated to the LTI tool verifying its launch parameters.

View solution in original post

4 Replies
pklove
Community Champion

It might be best not to read those at the same time as they do not relate to each other.

The LTI standard uses OAuth 1 purely as a signing mechanism. 

The Canvas OAuth 2 implementation is related to providing authentication for accessing the REST API.

An LTI tool might make use of the second if it is allowed to call the REST API, but this is completely unrelated to the LTI tool verifying its launch parameters.

View solution in original post

z_dusatko
Community Participant

Hi Peter,

thanks for your reply. I am a beginner, would you have some advice on best practices for building LTI? We would like to have our LTI access some Canvas resources (assignments), combine them with our data and store on our side permanently. We would also like to change LTI user interface depending on the role (student, instructor). We have admin access token to access Canvas API but I would prefer to do OAuth 2 for the current user and get access token this way. 

Thanks,

Z.

pklove
Community Champion

Sorry, don't have any advice on best practices.

But if you want to see what Canvas passes on an LTI launch we have a test tool at https://lti.netkno.nz/tp   You can use the consumer key / secret combination:  myschool.edu / letmein

And we have an example of going through the OAuth2 process at https://canexa.netkno.nz/

z_dusatko
Community Participant

That's great, thanks a lot!