Need clarity on OAuth authentication when managing courses

chrisrockwell

We have an LTI tool that is currently added to courses individually using the client id.  If, for example, the course admin then clicks on "Our Tool" in the Course Navigation we show them a list of the quizzes in their course.

This works fine for developers because we can grab a bearer token from our account and hard-code that in; obviously this isn't a good production solution.

Is it correct that we should be using the OAuth flow so that course admins authorize our LTI tool to make API calls on their behalf, i.e. we get their bearer token? It seems like a bit of a UX issue that a course admin would add the LTI Tool, and then, upon using the navigation item that the LTI Tool provides, have to authorize the app again (albeit just one time, as long as we can hang onto the refresh token).

Additionally, what is the correct scope for getting course information? I see the scopes provided with the respective endpoints, e.g. Scope: url:GET|/api/v1/courses, but I get invalid scopes when I use these. The only ones I've had success with so far look like "https://purl.imsglobal.org/spec/lti-ags/scope/lineitem" but I can't seem to find a good reference for these.