cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
z_dusatko
Community Participant

OAuth2 and LTI

Jump to solution

Hello all,

I am building LTI tool which will use user access token to access the course info. I finally got LTI launch and oauth2 access token working. Now I am confused why I need two pairs of ids and secrets:
1. LTI Consumer Key, LTI Shared Secret (this is for LTI launch and it is set when registering the tool)

2. Client ID, Client Token (this is to get access token through oauth2, this is set separately in Canvas developer keys section).

I thought that the idea of using oauth2 after LTI is successfully launched was that I don't need any developer keys set beforehand manually.

Or is there some common rule to set them the same
LTI Consumer Key = Client ID
LTI Shared Secret = Client Token ?

Thanks,

Zbynek

Labels (2)
1 Solution

Accepted Solutions
pkreemer
Community Participant

Zbynek, I think I follow you here, and I'd say the overall ideas are that:

  1. LTI gets a Canvas user authenticated into your web application and,
  2. Client token gives your web app access back to the Canvas API.

So they handle very different parts of the overall process. Some LTI apps may not even need access back to Canvas, but it sounds like you do. So you'd set up and use a developer key, which in turn lets you get client tokens and access the Canvas REST API.

View solution in original post

3 Replies
pkreemer
Community Participant

Zbynek, I think I follow you here, and I'd say the overall ideas are that:

  1. LTI gets a Canvas user authenticated into your web application and,
  2. Client token gives your web app access back to the Canvas API.

So they handle very different parts of the overall process. Some LTI apps may not even need access back to Canvas, but it sounds like you do. So you'd set up and use a developer key, which in turn lets you get client tokens and access the Canvas REST API.

View solution in original post

z_dusatko
Community Participant

Hi Paul,

thanks for clearing that up. It just took me some time to find out what client id and client token is.
Z.

ag3811
Community Participant

Yes, the LTI key and secret are so that your tool knows whether the LTI request is coming from a user properly authenticated into an authorized Canvas instance.  The Canvas client ID and token are so that the Canvas instance knows that the your API request is coming from a properly authorized app.