Use the Canvas API from an LTI 1.3

xcesaralejandro
Community Explorer

Hello, I am currently trying a demo application with LTI 1.3 and PHP (I am new to LTI development). I would like to be able to work with more data from the Canvas API, although of course working directly with the API makes my application less interoperable, but since it is a demo I would like to experiment.

In order to achieve this, I have had some doubts:
1.- When the LTI Canvas is being authenticated, it returns a key called "authenticity_token". What is this really? What is it for?

2.- How can I consume an endpoint of the Canvas API from the LTI? Should I register an API key by obligation and ask the user to authorize the application to obtain my bearer token and consume the API?

3.- How can I identify the user and course in question for the relationship between the LTI and the API? The LTI gives me a custom id for the user, since the substitution of variables I cannot directly send the user id to my LTI (only the sisSourceId) and the user ID to consume the API is totally different from the one delivered in the LTI, same for the course id.

matthew_buckett
Community Contributor

Firstly, LTI Advantage (which Canvas implements) allows you as an LTI 1.3 integration to make some API calls that other platforms (VLE/LMS) will also support. For these APIs you don't need any other key; you use the JWK registered with Canvas when you added your LTI developer key to sign these requests. The Canvas documentation pages for these endpoints are:

Instructure also have a few custom APIs that use the same authentication method, for example the API to look up accounts, https://canvas.instructure.com/doc/api/accounts_(lti).html

  1. The "authenticity_token" isn't part of the LTI 1.0 Security specification. I don't know what it's used for, but as far as I'm aware you can't use it to call any Canvas APIs.
  2. If you want to call any APIs that aren't LTI ones then you either need to generate an API developer key and get users to authorise the application after doing the LTI launch, or you need to generate a token as an admin and then use that token for all your requests, although if you go the admin token route watch out for rate limiting of your requests and also consider using the Masquerading parameter so that Canvas still does its permission checks.
  3. If you want to know the internal Canvas details for the user then you should add some Variable Substitutions to your LTI launch so that the additional details you need are passed across. These will appear in the custom claim of the JWT that is sent across in the LTI launch.

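An added example, not part of the original posts: reading the variable substitutions from the custom claim of a launch JWT and validating them before they are used in Canvas API requests. It assumes the launch token's signature, issuer, audience and nonce were already verified, and that the tool's key configuration defines the hypothetical custom fields `canvas_user_id=$Canvas.user.id` and `canvas_course_id=$Canvas.course.id`; the sample claims are constructed.

```python
import re
from urllib.parse import urlencode

# Claim name defined by the LTI 1.3 core specification.
CUSTOM_CLAIM = "https://purl.imsglobal.org/spec/lti/claim/custom"

# Assumed custom-field names, chosen by the tool in its LTI key configuration.
FIELDS = ("canvas_user_id", "canvas_course_id")


class LaunchError(ValueError):
    """The launch does not carry usable Canvas ids."""


def canvas_ids(verified_claims: dict) -> dict:
    """Return Canvas-internal ids from an already signature-verified launch."""
    custom = verified_claims.get(CUSTOM_CLAIM)
    if not isinstance(custom, dict):
        raise LaunchError("no custom claim; add variable substitutions to the tool")
    ids = {}
    for name in FIELDS:
        value = str(custom.get(name, ""))
        if value.startswith("$"):
            # A variable that was not expanded can arrive as its literal name.
            raise LaunchError(f"{name} was not substituted: {value}")
        if not re.fullmatch(r"[0-9]{1,20}", value):
            # Reject anything non-numeric before it reaches a URL path.
            raise LaunchError(f"{name} is not a numeric id: {value!r}")
        ids[name] = int(value)
    return ids


def course_request(ids: dict, masquerade: bool = False) -> str:
    """Build the course API path; as_user_id is Canvas's masquerading parameter."""
    path = f"/api/v1/courses/{ids['canvas_course_id']}"
    if masquerade:  # only relevant when calling with an admin token
        path += "?" + urlencode({"as_user_id": ids["canvas_user_id"]})
    return path


# Constructed sample: claims as they look after JWT verification and decoding.
SAMPLE = {
    "sub": "constructed-lti-sub-0001",
    CUSTOM_CLAIM: {"canvas_user_id": "4521", "canvas_course_id": "118"},
}

if __name__ == "__main__":
    print(course_request(canvas_ids(SAMPLE), masquerade=True))
```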