What is the legit way to get user profile information?
I've been barking up multiple trees trying to make sense of this.
I am setting up an LTI 1.3 tool - and while an `id_token` during launch COULD contain the user `email` (and thus give our tool a way to ID an internal user that matches) - I know a school/district using Canvas may prefer to not include this PII in the JWT. And as such I'm trying to sort out different ways to get the user information (with a Canvas admin's full permission):
1. get manual access token from admin's account to call API to get info - violates policy (https://canvas.instructure.com/doc/api/file.oauth.html#manual-token-generation)
2. advise Canvas admin to create a "limited admin" account with constrained permissions for our Tool to generate its own access token - could this violate the same policy? I can't tell
3. do the OAuth2 in-browser flow with auth code / access token dance to get "/self/user_profile" which contains the email address; requires the individual user, e.g. a student, to "authorize" this
   - asking student's authorization feels clunky UX-wise, and also I have to imagine could be confusing to a student who is not in the business of determining what data to share between Canvas and the LTI tool
   - maybe violates another policy? (having a student authorize access to the LTI tool)
4. match on provided SIS user id in LTI variable substitutions - is this possibly the only way through without violating a policy?
Any clarification folks have here on what's on the up-and-up, what's ideal in the UX, and if there's another way through I am missing?
Best,
.dig
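
The matching described in option 4, sketched as an added example that is not part of the original post and not Canvas or IMS code: it maps a launch to a local account from the LTI 1.3 claims alone, so the `email` claim is never needed. It assumes the `id_token` was already fully verified, that the tool's configuration defines a custom field named `sis_user_id` set to `$Canvas.user.sisSourceId` (the field name is hypothetical), that a value still beginning with `$` is an unexpanded variable, and that `sis_index` and `sub_index` are hypothetical tool-side lookup tables.

```python
# Added example: map verified LTI 1.3 launch claims to a local user without email.
CUSTOM = "https://purl.imsglobal.org/spec/lti/claim/custom"
LIS = "https://purl.imsglobal.org/spec/lti/claim/lis"
DEPLOYMENT = "https://purl.imsglobal.org/spec/lti/claim/deployment_id"


def usable(value):
    """Return a stripped string, or None if empty or an unexpanded $variable."""
    if not isinstance(value, str):
        return None
    value = value.strip()
    return None if not value or value.startswith("$") else value


def resolve_local_user(claims, sis_index, sub_index):
    """Return (local_user_id or None, matched_on).

    claims: id_token claims whose signature, iss, aud, nonce and exp were
    already verified (out of scope here). sis_index and sub_index are
    hypothetical tool-side tables keyed by (scope, identifier).
    """
    sub = usable(claims.get("sub"))
    if not claims.get("iss") or not claims.get(DEPLOYMENT) or not sub:
        raise ValueError("launch is missing iss, deployment_id or sub")
    # Scope every identifier to the platform deployment so ids issued by
    # different institutions can never collide.
    scope = (claims["iss"], claims[DEPLOYMENT])

    # 1. A previously linked sub needs no PII at all.
    if (scope, sub) in sub_index:
        return sub_index[(scope, sub)], "sub"

    # 2. SIS id from the custom field, then from the LIS claim.
    custom = claims.get(CUSTOM) or {}
    lis = claims.get(LIS) or {}
    sis_id = usable(custom.get("sis_user_id")) or usable(lis.get("person_sourcedid"))
    if sis_id and (scope, sis_id) in sis_index:
        local = sis_index[(scope, sis_id)]
        sub_index[(scope, sub)] = local  # link once; later launches match on sub
        return local, "sis_user_id"
    return None, "unmatched"


# Constructed sample launch: no email claim, SIS id delivered via custom field.
SAMPLE_CLAIMS = {
    "iss": "https://lms.example.edu", "sub": "a1b2c3", DEPLOYMENT: "dep-1",
    CUSTOM: {"sis_user_id": "S-1001"},
}
```

An `unmatched` result is the point at which a tool would fall back to some other linking step, rather than guessing an account.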