Community Member

LTI consumer key and shared secret.

I am looking at the following library for LMS integration:

GitHub - smtech/oauth2-canvaslms: This package provides Canvas LMS OAuth 2.0 support for the PHP Lea... 

I am confused about where the 'consumer key' and 'shared secret' are used in the LTI tool. The example:

```php
<?php
require_once __DIR__ . '/vendor/autoload.php';   // Composer autoloader, needed for the provider class below

use smtech\OAuth2\Client\Provider\CanvasLMS;

session_start();

/* anti-fat-finger constant definitions */
define('CODE', 'code');
define('STATE', 'state');
define('STATE_LOCAL', 'oauth2-state');

$provider = new CanvasLMS([
    'clientId' => '160000000000127',
    'clientSecret' => 'z4RUroeMI0uuRAA8h7dZy6i4QS4GkBqrWUxr9jUdgcZobpVMCEBmOGMNa2D3Ab4A',
    'purpose' => 'My App Name',
    // SCRIPT_NAME already starts with '/', so no extra separator (it produced a double slash)
    'redirectUri' => 'https://' . $_SERVER['SERVER_NAME'] . $_SERVER['SCRIPT_NAME'],
    'canvasInstanceUrl' => ''
]);

/* if we don't already have an authorization code, let's get one! */
if (!isset($_GET[CODE])) {
    $authorizationUrl = $provider->getAuthorizationUrl();
    $_SESSION[STATE_LOCAL] = $provider->getState();
    header("Location: $authorizationUrl");
    exit;

/* check that the passed state matches the stored state to mitigate cross-site request forgery attacks */
} elseif (empty($_GET[STATE]) || $_GET[STATE] !== $_SESSION[STATE_LOCAL]) {
    unset($_SESSION[STATE_LOCAL]);
    exit('Invalid state');

} else {
    /* try to get an access token (using our existing code) */
    $token = $provider->getAccessToken('authorization_code', [CODE => $_GET[CODE]]);

    /* do something with that token... (probably not just print to screen, but whatevs...) */
    echo $token->getToken();
    exit;
}
```

Does not appear to use them.

5 Replies
Community Member

Also - I don't see consumer key or shared secret mentioned at all here:

OAuth2 - Canvas LMS REST API Documentation 

Community Member

just as a reference, I am using the following as a guide:

GitHub - mcjelewis/threadz: Threadz is a discussion visualization tool that adds real-time graphs an... 

In the code here it appears to use an OAuth2 mechanism?

Community Champion


I think this is how it works, but someone can correct me if I'm wrong without hurting my feelings. I'm speaking in general, not specifically about the library you're referring to.

The consumer key is used to let your software know which [Canvas] instance / organization is making the call. Use of it within your software is optional, but if you have more than one client connecting and want to make sure that you can tell them apart, then you should implement it. Also, if you are charging and want the ability to revoke someone's license when they don't pay, then you need some way to tell them apart and you need to invoke it. If you are making a publicly available resource and don't need to restrict people from using it, then you can tell them to put in anything they want and you just ignore it on your end.

The consumer key shows up in the LTI call as the oauth_consumer_key field. On your end, you should look up the information associated with that ID and find the secret key that you told the customer to use. This is most likely done before you invoke the LTI library since the LTI library needs to know the secret key to do its magic. You may find a library that handles this for you (I haven't looked into the libraries, including the one you're using). If you're not using the consumer key, then you can hard-code the secret key into the application. The secret key isn't transmitted directly in the request (that would defeat the security) by Canvas, but it is used to create the oauth signatures. If the secret key in Canvas doesn't match the secret key you have on your end, then the signatures won't match, and the oauth library you're using won't be able to authenticate and the library will reject the LTI attempt.
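
The lookup-then-verify flow described in the reply above, as an added example that is not code from oauth2-canvaslms or from anyone in this thread: the tool provider reads oauth_consumer_key from the launch POST, selects that customer's shared secret, recomputes the OAuth 1.0a HMAC-SHA1 signature and rejects the launch when it does not match. CONSUMER_SECRETS, the launch URL and every key, secret and launch value are constructed sample data, not real Canvas values.

```php
<?php
// Added example, not code from oauth2-canvaslms or from this thread: how a tool
// provider checks an LTI 1.1 launch. oauth_consumer_key selects the shared
// secret; the secret is never sent, it signs the request (OAuth 1.0a HMAC-SHA1).
// All keys, secrets and launch values below are constructed sample data.

// Hypothetical per-customer store: consumer key => shared secret.
const CONSUMER_SECRETS = ['school-a' => 'secret-for-school-a'];

// OAuth 1.0a base string for a form POST to $url, which must be the launch URL
// exactly as configured in Canvas (scheme, host, path; no query string).
function lti_base_string(string $url, array $params): string {
    unset($params['oauth_signature']);            // the signature never signs itself
    $pairs = [];
    foreach ($params as $k => $v) {
        $pairs[] = rawurlencode($k) . '=' . rawurlencode((string)$v);
    }
    sort($pairs, SORT_STRING);                    // byte-order sort, as the spec requires
    return 'POST&' . rawurlencode($url) . '&' . rawurlencode(implode('&', $pairs));
}

function lti_sign(string $secret, string $base): string {
    // LTI has no token secret, so the HMAC key is "<secret>&".
    return base64_encode(hash_hmac('sha1', $base, rawurlencode($secret) . '&', true));
}

// Returns null when the launch is acceptable, otherwise the reason to reject it.
function verify_lti_launch(string $url, array $post, int $now, int $maxSkew = 300): ?string {
    $key = $post['oauth_consumer_key'] ?? '';
    if (!isset(CONSUMER_SECRETS[$key])) {
        return 'unknown consumer key';            // never issued, or licence revoked
    }
    if (abs($now - (int)($post['oauth_timestamp'] ?? 0)) > $maxSkew) {
        return 'stale timestamp';                 // also record oauth_nonce to stop replays
    }
    $expected = lti_sign(CONSUMER_SECRETS[$key], lti_base_string($url, $post));
    if (!hash_equals($expected, (string)($post['oauth_signature'] ?? ''))) {
        return 'bad signature';                   // secrets differ or the POST was altered
    }
    return null;
}

// Constructed launch, signed the way the consumer would sign it, then checked.
$url = 'https://tool.example.com/launch';
$launch = ['lti_message_type' => 'basic-lti-launch-request', 'lti_version' => 'LTI-1p0',
           'resource_link_id' => 'r1', 'oauth_consumer_key' => 'school-a',
           'oauth_signature_method' => 'HMAC-SHA1', 'oauth_timestamp' => (string)time(),
           'oauth_nonce' => bin2hex(random_bytes(8))];
$launch['oauth_signature'] = lti_sign('secret-for-school-a', lti_base_string($url, $launch));
var_dump(verify_lti_launch($url, $launch, time()));          // correctly signed launch
$launch['oauth_signature'] = lti_sign('wrong-secret', lti_base_string($url, $launch));
var_dump(verify_lti_launch($url, $launch, time()));          // signed with a mismatched secret
```

Behind a reverse proxy, $url must still be the public launch URL Canvas was given, not the internal one the PHP process sees, or every signature check fails.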

Community Champion

The LTI consumer key and shared secret have nothing to do with the client id/secret mentioned at OAuth2 - Canvas LMS REST API Documentation 

The LTI consumer key and shared secret authorise and authenticate an LTI tool launch.  These are given to you by the tool provider to enter into the LTI configuration when you add it to Canvas (if doing manual configuration).

If the LTI needs to make API calls it needs to be able to obtain an access token.  For multi-user applications this should be done using the API OAuth2 workflow (OAuth2 - Canvas LMS REST API Documentation).  For this, you generate a developer key and give the client id/secret to the tool provider.

Community Participant

But all this LTI API OAuth2 Workflow stuff? Please!

Am I expected to take time away from the subject matter I teach in order to learn this foreign language? If the software can't be explained in more or less plain English, then it is not good software.

I have a prompt for Consumer Key and Shared Secret. Do I make that up? If not, where do I go to get it?