With an LTI 1.1 tool, you can have an LTI connect without having to coordinate a client ID and secret. That is, you can ignore whatever is there, but that makes your system pretty open. Setting up a separate OAuth system is not required for LTI 1.1, but you wouldn't be able to act as the user if you weren't going through the OAuth process. If you had an access token generated through Canvas that was capable of making requests, then you could use the Public setting for the privacy and get the information, then use the pre-generated token to fetch the information you needed.
Issues:
- That is very insecure without the secrets to the authorization part.
- Tokens had the full permissions of the user from which they were created. If you're using an admin token because you need to do something like masquerade as another user, then you had full admin rights. That is a huge security risk to give to students.
- LTI 1.1 has been deprecated. There are patches to add more security, but Canvas has said they're so major that they will not implement them and people need to go to LTI 1.3.
External apps that support LTI 1.3 and LTI Advantage require configuration using a client ID. This can be configured by the local Canvas administrator where they can also scope what permissions you are granted. LTI 1.3 apps must be configured by an admin before they can be added to the account or course so people can use them. The client ID and secret are used as part of the launch process.
OAuth2 allows you to perform actions as a user without getting their password. Applications in use by multiple users must use OAuth2. Asking someone to manually generate a password and enter it into your application is a violation of the terms of service. This is true for both LTI 1.1 and LTI 1.3. The reason that my LTI 1.1 was able to get by without OAuth2 is that I didn't make any API calls on their behalf; I just managed things in a local database. I did use the Public privacy setting because I needed their SIS ID.