Found this content helpful? Log in or sign up to leave a like!

Any way to use OpenID Connect authentication directly for SSO without requiring an LTI Launch starting in Canvas?

Jump to solution
DanJohnson
Community Member
‎10-08-2023 06:39 PM

Launching a tool from within canvas works fine for intructors but occasionally users may need to access the tool directly without clicking from from a course.

Open ID Connect does allow for this, but when we try to authenticate this way we receive an error from Canvas stating that is a bad request and that "lti_message_hint" is not provided and when we do provide it (base64 url encoded with the canvas_domain) then it gives us a bad request "Invalid lti_message_hint" and we can't see how to make this work.

Is there any way to authenticate with the Lti Key using Open ID connect, in the same way that we can do that using the oauth flow for the regular developer keys?

If we did want to use Canvas for SSO without requiring an Lti launch, are we looking at the wrong place?

Thanks
Dan

3.1.2.1 of the below covers the auth request.
https://openid.net/specs/openid-connect-core-1_0.html

This is basically and example of what we are submitting when we get the bad request responses.
https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html

https://sso.canvaslms.com/api/lti/authorize_redirect?
   response_type=id_token
   &response_mode=form_post
   &client_id=some_client
   &scope=openid
   &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcallback
   &state=DcP7csa3hMlvybERqcieLHrRzKBra
   &nonce=2T1AgaeRTGTMAJyeDMN9IJbgiUG

 

0 Likes
1 Solution

Jump to solution
matthew_buckett
Community Contributor
‎10-09-2023 02:26 AM

As far as I'm aware it's not possible to use a LTI Developer Key to allow users to directly login to your application (ie without them clicking on something in Canvas). However if you create an API Developer Key then you can use that to get the user to login to your application, you need to use the scope=/auth/userinfo parameter as outlined on: https://canvas.instructure.com/doc/api/file.oauth.html#oauth2-flow

This should allow you to get the ID of the user who is logged into Canvas and then as long as you saved the ID of the user from the LTI launch (it's not passed by default) you should be able to log the user into the correct account.

 

View solution in original post