I'm hoping someone can clarify a few things with regard to Developer Keys and OAuth2 access tokens.
Canvas allows me to create two types of Developer Keys: API Key and LTI Key.
When I create an API Key and configure it via an XML configuration file, I do not need to specify any scopes. Later, when I use this API Key to trigger an OAuth2 flow, I can successfully launch my application and request an unscoped OAuth2 access token for the launching Canvas user using the authorization_code grant. Finally, I can use this token to access the Canvas API on behalf of my user.
But when I create an LTI Key and configure it via a JSON configuration file, I cannot omit scopes. According to the documentation (Configuring LTI Advantage Tools - Canvas LMS REST API Documentation) the scopes I provide will "be allowed when using the client_credentials grant to access LTI services." I am reading this to mean that these scopes have no effect on the user-based OAuth2, since that uses the authorization_code grant. Nevertheless, I have added the complete list of scopes from the documentation (Configuring LTI Advantage Tools - Canvas LMS REST API Documentation) to my JSON configuration file (since I cannot omit them).
Having done this, I am still unable to request an unscoped OAuth2 access token for the launching Canvas user using the authorization_code grant -- when I attempt to do so, I receive an invalid_scope error.
If I add valid API scopes to my OAuth2 flow, such as url:GET|/api/v1/users/:user_id/courses, I still receive an invalid_scope error. In fact, the only scopes I can add without receiving this error are scopes that exist in my JSON configuration file, which are limited to IMS-specific ones like https://purl.imsglobal.org/spec/lti-ags/scope/lineitem. Unfortunately, this means that the access token generated by the OAuth2 flow does not allow me to access the Canvas API on behalf of my user -- when I attempt to do so, I receive an Insufficient scopes on access token error.
So to summarize, when I use an API Key, I can run a user through the OAuth2 flow, generate an access token, and use it to access the Canvas API. When I use an LTI Key, I can run a user through the OAuth2 flow, generate an access token, but cannot use that token to access the Canvas API.
So my questions are:
- Is the preferred and correct way to build a Canvas integration to use an LTI Key? If so, what am I missing?
- Can I use OAuth2 tokens generated via an LTI Key Developer Key to access arbitrary Canvas endpoints?