cancel
Showing results for 
Search instead for 
Did you mean: 
chris_morgan
Surveyor II

Can we configured LTI App for a particular user or course?

Jump to solution

I created a different developer key and LTI configuration for each teacher.  When I went to test the LTI app by masquerading as the Teacher, the popup was asking to authorize the last configuration that I generated. 

Can we configured LTI App for a particular user or course? If yes. please help us.

1 Solution

Accepted Solutions
phanley
Explorer III

I created a different developer key and LTI configuration for each teacher.  When I went to test the LTI app by masquerading as the Teacher, the popup was asking to authorize the last configuration that I generated. 

To expand Colin's response a little bit -- while you can't set a different key/secret you can either:

  • Create a tool for a domain and then create different course links (via modules, assignments, etc.) to different tools - the downside to this is that all links to the domain share a single configuration
  • You can create multiple tools that go to different urls on the same server, and these can each have their own configuration (key/secret and LTI Variable Substitutions)

However, I am suspecting from your question that the problem you're describing is related to sessions on your tool provider host and not LTI configuration.  

On your LTI launch page, make sure that you are resetting the session every time the page is loaded, or checking to see if the existing session is for the same user.  I'm not sure which language you're using, but in PHP it would be something like:

require_once 'vendor/ims-blti/blti.php';

    if ($_POST) {
        $lti = new BLTI(get_lti_secret(), true, false);

        if ($lti->valid) {
            session_start();
            $user_id = $_POST['custom_canvas_user_login_id'];

            // if session is set for someone else (due to masquerade) reset the $_session
            if ($_SESSION["USER_ID"] !== $user_id) {
                session_unset();
            }
            // etc. , etc.

View solution in original post

5 Replies
ericwerth
Community Coach
Community Coach

Hello  @chris_morgan , I am not familiar enough with LTI to answer your question, but I am going to share it with https://community.canvaslms.com/groups/canvas-developers?sr=search&searchId=fa23d9b2-5dba-453c-96ba-...‌ to see if anyone there can provide some insight.  You might consider joining this group and reviewing the resources posted here if you have not already.

Good luck!

ColinMurtaugh
Adventurer III

Hi Chris --

I'm not sure how you've got your test course(s) set up, but it's not possible to have separate key/secret configurations within the same course.  Since the key and secret are part of the details that you configure when you install the tool in the course, they're shared by all users who access the tool in the context of that course.

The key and secret aren't intended to be used to authenticate individual users; instead, they're used to authenticate the communication between the tool consumer and the tool provider. They are what allow you to check the authenticity of the other data that your tool is getting from the LMS, and then you can use that data to identify the user, course context, etc. 

The developer key also isn't meant to be tied to a specific user; it's what allows your tool to authenticate itself to the LMS and go through the process of obtaining a user token which then can be used to make API requests as that specific user.

I hope I'm understanding your question correctly! 

--Colin

phanley
Explorer III

I created a different developer key and LTI configuration for each teacher.  When I went to test the LTI app by masquerading as the Teacher, the popup was asking to authorize the last configuration that I generated. 

To expand Colin's response a little bit -- while you can't set a different key/secret you can either:

  • Create a tool for a domain and then create different course links (via modules, assignments, etc.) to different tools - the downside to this is that all links to the domain share a single configuration
  • You can create multiple tools that go to different urls on the same server, and these can each have their own configuration (key/secret and LTI Variable Substitutions)

However, I am suspecting from your question that the problem you're describing is related to sessions on your tool provider host and not LTI configuration.  

On your LTI launch page, make sure that you are resetting the session every time the page is loaded, or checking to see if the existing session is for the same user.  I'm not sure which language you're using, but in PHP it would be something like:

require_once 'vendor/ims-blti/blti.php';

    if ($_POST) {
        $lti = new BLTI(get_lti_secret(), true, false);

        if ($lti->valid) {
            session_start();
            $user_id = $_POST['custom_canvas_user_login_id'];

            // if session is set for someone else (due to masquerade) reset the $_session
            if ($_SESSION["USER_ID"] !== $user_id) {
                session_unset();
            }
            // etc. , etc.

View solution in original post

chofer
Community Coach
Community Coach

Hello there,  @chris_morgan ...

I have been reviewing older questions here in the Canvas Community, and I stumbled upon your question.  While I don't really have any answer for you myself, I did want to check in with you because we've not heard from you since you first posted this question on February 6, 2018.  It looks as though 50581462 and  @phanley  have given you some useful information here.  Have you had an opportunity to review their replies?  If so, did either of their responses help to answer your question?  Do you have any outstanding questions as it relates to your original question?  If you feel that either Colin's or Peter's response has helped to answer your question, please go ahead and mark it as "Correct".  However, if you are still looking for some assistance with this question, please let us know that as well by posting a message below.  For now, I am going to mark your question as "Assumed Answered" because we've not heard back from you in almost four months an because there hasn't been much new activity in this topic for about the same amount of time.  However, that will not keep you or others from posting additional questions and/or comments below which are related to this topic.  I hope that's alright with you, Chris.  Looking forward to hearing back from you soon.

Thanks for you response, Peter's response is helpful for me.