Surveyor

LTI 1.3/Advantage login_required issue

I am trying to implement an LTI 1.3 external tool. I have added the tool's URL in Canvas and am calling the Canvas authorization endpoint https://my_canvas_instance/api/lti/authorize_redirect with the GET method and the required parameters (login_hint, redirect_uri, client_id, state, lti_message_hint, prompt, nonce, response_type, response_mode, scope).

Once the endpoint is called, Canvas redirects to the tool's redirect URI with the error 'login_required' and the error description 'Must have an active user session'.

I have verified my client_id. Everything looks fine. But, this error still occurs. Can someone help me out?

7 Replies
Surveyor

Any update about this issue?

Adventurer

LTI 1.3 uses this part of the OpenID Connect specification, https://openid.net/specs/openid-connect-core-1_0.html#ThirdPartyInitiatedLogin, where the Provider (Canvas) initiates the login to the Relying Party (the tool you are writing). If you are writing a 3rd party tool and want users to log in to it using their Canvas credentials, then you are better off using OAuth 2 and the special scope: https://canvas.instructure.com/doc/api/file.oauth.html#oauth2-flow

Shouldn't Canvas provide a login screen for third party initiated login? Can you please help me with the implementation of LTI1.3 with openid connect?

In OAuth2 with the special scope, I am not getting a payload. I would require the payload (id_token) for my application.

Adventurer

Using LTI 1.3 you have to use the Third Party Initiated Login, and in that case the user is already logged in and is wanting to access a tool, so Canvas doesn't need to present a login screen. This flow is used when the user is already in Canvas and wants to use some functionality of your LTI 1.3 tool.

If you are wanting to use Canvas as an authentication source for your application then you don't need to do LTI 1.3 and can just use a standard OAuth2 flow with a scope of `/auth/userinfo` as outlined in https://canvas.instructure.com/doc/api/file.oauth.html#oauth2-flow

In that example the user accesses your application and isn't logged in, you send them off to a Canvas instance starting the OAuth2 flow, Canvas prompts them to log in (if they aren't already) and then when they return you will get the details about who the user is (but that's all).

But when the scope is /auth/userinfo, then as per the Canvas documentation (OAuth2 - Canvas LMS REST API Documentation), we will not be getting an access token. Can our application use Canvas services without an access token when the scope is /auth/userinfo?

I will need user details like first name, last name. I will also need an access token for accessing Canvas APIs.

Using LTI 1.3 with a user logged into Canvas, I am getting the error login_required. Is there a solution for this? Since Canvas doesn't need to present a login screen, should I present a login page from the tool end? Or am I doing anything wrong?

I have to integrate my tool with multiple LMSs like Canvas, Blackboard, etc. Any help please?

Adventurer

The scope /auth/userinfo allows the user to select to remember the grant so that they don't get prompted every time they log in. You can then send them back to Canvas to grant you a token with permissions to perform actions (when you get the token back you probably want to store it against the authenticated user), that way you can call the API on behalf of the user.

But all this is custom integration for Canvas and doesn't follow a standard so will need to be adapted for any other LMS/VLE (if it's even possible). Sticking to LTI 1.3/Advantage means your enhancements should be applicable to multiple LMS/VLE platforms.
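
The tool side of the third-party initiated login discussed in this thread, as an added example that is not part of the original posts or Canvas's own code. It builds the authorization request from the platform's login initiation and checks the response posted to the redirect URI; with `prompt=none` the platform shows no login screen, so the URL has to be followed by the user's browser, which holds the platform session. The registration values, hostnames and function names are assumptions made for illustration.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed registration values; real ones come from the platform's tool registration.
REGISTRATION = {
    "issuer": "https://lms.example.edu",
    "client_id": "example-client-id",
    "auth_endpoint": "https://lms.example.edu/api/lti/authorize_redirect",
    "redirect_uri": "https://tool.example.com/lti/launch",
}

def build_auth_redirect(login_params, session):
    """Step 2 of the flow: answer the platform's login initiation request.
    Returns the URL the user's browser must be redirected to (HTTP 302)."""
    if login_params.get("iss") != REGISTRATION["issuer"]:
        raise ValueError("login initiation from an unregistered issuer")
    if not login_params.get("login_hint"):
        raise ValueError("login_hint missing: request did not come from the platform")
    # state binds the response to this browser session; nonce binds the id_token.
    session["lti_state"] = secrets.token_urlsafe(32)
    session["lti_nonce"] = secrets.token_urlsafe(32)
    query = {
        "scope": "openid",
        "response_type": "id_token",
        "response_mode": "form_post",
        "prompt": "none",  # no login screen; platform expects an existing session
        "client_id": REGISTRATION["client_id"],
        "redirect_uri": REGISTRATION["redirect_uri"],
        "login_hint": login_params["login_hint"],  # echoed back unchanged
        "state": session["lti_state"],
        "nonce": session["lti_nonce"],
    }
    if "lti_message_hint" in login_params:
        query["lti_message_hint"] = login_params["lti_message_hint"]
    return REGISTRATION["auth_endpoint"] + "?" + urlencode(query)

def handle_auth_response(form, session):
    """Step 3: check the form posted to redirect_uri. Returns the raw id_token,
    whose signature and nonce claim still have to be verified by the caller."""
    expected = session.pop("lti_state", None)  # single use
    received = str(form.get("state", "")).encode()
    if not expected or not secrets.compare_digest(received, expected.encode()):
        raise PermissionError("state mismatch or replayed response")
    if "error" in form:  # e.g. login_required when no platform session was seen
        raise RuntimeError(f"{form['error']}: {form.get('error_description', '')}")
    if "id_token" not in form:
        raise ValueError("response carries neither id_token nor error")
    return form["id_token"]
```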