Hi there, @kasey ...
I am assuming that you are a Canvas administrator and that you are looking at the information that is described in this Guide, https://community.canvaslms.com/docs/DOC-12586-4214674984 (specifically the information under the "Edit Login" section). When you click on "more...", you are shown information as you've described...including "Current login IP" and and "Last login IP". Unfortunately, that Guide does not describe that information at all, but I think it would be helpful for people to know. (I searched other Guides in that section, and I couldn't find anything.) You might want to post a comment to the bottom of the Guide that I linked to asking the Canvas Docs Team to include this information in the Guide.
I hope this helps a bit, Kasey. Please let Community members know if you have any other questions about this. Stay safe, be well.
Last request would suggest last activity (sending a page request) anywhere in the Canvas system. But this is not the case. Looking at the source code, it's tied to the last_login_time field of the pseudonym. So all three values there are login times, which may mean nothing depending on how the mobile app works (below I show a student how has been using the App as of May 4, but the current login and last request are from May 2).
This definitely is not the same as last activity in a course, which is the value available to teachers and admins in the People page of the course. However, I'm not so sure that everything counts as requests.
Current login is the last time that they logged into Canvas (authenticated themselves). Note that this may seem really out of date for people using the app as it may keep them logged in for a long time.
Last login refers to the previous time that they logged into Canvas (authenticated themselves).
I would take all of those with a grain of salt and more of a suggestion than documented evidence of doing something. That same student I showed the stats for above has Page Views two days later, yet they don't qualify as Activity.
Now you might be thinking -- okay, mobile app doesn't count as activity for that login. But surely doing something in a course would.
Here's more of that student's Page Requests
Notice that there's not a 11:45 pm timestamp. It is known that not every request shows up in Page Views, though. Otherwise it would get filled with API requests from the mobile app.
I went into a class that student was in at 11:49 pm on May 2 and looked at the people page. Here's what it shows:
So, what is the last request? My working conjecture at this point is that it represents the last time that the user authenticated, perhaps automatically when a login token was renewed. We use a single-sign-on (SSO) and after a while, Canvas requests to renew / refresh that token. Maybe that counts as last_request_at. Maybe it's an external tool request that required authentication.
The May 2 at 2:37 pm "current login" is localtime (CDT) and that's 17:37 UTC. When I look at the page requests at that time, there is a request to our SSO system. That makes sense, the student went to our login page and logged in at that time.
Now the question is what happened at 11:45 pm? Well, that's 04:45 on May 3 in UTC. Unfortunately, Canvas Data lags behind and the latest information I have available to me at this point is 23:59 UTC on May 2. I will either have to find another student who hasn't been active in 3 days and whose last request time isn't the same as their current login or wait for another day's worth of Canvas Data files to be updated to tell.
What I'm finding is a lot of students who are active in Canvas, just not active in my course. Maybe it's because there's nothing due this week until Wednesday and they're living by the To Do list. Or I'm finding students whose last request is the same as the current login. I may have to just wait for another day's worth of the requests table and hope the information for what the student was doing at 11:45 pm can be found there.
For now I'm going to conjecture that the last_request_at is at least as current as the current_login_at, which should be newer than last_login_at. Then I'm going to go work on getting my final exam ready.
As a disappointing follow-up, I went into the requests table to see what was happening at 11:45 pm on May 2. The student made 2 calls. One was to get the unread_count, which is a call made about every minute that they're logged into the web interface, and the other was to a quiz submission event, which is what happens while taking a quiz and leads to the quiz log.
Neither of those was unique and they both happened other times in the minutes following 11:45. I even considered the case where the time rounded to 11:45 pm, but there were no other calls made that even rounded to that (unless you're rounding to the nearest 5 minutes).
I also considered that the session had changed, but it didn't, either.
It looks like something that is getting filtered from the requests table. Perhaps an OAuth2 renewal request? The student had accessed /login/oauth2/token at 10:43:21 pm. Since tickets are granted for an hour, a refresh for that would have happened after 11:43. There was a ping at 11:43:30 and then the next thing in the log was answering the question at 11:45.
The request to /login/oauth2/token was made by the Faraday user agent. They were Faraday v0.11.0 until April 20 and v0.17.3 from April 25. The requests are not coming from the IP address that the student is using, they're coming from AWS, but not one of the sites in the Canvas Whitelisting document. We've got 349 students hitting that either that login endpoint or the /api/v1/users/xxx/profile endpoint 1051 times between April 8 and May 6. The xxx is for the user making the call.
I did some additional checking on my one student and it before every Faraday call, there was an external tool resource selection API called made to . Some of these were for my course for a regular "file submit" type assignment, so it might be Canvas pulling up a list of files from somewhere.
It was the same external tool across different courses, which meant it was an account-level LTI. When I finally tracked it down, it was the Google Apps LTI. Now, that could certainly be used 1051 times by 349 students. That's probably more likely than that many students having Alexa.
Now that's not to say that the only time that the last_login is updated is when someone does a Google Apps LTI, but that the Google Apps LTI appears to update the last_login. There may be other integrations that do the same thing. Because the requests table is ordered by date and time and requests from other users may come in between the external tool request and the login request, I am taking the list of 349 students and extracting the requests table for those students, then putting them in order, and then using my grep -B1 command. I don't want to sit here with this thread waiting to post until I can get back to that, so I will go ahead and post this and perhaps get back to it later.
Again, that's only for Faraday stuff, not every time the login is called. And because there's no good way to get the last_login out of Canvas and the requests table is delayed multiple days, it's hard to check to see exactly what is going on.
The working hypothesis now is that logging some OAuth2 requests will update the last_login. It is definitely not the last time the student had meaningful activity within Canvas.