I am building an LTI app and have some questions about ContentItemSelection in the context of a launch in Canvas.
I am developing against Canvas running all the Canvas services in Docker containers via docker-compose of off branch "stable". I have successfully been able to do a basic, authenticated, LTI Launch Request against the Tool Provider I'm developing.
I now want to extend this so as to be able to let educators choose their content and create an LTI launch link dynamically, via ContentItemSelection.
I am using the instructure/ims-lti Ruby library, running in a Rack application, in order to authenticate signed messages. This is working fine.
I have now configured my external tool through Canvas via an XML doc, from the canvas website, here, for a placement in Assignments - https://canvas.instructure.com/doc/api/file.content_item.html
Now that I have my tool configured in canvas I see the request coming into my TP as a "ContentItemSelectionRequest" with a "content_item_return_url" parameter. This is good, and what I expect.
At this point, when the request is received server side, I am turning around and, for testing purposes, POSTing to the "content_item_return_url", server-side ( not in the browser via AJAX ) with a payload that I am building using the ims/lti repo, using an instance of IMS::LTI::Models::Messages::ContentItemSelection that has one ContentItem that is an instance of IMS::LTI::Models::ContentItems::LtiLinkItem. When serialized the payload matches that described in in the aforementioned canvas api docs (see link above).
From here it is unclear what is supposed to happen.
The response from my unsigned POST from the TP to Canvas at the "content_item_return_url" is, on inspection, what seems to be a rendering of the Canvas LMS login page. I'm assuming that means I'm unauthenticated and am being directed to log in. However, the "accept_unsigned" param is true in the original request to the TP. Also, I am including the "data" param, which looks to be a JWT token, as described in the IMS docs:
An opaque value which should be returned by the TP in its response.
So, what does a proper response to the POST to "content_item_return_url" look like?
Next, from the IMS docs it says
A user should always be redirected back to the TC using an auto-submitted form as an HTTP POST request; this return message may, or may not, be signed.
This is confusing; how is one supposed to be returned to the TC via a POST? Is there supposed to be a redirect to the "content_item_return_url" after the POST to the "content_item_return_url"? Does canvas automagically know to send you back once an AJAX call has been made to the "content_item_return_url" in the browser? (Remember I am POSTing here server side).
So currently, after I make the POST with the content-items (which seems unsuccessful ), I am doing an explicit redirect back to the "content_item_return_url" ( which is the only "*_return_url" param I have available ). I get a spinner in the external tool modal in Canvas, however, no data is populated in the LTI link space and I get an error, of which I have attached an image.
Could you please elaborate on the ContentItemSelection flow and it's implementation in Canvas, the expected response to the POST from the TP to the TC for a ContentItemSelectionRequest, and the redirection the is supposed to happen?