We built an LTI which in turn uses OAuth to get the currently logged-in user's info. We use this user's OAuth access and refresh tokens to pull info about the user from the /api/v1/users/self/profile endpoint. Our clients are requesting that we also pull the user's SIS ID (user_sis_id) so they can link and import data created in our system back into their Student Information System.
However, due to default permission settings, the student role typically doesn't have access to the user_sis_id field.
What is the best practice for consistently getting a user's SIS ID?
Should we have the client's Canvas admin create a new Developer Key, and then use that Key via OAuth in some admin page on our system to authenticate the admin (or an elevated user account) that has permission to view every user's SIS data? Would we then use the access and refresh tokens generated for this admin account to pull the SIS ID whenever a student logs in? It seems like with this flow we wouldn't even need to show an OAuth redirect message to the student when they access our LTI.
Any help appreciated!
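As an added illustration of the flow proposed in the question (this is example code written for this page, not code from the original poster or from Instructure): the tool keeps one admin/service account's OAuth tokens server-side, and when a student launches the LTI it looks the student up by Canvas user id with GET /api/v1/users/:id/profile, refreshing the admin access token via POST /login/oauth2/token (grant_type=refresh_token) when Canvas answers 401. The base URL, developer key id and secret, user id 42, the SIS id value, and the FakeCanvas stand-in are all constructed for the offline demo; the profile field is assumed to be `sis_user_id`, the name Canvas uses in its User object.

```python
"""Server-side SIS ID lookup with an admin OAuth token (added example, not the
original poster's code). HTTP is injected so the demo runs offline."""
import json
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple
from urllib.error import HTTPError
from urllib.parse import parse_qsl, urlencode
from urllib.request import Request, urlopen

# Adapter signature: (method, url, body or None, headers) -> (status, parsed JSON)
HttpFn = Callable[[str, str, Optional[bytes], Dict[str, str]], Tuple[int, dict]]


def urllib_http(method: str, url: str, body: Optional[bytes],
                headers: Dict[str, str]) -> Tuple[int, dict]:
    """Real adapter for production; the offline demo below does not call it."""
    req = Request(url, data=body, headers=headers, method=method)
    try:
        with urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except HTTPError as e:
        return e.code, {}


@dataclass
class AdminTokens:
    access_token: str
    refresh_token: str


class CanvasAdminClient:
    """Holds the service account's tokens on the server; students never see them."""

    def __init__(self, base_url: str, client_id: str, client_secret: str,
                 tokens: AdminTokens, http: HttpFn = urllib_http):
        self.base_url = base_url.rstrip("/")
        self.client_id, self.client_secret = client_id, client_secret
        self.tokens, self.http = tokens, http
        self.refreshes = 0  # bookkeeping so callers can see a refresh happened

    def _refresh(self) -> None:
        body = urlencode({"grant_type": "refresh_token", "client_id": self.client_id,
                          "client_secret": self.client_secret,
                          "refresh_token": self.tokens.refresh_token}).encode()
        status, data = self.http("POST", f"{self.base_url}/login/oauth2/token", body,
                                 {"Content-Type": "application/x-www-form-urlencoded"})
        if status != 200 or "access_token" not in data:
            raise RuntimeError(f"token refresh failed: HTTP {status}")
        self.tokens.access_token = data["access_token"]
        self.refreshes += 1

    def get_profile(self, canvas_user_id: int) -> dict:
        # Only accept an integer id taken from the verified LTI launch: an admin
        # token plus a caller-controlled id is an open SIS ID oracle (IDOR).
        if not isinstance(canvas_user_id, int) or canvas_user_id <= 0:
            raise ValueError("canvas_user_id must be a positive integer from the launch")
        url = f"{self.base_url}/api/v1/users/{canvas_user_id}/profile"
        auth = lambda: {"Authorization": f"Bearer {self.tokens.access_token}"}
        status, data = self.http("GET", url, None, auth())
        if status == 401:  # access token expired: refresh once and retry
            self._refresh()
            status, data = self.http("GET", url, None, auth())
        if status != 200:
            raise RuntimeError(f"profile lookup failed: HTTP {status}")
        return data


def sis_id_for_launch(client: CanvasAdminClient, launch_user_id: int) -> Optional[str]:
    """Called on each LTI launch; returns None if the user has no SIS id set."""
    return client.get_profile(launch_user_id).get("sis_user_id")


class FakeCanvas:
    """Constructed stand-in for a Canvas instance: one user, one valid token."""

    def __init__(self):
        self.valid_access = "fresh-token"  # the only access token it accepts
        self.users = {42: {"id": 42, "name": "Pat Student", "sis_user_id": "S00012345"}}

    def __call__(self, method, url, body, headers):
        if method == "POST" and url.endswith("/login/oauth2/token"):
            p = dict(parse_qsl(body.decode()))
            if p.get("grant_type") == "refresh_token" and p.get("refresh_token") == "rt-secret":
                return 200, {"access_token": self.valid_access, "token_type": "Bearer"}
            return 401, {}
        if headers.get("Authorization") != f"Bearer {self.valid_access}":
            return 401, {}
        uid = int(url.rsplit("/", 2)[-2])
        return (200, self.users[uid]) if uid in self.users else (404, {})


def demo() -> Tuple[Optional[str], int]:
    """Start with an expired admin token; expect one refresh and the SIS id."""
    client = CanvasAdminClient("https://canvas.example.edu", "10000000000001", "dk-secret",
                               AdminTokens("expired-token", "rt-secret"), http=FakeCanvas())
    return sis_id_for_launch(client, 42), client.refreshes


if __name__ == "__main__":
    print(demo())
```

The point to watch in this design is that the admin token is a long-lived service credential: the student's Canvas user id must be taken from the signed LTI launch (or from the student's own OAuth session), never from a query parameter, and the developer key should be limited to the endpoints this lookup actually needs, with the refresh token stored like any other secret.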