Community Help

blended-hari · ‎05-29-2023

Hello!

I'm currently developing an LTI tool for Canvas (1.3/Advantage).

I've followed this documentation, and got a basic version working for Resource Links:

A user clicks on the resource link from Canvas.
Canvas calls the /login endpoint on my LTI tool, which sends back an auth request.
Canvas calls the /launch endpoint on my LTI tool, with an id token for the user.
My LTI tool then verifies the token is valid and displays the link.

(I've also got deep linking working using this system.)

However, my main web app currently uses Auth0 for authentication. And so, as things stand, once a user is redirected to my app, they would then have to create an account or login separately, in order to access everything. I then manually connect their Canvas user ID with their Auth0 user ID for e.g. grade syncing.

Obviously, this is less than ideal.

Instead, I would love Auth0 to 'recognise' the user from Canvas – so that users did not have to create a separate account, but could still access the full functionality as if they had registered on my app independently of Canvas (i.e. they log in just once into Canvas, and can then access everything as normal).

Unfortunately, I'm relatively inexperienced with auth, so I'm not sure which docs to search for – or whether this is even possible with Canvas 😅 Would anyone be able to point me in the right direction?

Thanks in advance!

Best wishes,
Hari.

sendres · ‎06-09-2023

Hi @blended-hari,

Picture a building with two doors. Each door is keyed differently, but they both secure the same premises. In a similar way, Auth0 and LTI are two different ways to provision and log in to your app.

I too am relatively new to developing LTI applications but am experienced in administering them. It sounds like you're redirecting your LTI users to Auth0. Instead, you want to refactor your main app code so that Auth0 and LTI are both "separate but equal" identity providers within your app.

I assume you have a mechanism in your app by which a new user can create an account and get in through Auth0. That code probably is in some "create a user via Auth0" and/or "login via Auth0" modules somewhere. What you'd do is create another version of that code that instead accepts the user's information that's passed over via the LTI launch.

In a perfect world, launching the LTI should:

use the LTI launch data to associate the Canvas user with their current app user account, if one exists,
use the LTI launch data to create a new app user account for the Canvas user if they haven't used your app before, and then
use the LTI launch data to log the user into your app in a manner equivalent to if they had logged in with Auth0.

In other words, Auth0 and LTI are parallel to each other, not one in front of the other. LTI should not send the user to Auth0, but rather bypass Auth0.

Does that help?

Developing an LTI tool with Auth0

auth0

LTI

Marking planner items complete then incomplete the...

Toggling planner items complete, then incomplete, ...

Gray screen for Microsoft OneDrive LTI - Local hos...

Microsoft OneDrive LTI

Common Cartridge Import - Link Matching Logic

Python GUI app to update assignment due dates

Marking planner items complete then incomplete the...

Toggling planner items complete, then incomplete, ...

Identifying duplicate users for merge

Retrieve Data On Rubric Criteria And Completion

You're signed out

Developing an LTI tool with Auth0

Community Help

View our top guides and resources: