NextJS example of an LTI 1.3 tool with several placements set up for Canvas.
Secrets are for a dev environment and are obviously not secret.
See LTI OpenID Connect Launch Flow and LTI Launch Details.
Handled here in `src/pages/api/lti.js`.
- LMS makes an LTI resource link launch request
  - unsecured
- Tool redirects with an authentication request
- LMS may then go through its own auth flow
- LMS makes an authentication callback
  - includes signed JWT to be verified by tool
- Tool redirects to the requested resource
As the tool redirects to the resource, it can store the LTI claims, using those to authenticate against the tool and personalize/contextualize the resource.
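The checks the tool needs on the authentication callback before it trusts and stores any claim, as an added example (not the code in `src/pages/api/lti.js`). The names `verifyLaunch`, `signSample` and `expected`, the issuer `https://lms.example` and the client id `client-123` are assumptions, and a throwaway key pair stands in for the LMS's signing key.

```javascript
const crypto = require('node:crypto');

const LTI = 'https://purl.imsglobal.org/spec/lti/claim/';
const b64u = (v) => Buffer.from(v).toString('base64url');
const fail = (reason) => ({ ok: false, reason });

// Verify the id_token posted by the LMS. `expected` holds what the tool registered
// (issuer, clientId) and what it stored when it redirected (state, nonce).
function verifyLaunch(idToken, postedState, platformKey, expected, now = Date.now() / 1000) {
  if (postedState !== expected.state) return fail('state mismatch');
  const parts = idToken.split('.');
  if (parts.length !== 3) return fail('malformed jwt');
  const [h, p, s] = parts;
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(h, 'base64url').toString());
    claims = JSON.parse(Buffer.from(p, 'base64url').toString());
  } catch { return fail('malformed jwt'); }
  // Pin the algorithm; the token header must not be allowed to choose it.
  if (header.alg !== 'RS256') return fail('unexpected alg');
  const sigOk = crypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`), platformKey, Buffer.from(s, 'base64url'));
  if (!sigOk) return fail('bad signature');
  if (claims.iss !== expected.issuer) return fail('wrong issuer');
  if (![].concat(claims.aud).includes(expected.clientId)) return fail('wrong audience');
  if (typeof claims.exp !== 'number' || claims.exp <= now) return fail('expired');
  // The caller should delete the stored state and nonce after one use.
  if (claims.nonce !== expected.nonce) return fail('nonce mismatch');
  if (claims[LTI + 'version'] !== '1.3.0') return fail('not LTI 1.3');
  return { ok: true, claims };
}

// Constructed sample data: key pair, registration values and token are made up.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
function signSample(claims, header = { alg: 'RS256', typ: 'JWT' }) {
  const input = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(claims))}`;
  return `${input}.${crypto.sign('RSA-SHA256', Buffer.from(input), privateKey).toString('base64url')}`;
}
const expected = { issuer: 'https://lms.example', clientId: 'client-123', state: 'st-1', nonce: 'n-1' };
const sampleClaims = {
  iss: expected.issuer, aud: expected.clientId, nonce: expected.nonce,
  exp: Math.floor(Date.now() / 1000) + 300,
  [LTI + 'version']: '1.3.0',
  [LTI + 'message_type']: 'LtiResourceLinkRequest',
};
const sampleToken = signSample(sampleClaims);
console.log(verifyLaunch(sampleToken, 'st-1', publicKey, expected).ok);
```

In a real tool the verification key is looked up in the platform's published JWK set by the token's `kid` rather than passed in directly.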
In this case, one of the LTI claims will be `deep_link_return_url`. When the user has used the tool to choose a resource, the tool should post the content as an `ltiResourceLink` to the return URL (via a signed JWT parameter).
When the user visits a deeply linked assignment, an AGS claim for `lineitem` will be present, which can then be used to make API requests. Requests are encrypted using the tool's published JWK keyset.
For example, Canvas allows a submission to be attached to an assignment via its score service. If the submission is attached with type `basic_lti_launch` and a URL, Canvas will display the URL (via an `LtiResourceLinkRequest`, as above) in its grading and submission pages.