Registering an LTI Tool

In order to enable an Administrator to install an application in Canvas, a tool can support the automated registration process, built on the Dynamic Registration specification mentioned here. This replaces the manual configuration process previously used to install applications to Canvas.

Overview

The automated registration process allows tools to install themselves into Canvas automatically without requiring an Administrator to manually enter configuration values. Tools provide a Canvas administrator with a pre-determined URL, which the user enters into Canvas. Canvas will direct the user to that URL, where the tool can request Canvas' OpenID configuration and provide the user with an installation UI, where they can choose tool-specific settings. The tool then installs itself using a registration token to access the registration REST JSON service. After installing, the user is returned to Canvas to confirm the installation and enable the tool.

Dynamic Registration Sequence Diagram

Initiation Request

The first part of the registration process is the registration initiation request. When an administrator enters the tool's dynamic registration URL, Canvas redirects the user with a GET request by embedding an iframe pointed to that URL with two parameters added, openid_configuration, and registration_token. The openid_configuration parameter contains the URL that the tool can use to retrieve Canvas' OpenID Configuration, and the registration_token parameter is the token used to access that URL.

At the registration initiation url, the tool should show a UI that guides the user through setting up a registration. This can include deployment-specific options for the tool. The tool can also guard this UI with a login, access code, or some other form of authentication, since the dynamic registration URL is meant to be shared publicly.

Canvas OpenID Configuration

During registration, the tool can request Canvas' OpenID configuration by sending a GET request to the url included in the openid_configuration redirect url. The tool also needs to include the registration_token in the GET request, as the bearer token in the Authorization http header:

curl -v https://canvas.instructure.com/api/lti/security/openid-configuration \
  -H "Accept: application/json" \
  -H "Authorization: Bearer {registration_token}"

Canvas' Open ID configuration contains details about itself that the tool can use to make decisions. It contains claims supported, message types, placements, variables, and information about the account the administrator is installing the tool into.

A example response looks like:

{
  "issuer": "http://canvas.instructure.com",
  "authorization_endpoint": "http://canvas.instructure.com/api/lti/authorize_redirect",
  "registration_endpoint": "http://canvas.instructure.com/api/lti/registrations",
  "jwks_uri": "http://canvas.instructure.com/login/oauth2/jwks",
  "token_endpoint": "http://canvas.instructure.com/login/oauth2/token",
  "token_endpoint_auth_methods_supported": ["private_key_jwt"],
  "token_endpoint_auth_signing_alg_values_supported": ["RS256"],
  "scopes_supported": [
    "https://purl.imsglobal.org/spec/lti-ags/scope/lineitem",
    "https://purl.imsglobal.org/spec/lti-ags/scope/lineitem.readonly",
    "https://purl.imsglobal.org/spec/lti-ags/scope/result.readonly",
    "https://purl.imsglobal.org/spec/lti-ags/scope/score",
    "https://purl.imsglobal.org/spec/lti-nrps/scope/contextmembership.readonly",
    "https://canvas.instructure.com/lti/public_jwk/scope/update",
    "https://canvas.instructure.com/lti/account_lookup/scope/show",
    "https://canvas.instructure.com/lti-ags/progress/scope/show"
  ],
  "response_types_supported": ["id_token"],
  "id_token_signing_alg_values_supported": ["RS256"],
  "claims_supported": [
    "sub",
    // ... more here
    "locale"
  ],
  "subject_types_supported": ["public"],
  "authorization_server": "canvas.instructure.com",
  "https://purl.imsglobal.org/spec/lti-platform-configuration": {
    "product_family_code": "canvas",
    "version": "vCloud",
    "messages_supported": [
      {
        "type": "LtiResourceLinkRequest",
        "placements": [
          "account_navigation",
          // ... more here
          "wiki_page_menu"
        ]
      },
      {
        "type": "LtiDeepLinkingRequest",
        "placements": [
          "assignment_selection",
          // ... more here
          "submission_type_selection"
        ]
      }
    ],
    "variables": [
      "ResourceLink.id",
      // ... more here
      "Canvas.environment.test"
    ],
    "https://canvas.instructure.com/lti/account_name": "Test University",
    "https://canvas.instructure.com/lti/account_lti_guid": "pNu5F9EoIATW6XqZ33C5tiqomb7bFJ4IGWFoCFy6:canvas-lms"
  }
}

Registration Creation

Canvas includes a URL in the OpenID configuration under the registration_endpoint key which can be used by the tool to create a registration. The tool must send a POST request to this endpoint with the tool's LTI Registration in the body and the registration_token as the bearer token in the Authorization http header.

An example request looks like:

curl \
  --header "Content-Type: application/json" \
  --request POST \
  --data '<lti_registration_body>' \
  http://canvas.instructure.com/api/lti/registrations

LTI Registration schema

Name Type Required Description
application_type "web" yes
grant_types ["client_credentials", "implicit"] yes
initiate_login_uri string yes The url that Canvas should use to initiate an LTI launch request
redirect_uris string yes Any urls that the tool can launch to.
response_types "id_token" yes
client_name string yes The name of the tool as it will appear to Administrators maintaining the integration
jwks_uri string yes The url of the tool's JSON Web Key Set
token_endpoint_auth_method "private_key_jwt" yes
scope string yes A space-separated list of scopes the tool requests access to.
https://purl.imsglobal.org/spec/lti-tool-configuration Lti Tool Configuration yes none

LTI Tool Configuration schema

Name Type Required Description
domain string yes The primary domain used by this tool.
secondary_domains Array no Additional domains used by this tool.
target_link_uri string yes The default launch url if not defined in a message
custom_parameters JSON object no Custom parameters to be included in each launch. Values must be a string
description string no A short description of the tool.
messages Array<message> yes Messages supported by the tool.
claims Array yes An array of claims to be included in each launch token.
https://canvas.instructure.com/lti/privacy_level "public" | "name_only" | "email_only" | "anonymous" no The tool's default privacy level, (determines the PII fields the tool is sent.) defaults to "anonymous"
https://canvas.instructure.com/lti/tool_id string no This is a tool-provided value that can be anything, and tools often use it to correlate themselves across deployments. Same as the tool_id field within the extensions array in the LTI 1.3 manual configuration JSON.

LTI Message schema

Name Type Required Description
type "LtiResourceLinkRequest" | "LtiDeepLinkingRequest" yes The message type.
target_link_uri string no The URL to launch to.
label string no The user-facing label to show when launching a tool.
icon_uri string no URL to an icon that will be added to the link (only for applicable placements)
custom_parameters JSON object no Custom parameters to be included in each launch. Values must be a string
placements Array no An array of placements to apply to this launch
https://canvas.instructure.com/lti/course_navigation/default_enabled boolean no Only applies if the placement is "course_navigation". If false, the tool will not appear in the course navigation bar, but can still be re-enabled by admins and teachers. Defaults to 'true'. See the "default" setting as discussed in the Navigation Tools docs.
https://canvas.instructure.com/lti/visibility "admins" | "members" | "public" no Determines what users can see a link to launch this message. The "admins" value indicates users that can manage the link can see it, which for the Global Navigation placement means administrators, but in courses means administrators and instructors. The "members" value indicates that any member of the context the link appears in can see the link, and "public" means visible to all.

example LTI Registration body:

{
  "application_type": "web",
  "client_name": "Lti Tool",
  "client_uri": "http://tool.com",
  "grant_types": ["client_credentials", "implicit"],
  "jwks_uri": "http://tool.com/jwks",
  "initiate_login_uri": "http://tool.com/login",
  "redirect_uris": ["http://tool.com/launch"],
  "response_types": ["id_token"],
  "scope": "https://purl.imsglobal.org/spec/lti-nrps/scope/contextmembership.readonly https://purl.imsglobal.org/spec/lti-ags/scope/lineitem.readonly",
  "token_endpoint_auth_method": "private_key_jwt",
  "logo_uri": "http://tool.com/icon.svg",
  "https://purl.imsglobal.org/spec/lti-tool-configuration": {
    "claims": [
      "sub",
      "iss",
      "name",
      "given_name",
      "family_name",
      "nickname",
      "picture",
      "email",
      "locale"
    ],
    "custom_parameters": {},
    "domain": "tool.com",
    "messages": [
      {
        "type": "LtiResourceLinkRequest",
        "icon_uri": "http://tool.com/icon.svg",
        "label": "Lti Tool",
        "custom_parameters": {
          "foo": "bar",
          "context_id": "$Context.id"
        },
        "placements": ["course_navigation"],
        "roles": [],
        "target_link_uri": "http://tool.com/launch?placement=course_navigation"
      }
    ],
    "target_link_uri": "http://tool.com/launch",
    "https://canvas.instructure.com/lti/tool_id": "toolid-123",
    "https://canvas.instructure.com/lti/privacy_level": "public"
  }
}

Registration Response

Upon successful creation, the registration endpoint will respond with the created registration, along with an additional field, client_id:

{
  "application_type": "web",
  "client_name": "Lti Tool",
  ...
  "client_id": "10000000000001"
}

The tool will use this client_id when requesting tokens and accessing LTI Services.

Returning the Administrator to Canvas

After the registration is created successfully, the tool should return the user to Canvas by sending a post message to the parent Canvas window:

window.parent.postMessage({subject: 'org.imsglobal.lti.close'}, '*')

Canvas will listen for this message and close the iframe, presenting the user with a summary of the registration the tool returned. The administrator will then be able to make some modifications to the registration. It's important to note that these modifications may alter how the tool is finally configured and launched. For example, the tool may request a certain number of scopes, but the administrator could restrict access to certain scopes. The tool should detect this and warn the user if modifications need to be made to the configuration.