Building an LTI™ App
If you want to build an LTI-compliant app or provider, there are really only a couple of things you need to worry about: how users can configure your app, how to accept a launch from a consumer, and potentially handling some of the extra goodies LTI makes possible.
App configuration is different for every LMS right now, but we're working on that. The best way to provide a standard configuration for your app is by providing a URL that returns an XML configuration for your app. There are many examples of app configurations in the Canvas API documentation. Remember, if there are custom values you want to make sure come across with every user, this is the place to include them. The only really crucial piece to specify is the URL endpoint that will accept the POST requests,
Typically users will either copy the URL to your XML configuration, or copy and paste the configuration itself. Notice that the configuration does not include the consumer key or shared secret. These are account-specific values, and if they were included they would prevent the XML from being reusable. Users will still have to enter the key and secret values that a provider gives them into the
Once an app is configured, it will be added by one or more instructors into their material as some sort of link or button in the consumer. Any time a student, instructor, administrator, or random internet passerby clicks the link, they will be directed to the provider via a signed POST request. It is the provider's responsibility to confirm the signature on the POST request. If the signature is invalid, then none of the information should be trusted.
If the signature is valid, then you should accept the identity assertion provided by the consumer and log the user in to your service. Many services have their own registration flow, so it's not uncommon to require an additional registration step the first time a user launches your app.
Signatures are generated using the OAuth signing process. There are several online tools that you can use to test your signing code, although you'll probably save yourself some trouble if you can find a library to do the work for you.
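An added example, not part of the original page or of any LTI library: one way a provider could check the signature on a launch POST with Python's standard library, assuming the HMAC-SHA1 method of OAuth 1.0, a launch URL without a query string, and no repeated parameter names. The key, secret, URL, launch values and function names are invented for illustration.

```python
import base64, hashlib, hmac, time
from urllib.parse import quote

def _enc(value):
    # OAuth 1.0 percent-encoding: only RFC 3986 unreserved characters stay literal
    return quote(str(value), safe="-._~")

def sign_launch(method, url, params, shared_secret):
    """OAuth 1.0 HMAC-SHA1 signature over every POST parameter except oauth_signature."""
    pairs = sorted((_enc(k), _enc(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base_string = "&".join([method.upper(), _enc(url), _enc(normalized)])
    key = _enc(shared_secret) + "&"  # an LTI launch carries no token secret
    digest = hmac.new(key.encode(), base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def verify_launch(method, url, params, secrets, seen_nonces, max_age=300, now=None):
    """True only for a known key, fresh timestamp, unused nonce and matching signature."""
    secret = secrets.get(params.get("oauth_consumer_key", ""))
    if secret is None or params.get("oauth_signature_method") != "HMAC-SHA1":
        return False
    try:
        timestamp = int(params.get("oauth_timestamp", ""))
    except ValueError:
        return False
    now = time.time() if now is None else now
    if abs(now - timestamp) > max_age:
        return False
    expected = sign_launch(method, url, params, secret).encode()
    if not hmac.compare_digest(expected, params.get("oauth_signature", "").encode()):
        return False
    nonce = (params["oauth_consumer_key"], params.get("oauth_nonce", ""))
    if nonce in seen_nonces:  # replay of an already accepted launch
        return False
    seen_nonces.add(nonce)
    return True

# Constructed sample data: key, secret, URL and launch fields are invented for this example.
SECRETS = {"demo-key": "demo-secret"}
LAUNCH_URL = "https://tool.example.test/launch"

def constructed_launch(timestamp):
    params = {"oauth_consumer_key": "demo-key", "oauth_signature_method": "HMAC-SHA1",
              "oauth_timestamp": str(timestamp), "oauth_nonce": "n-0001", "oauth_version": "1.0",
              "lti_message_type": "basic-lti-launch-request", "lti_version": "LTI-1p0",
              "resource_link_id": "link-42", "user_id": "user 7", "roles": "Learner"}
    params["oauth_signature"] = sign_launch("POST", LAUNCH_URL, params, SECRETS["demo-key"])
    return params
```

Pass the URL exactly as the consumer requested it; behind a reverse proxy the scheme or host your app sees may differ, and a mismatch makes valid launches fail verification.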
This page has described the most basic type of LTI integration. There are a number of other things you can do on top of this, including passing scores from the provider back to the gradebook of the consumer, or adding buttons to the rich content editor in the consumer to insert rich content generated or curated by the provider. Check out the Canvas API documentation on external tools for more detail on these extensions and how they work.