LTI Auth Tokens vs Developer Keys?


My organization wants to migrate all LTIs currently using Auth Tokens to Developer Keys instead.
Does Brightspace support that?

All of the Brightspace Developer Key documentation I've found talks about Canvas?


Best Answer

  • Viktor.H.147
    Viktor.H.147 Posts: 41
    Answer ✓

    For security reasons Brightspace does not currently support LTI 1.3 integrations via Developer Keys (principally so we can control and encourage regular rotation of keys and secrets). LTI Advantage (1.3) based integrations use the standard OAuth2 client registration process based on the Tool hosting a JWKS key set, and gaining access to LTI Services via access token requests by identifying themselves with a signed JWT as in the LTI 1.3 core specification and 1EdTech Security Framework Specification; we do not support any other method of LTI Tool authentication at this time.

    Legacy LTI (1.1.x) based integrations use the standard Consumer Key/Secret pattern identified in the LTI 1.1.x specifications. However, we do not recommend that Tools make use of the legacy LTI standards unless they already have such integrations in production. All new LTI work should use LTI 1.3's security model instead.