Insufficient scope to call API.Required: ltiv1p3:ags:readlineitem
Hello,
I'm trying to manage grades in Brightspace using an LTI Advantage 1.3 tool connecting to our in-house software. I had success registering the app, deploying it, login, accessing course and user info using this as a base:
Now I want to access AGS (Assignment and Grade Services).
I used this resource to build my tool:
The ID token returns this :
'https://purl.imsglobal.org/spec/lti-ags/claim/endpoint': {
  scope: [
    'https://purl.imsglobal.org/spec/lti-ags/scope/lineitem',
    'https://purl.imsglobal.org/spec/lti-ags/scope/lineitem.readonly',
    'https://purl.imsglobal.org/spec/lti-ags/scope/result.readonly',
    'https://purl.imsglobal.org/spec/lti-ags/scope/score'
  ],
  lineitems: 'https://DOMAIN.brightspace.com/d2l/api/lti/ags/2.0/deployment/UUID/orgunit/266002/lineitems'
},
So, I try accessing 'https://DOMAIN.brightspace.com/d2l/api/lti/ags/2.0/deployment/UUID/orgunit/266002/lineitems' using the ID token information, but it returns a 403 error: "{ Errors: [ {Message: "Insufficient scope to call API.Required: ltiv1p3:ags:readlineitem"} ] }"
I tried setting up the OAuth scopes using the procedure explained in https://community.d2l.com/brightspace/discussion/2124/adding-course-content-through-api-calls, but it doesn't seem to work for LTI as well as with the API. I can't add "ltiv1p3:ags:readlineitem" to the scope: it won't save the config. I can add scopes defined here ( ), but it doesn't fix my issue.
Also, I can't find the "Can be graded in Grades" in the "Roles and Permissions", as mentioned in the doc above.
What needs to be done to manage grades using an LTI 1.3 tool?
Best regards,
Stéphane
PS: Some resources I consulted, among others:
- https://community.d2l.com/brightspace/discussion/6060/problem-with-third-party-integration-lti-advantage-and-oauth-2-0-authentication
- https://community.auth0.com/t/insufficient-scope-but-my-token-contains-required-permissions/33710
- https://www.imsglobal.org/spec/lti/v1p3
Answers
-
Hi Stephane,
Thank you for reaching out to us through Community!
The scopes that you mentioned were already right and should be working.
Since you still receive the error, we recommend that you please open a support ticket with us, including the details of how the scopes were defined in your app and screenshots or a video recording of the issue if available.
This helps us to investigate the issue further and help answer your query.
Thanks
Sreelakshmi
-
Hi Sreelakshmi,
Thanks for getting back to me. I would be happy to provide you with all details required to fix the issue. To this end, I need more information though.
Which "scopes already right which should be working" are you referring to exactly? Are they the OAuth 2 ones or the LTI ones (extensions)? The current OAuth2 scopes I currently defined in "Cog > Manage extensibility > Oauth 2.0 > My App" are:
- content:module:read
- enrollment:orgunit:read
- groups:group:read
- organizations:organization:read
- orgunits:course:read
- sections:section:read
- users:userdata:read
When I try to add "ltiv1p3:ags:readlineitem" it says that an error occurred.
Best regards,
Stéphane
-
Hi Stephane,
Thanks for updating the community thread!!
Sreelakshmi had earlier referred to the scope of LTI. The error you're encountering "Insufficient scope to call API. Required: ltiv1p3:ags:readlineitem" occurs when the tool is attempting to use AGS (Assignment and Grade Services) but does not have the proper authorization.
This typically happens if:
- The tool doesn't have AGS enabled, so the authorization service didn’t grant the required scope, or
- The tool didn’t request the scope correctly during the authentication process.
We might need to review our logs to determine if this issue stems from our side, based on the timeline you provide.
As Sree mentioned, could you please raise a support case with all these details? That will help us track it properly and investigate further.
Please feel free to reach out if you have any additional concerns.
Thanks,
Sangeetha
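
Added example, not part of any post in this thread and not D2L's code: in the LTI 1.3 service flow defined by the IMS Security Framework, the AGS scopes are requested in a client_credentials token request authenticated with a signed JWT, and the returned access token (not the launch ID token) is sent as a Bearer token to the lineitems URL. TOKEN_URL, CLIENT_ID and the key pair below are constructed placeholders, and the aud value is an assumption; use what the platform's registration details specify.

```javascript
// Added example (not from the thread). TOKEN_URL, CLIENT_ID and the key pair
// are constructed placeholders; real values come from the tool registration.
const nodeCrypto = require('node:crypto');

const TOKEN_URL = 'https://lms.example.invalid/token'; // placeholder
const CLIENT_ID = 'constructed-client-id';             // placeholder
// The platform verifies the assertion with the public half (via the tool's JWKS).
const { privateKey, publicKey } =
  nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

// AGS claim as shown in the question (DOMAIN and UUID left as posted).
const agsClaim = {
  scope: [
    'https://purl.imsglobal.org/spec/lti-ags/scope/lineitem',
    'https://purl.imsglobal.org/spec/lti-ags/scope/lineitem.readonly',
    'https://purl.imsglobal.org/spec/lti-ags/scope/result.readonly',
    'https://purl.imsglobal.org/spec/lti-ags/scope/score',
  ],
  lineitems: 'https://DOMAIN.brightspace.com/d2l/api/lti/ags/2.0/deployment/UUID/orgunit/266002/lineitems',
};

const b64url = (v) => Buffer.from(v).toString('base64url');

// RS256-signed JWT that the tool presents instead of a client secret.
function clientAssertion(key, now = Math.floor(Date.now() / 1000)) {
  const header = b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  const payload = b64url(JSON.stringify({
    iss: CLIENT_ID, sub: CLIENT_ID, aud: TOKEN_URL, // aud: assumed to be the token URL
    iat: now, exp: now + 300, jti: nodeCrypto.randomUUID(),
  }));
  const sig = nodeCrypto.sign('RSA-SHA256', Buffer.from(`${header}.${payload}`), key);
  return `${header}.${payload}.${sig.toString('base64url')}`;
}

// Form body for the token request. Only scopes the platform advertised in the
// launch claim are requested; anything else is rejected before sending.
function tokenRequestBody(claim, wanted, key) {
  const missing = wanted.filter((s) => !claim.scope.includes(s));
  if (missing.length) throw new Error(`not offered in launch: ${missing.join(' ')}`);
  return new URLSearchParams({
    grant_type: 'client_credentials',
    client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
    client_assertion: clientAssertion(key),
    scope: wanted.join(' '),
  });
}

const body = tokenRequestBody(agsClaim, [agsClaim.scope[1]], privateKey);
console.log(`POST ${TOKEN_URL}\n${body}`);
```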