by John Doyle.
Building on Tim's tips:
- Yes, Moodle follows the auth flow in the spec you referenced
- Yes, the user is typically already authenticated/logged in on the Moodle/platform side when using an LTI tool (external tool), and it isn't common for the user to manually log in to the tool separately as part of the LTI 1.3/OIDC flow
- The tool still controls what's required after successful LTI auth in order to interact with the requested tool resources/content/etc.
- Example: the LTI resource request sent after the LTI auth will include user data. This data can be used to create a user account on the tool side, look up/find an existing user, assign the right role/capabilities to a user, etc. But perhaps something else is required, like tool-specific profile info or a tool-specific code to access a resource, before the resource can be served. The tool would handle these situations with direct user interaction.
- Even with the public standard/specs, the tool can't assume every standard LTI 1.3 request or situation will be handled perfectly by every platform, even when the intent is there. Sometimes there's a tool issue, sometimes a platform issue.
- Suggestion: Test the tool on multiple platforms before a prod launch - or at least test it on the platform(s) your customers/prospects will be using most frequently - Moodle, Canvas cloud or community, D2L/Brightspace, Schoology, Blackboard, etc.
- Any mention above of platform = LTI tool consumer, but not OAuth/OIDC consumer. LTI 1.1 uses tool consumer, 1.3 uses platform to avoid conflict with the OAuth/OIDC consumer - more info here
Hope it goes well!
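A worked illustration of the tool-side handling John describes above: validate the LtiResourceLinkRequest the platform sends after the OIDC auth step, then find or create the tool-side user from its claims, map the platform roles onto the tool's own roles, and signal when the tool still needs direct user interaction (tool-specific profile info) before serving the resource. This is an added example, not code from the post, from Moodle, or from any LTI library. The platform issuer, client id, deployment id and the sample id_token claims are constructed, and the id_token's signature is assumed to have already been verified against the platform's JWKS (for example with PyJWT), which is outside this snippet. The nonce, deployment_id and expiry checks are the places where a platform that does not behave "perfectly" shows up, so the example fails closed on each of them.

```python
"""Tool-side handling of an LTI 1.3 resource link launch (constructed example).

The id_token is assumed to be decoded and its signature already verified
against the platform's JWKS (e.g. with PyJWT); only the claim checks and the
user lookup/provisioning that the tool still owns are shown here.
"""
import time

LTI = "https://purl.imsglobal.org/spec/lti/claim/"
MEMBERSHIP = "http://purl.imsglobal.org/vocab/lis/v2/membership#"

# What the tool recorded when it was registered on the platform (assumed values).
REGISTRATION = {
    "issuer": "https://moodle.example.edu",
    "client_id": "tool-client-id-1",
    "deployment_ids": {"deployment-42"},
}

# Constructed id_token payload, as a platform would send after the OIDC auth step.
SAMPLE_CLAIMS = {
    "iss": "https://moodle.example.edu",
    "aud": "tool-client-id-1",
    "sub": "platform-user-7",
    "exp": 2_000_000_000,
    "iat": 1_999_999_700,
    "nonce": "n-8f2c1",
    "name": "Ada Lovelace",
    "email": "ada@example.edu",
    LTI + "message_type": "LtiResourceLinkRequest",
    LTI + "version": "1.3.0",
    LTI + "deployment_id": "deployment-42",
    LTI + "target_link_uri": "https://tool.example.com/launch",
    LTI + "resource_link": {"id": "rl-123"},
    LTI + "roles": [MEMBERSHIP + "Instructor"],
}


class LaunchError(ValueError):
    """Launch rejected; the message names the failing claim."""


def validate_launch(claims, registration, seen_nonces, now=None):
    """Check the OIDC fields (iss, aud, exp, nonce) and the LTI claims a
    resource link message must carry. Platforms differ in what optional data
    they send, so only required claims are enforced here."""
    now = time.time() if now is None else now
    if claims.get("iss") != registration["issuer"]:
        raise LaunchError("iss does not match the registered platform")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if registration["client_id"] not in aud:
        raise LaunchError("aud does not contain this tool's client_id")
    if len(aud) > 1 and claims.get("azp") != registration["client_id"]:
        raise LaunchError("multiple audiences but azp is not this tool")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise LaunchError("exp missing or id_token expired")
    nonce = claims.get("nonce")
    if not nonce or nonce in seen_nonces:
        raise LaunchError("nonce missing or already used (replay)")
    if claims.get(LTI + "message_type") != "LtiResourceLinkRequest":
        raise LaunchError("not an LtiResourceLinkRequest")
    if claims.get(LTI + "version") != "1.3.0":
        raise LaunchError("unsupported LTI version")
    if claims.get(LTI + "deployment_id") not in registration["deployment_ids"]:
        raise LaunchError("deployment_id not registered for this platform")
    if not claims.get("sub"):
        raise LaunchError("sub (platform user id) missing")
    if not (claims.get(LTI + "resource_link") or {}).get("id"):
        raise LaunchError("resource_link.id missing")
    if not claims.get(LTI + "target_link_uri"):
        raise LaunchError("target_link_uri missing")
    seen_nonces.add(nonce)  # consume the nonce only once every check has passed
    return claims


def tool_role(claims):
    """Map the platform's roles claim onto the tool's own two roles. Anything
    unrecognised becomes 'learner', the least privilege the tool grants."""
    roles = claims.get(LTI + "roles") or []
    return "instructor" if MEMBERSHIP + "Instructor" in roles else "learner"


def provision_user(claims, user_store):
    """Find or create the tool-side account keyed on (iss, sub); that pair is
    stable across launches, whereas email is optional and may be withheld."""
    key = (claims["iss"], claims["sub"])
    user = user_store.setdefault(key, {"iss": claims["iss"], "sub": claims["sub"],
                                       "profile_complete": False})
    for field in ("name", "given_name", "family_name", "email"):
        if claims.get(field):          # refresh whatever the platform chose to send
            user[field] = claims[field]
    user["role"] = tool_role(claims)   # re-evaluated on every launch, never cached
    return user


def launch(claims, user_store, seen_nonces, registration=REGISTRATION, now=None):
    """Validate, then find/create the user. The second return value tells the
    tool it still has to collect tool-specific profile info directly from the
    user before serving the resource (the direct-interaction case)."""
    validate_launch(claims, registration, seen_nonces, now)
    user = provision_user(claims, user_store)
    return user, not user["profile_complete"]


if __name__ == "__main__":
    user, needs_profile = launch(SAMPLE_CLAIMS, {}, set())
    print(user["role"], "needs profile step:", needs_profile)
```

Keying the account on (iss, sub) rather than on email is deliberate: the platform may withhold name and email entirely, and the same email can legitimately appear from two platforms, whereas the issuer/subject pair is what the spec makes stable. Roles are recomputed on every launch because the platform is authoritative for them and an instructor may be re-enrolled as a learner between launches.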