I've been barking up multiple trees trying to make sense of this.

I am setting up an LTI 1.3 tool - and while an `id_token` during launch COULD contain the user `email` (and thus give our tool a way to ID an internal user that matches) - I know a school/district using Canvas may prefer to not include this PII in the JWT. And as such I'm trying to sort out different ways to get the user information (with a Canvas admin's full permission):

1. get manual access token from admin's account to call API to get info - violates policy (https://canvas.instructure.com/doc/api/file.oauth.html#manual-token-generation)

2. advise Canvas admin to create a "limited admin" account with constrained permissions for our Tool to generate its own access token - could this violate the same policy? I can't tell

3. do the OAuth2 in-browser flow with auth code / access token dance to get "/self/user_profile" which contains the email address; requires the individual user, e.g. a student, to "authorize" this

    - asking student's authorization feels clunky UX-wise, and also I have to imagine could be confusing to a student who is not in the business of determining what data to share between Canvas and the LTI tool

    - maybe violates another policy? (having a student authorize access to the LTI tool)

4. match on provided SIS user id in LTI variable substitutions - is this possibly the only way through without violating a policy?

Any clarification folks have here on what's on the up-and-up, what's ideal in the UX, and if there's another way through I am missing?

Best,

.dig