I have configured a developer key with the following details:
OIDC Initiation Login URL - https://<<mydomainname>>/oidc/login_uri
Target Link URI - https://<<mydomainname>>/oidc/target_uri
Redirect URI - https://<<mydomainname>>/oidc/redirect_uri
Once the developer key is added with privacy set to public and all the permissions enabled for LTI Advantage services, I get the client ID and client secret.
I have added the external tools as part of Apps in one of my courses using clientID.
After the app is added, I created an Assignment, selected the external tool I added, and saved & published my assignment.
Now, from the listing page, I click on the assignment and my external tool is launched. Canvas, by default, triggers the OIDC Initiation Login URL (https://<<mydomainname>>/oidc/login_uri) as included in the developer key.
Canvas sends the response as iss, login_hint, lti_message_hint, client_id and canvas_region.
Now, from my tool, I trigger the Canvas authorization endpoint as follows:
https://canvas-dev.airislabs.com/api/lti/authorize_redirect - GET method
client_id=10000000000009 (as sent in OIDC initiation login URL response)
lti_message_hint=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ2ZXJpZmllciI6ImM1MmM5NzUwZDM3ZWRjNjhjMWEyZDk4YzAxODgwMDZhZGE3ZDhmM2I0NDJlNjIwNzllOTgxN2EyYTJmY2YyN2NlZjBlYzg2Yzg5YWQ2M2QzNTM3YjFkMWVjZWJiMDkxZWU3Njc3ZjU4NzYxZGI1OWZlMWY5Mjg1Nzc1OGJkNDE0IiwiY2FudmFzX2RvbWFpbiI6ImNhbnZhcy1kZXYuYWlyaXNsYWJzLmNvbSIsImNvbnRleHRfdHlwZSI6IkNvdXJzZSIsImNvbnRleHRfaWQiOjEwMDAwMDAwMDAwMDA1LCJleHAiOjE2MTE2NTk0NTh9.WGuiME-jgUJxykgO8fZaiwHCIXk_52rTpQJhh0Re27Q (as sent in OIDC initiation login URL response)
login_hint=30bf7735e8f161fd63a329e7fd02e905a3b3706f (as sent in OIDC initiation login URL response)
prompt=none (as specified in IMS documentation)
scope=openid (as specified in IMS documentation)
response_mode=form_post (as specified in IMS documentation)
response_type=id_token (as specified in IMS documentation)
state=d7763c4f-4fa1-4225-bbd1-3e601c55ad2b (generated by the tool using nodejs uuid package)
nonce=KcBG6xmF2Cpw2B3 (generated by the tool using nodejs nonce-generator package)
redirect_uri=https://<<mydomainname>>/oidc/redirect_uri (as specified in developer key configuration)
Response of this URL is as follows: (login_required error)
<!DOCTYPE html>
<html class="scripts-not-loaded" dir="ltr" lang="en">
<head>
<meta charset="utf-8">
rel="stylesheet">
<link href="/fonts/lato/lato-extended.css" rel="stylesheet">
<script>
if (navigator.userAgent.match(/(MSIE|Trident\/)/)) location.replace('/ie-is-not-supported.html')
</script>
<link rel="shortcut icon" type="image/x-icon" href="/dist/images/favicon-e10d657a73.ico" />
<link rel="apple-touch-icon" href="/dist/images/apple-touch-icon-585e5d997d.png" />
<link rel="stylesheet" media="all"
href="/dist/brandable_css/default/variables-8391c84da435c9cfceea2b2b3317ff66.css" />
<link rel="stylesheet" media="all"
href="/dist/brandable_css/new_styles_normal_contrast/bundles/common-de377105d3.css" />
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="theme-color" content="#008EE2">
<script>
function _earlyClick(e){
var c = e.target
while (c && c.ownerDocument) {
if (c.getAttribute('href') == '#' || c.getAttribute('data-method')) {
e.preventDefault()
(_earlyClick.clicks = _earlyClick.clicks || []).push(c)
break
}
c = c.parentNode
}
}
document.addEventListener('click', _earlyClick)
</script>
<script>
INST = {"environment":"production","disableCrocodocPreviews":true,"logPageViews":true,"maxVisibleEditorButtons":3,"editorButtons":[]};
ENV = {};
</script>
<link rel="preload" href="/dist/brandable_css/default/variables-8391c84da435c9cfceea2b2b3317ff66.js" as="script"
type="text/javascript">
<link rel="preload" href="/dist/webpack-production/main-e-fa4ef1e452.js" as="script" type="text/javascript">
<script>
//<![CDATA[
;["/dist/brandable_css/default/variables-8391c84da435c9cfceea2b2b3317ff66.js", "/dist/webpack-production/main-e-fa4ef1e452.js"].forEach(function(src) {
var s = document.createElement('script')
s.src = src
s.async = false
document.head.appendChild(s)
});
//]]>
</script>
<script>
//<![CDATA[
(window.bundles || (window.bundles = [])).push('navigation_header');
//]]>
</script>
<title>Canvas LMS</title>
</head>
<form id="authorization_redirect_form"
method="post"><input name="utf8" type="hidden" value="✓" /><input type="hidden" name="authenticity_token" value="Fr/XWMDTAwt4uGP65ECaQB2um0y+kXnLzAYAUAFKVaZ7i/hrgZ9tYQ/pJoPPJM4DJMLNL+nwSqyhVTgYVnIBjQ==" />
<input type="hidden" name="error" id="error" value="login_required" />
<input type="hidden" name="error_description" id="error_description" value="Must have an active user session" />
<input type="hidden" name="state" id="state" value="a1cb70bd-5aa3-413c-9af2-13c6fbcace76" />
</form>
<script type="text/javascript">
document.getElementById('authorization_redirect_form').submit();
</script>
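
The flow described in the post, as an added example that is not part of the original post or of Canvas: a Node.js sketch of the tool side that builds the authorization request from the login-initiation parameters and validates the form_post response (including an error such as login_required) against the stored state. With prompt=none an OIDC platform answers login_required when the request reaches it without the user's session, so the function returns a URL for a browser redirect; function names, the in-memory store, the 5-minute lifetime and the example.test hosts are assumptions.

```javascript
// Added example, not code from the original post. Function names, the
// in-memory store, the 5-minute lifetime and all hosts are assumptions.
const crypto = require('node:crypto');

const pending = new Map(); // state -> { nonce, expires }

// Build the authorization request from the login-initiation parameters.
// The returned URL is meant for a browser redirect (HTTP 302).
function buildAuthRedirect(init, cfg, now = Date.now()) {
  for (const k of ['iss', 'login_hint', 'client_id']) {
    if (!init[k]) throw new Error(`missing ${k} in login initiation`);
  }
  if (init.iss !== cfg.issuer || init.client_id !== cfg.clientId) {
    throw new Error('login initiation from an unregistered platform');
  }
  const state = crypto.randomUUID();
  const nonce = crypto.randomBytes(16).toString('hex');
  pending.set(state, { nonce, expires: now + 5 * 60 * 1000 });
  const q = new URLSearchParams({
    scope: 'openid', response_type: 'id_token', response_mode: 'form_post',
    prompt: 'none', client_id: init.client_id, redirect_uri: cfg.redirectUri,
    login_hint: init.login_hint, state, nonce,
  });
  if (init.lti_message_hint) q.set('lti_message_hint', init.lti_message_hint);
  return `${cfg.authEndpoint}?${q}`;
}

// Validate the form_post body before the id_token is parsed or trusted.
function checkAuthResponse(body, now = Date.now()) {
  const entry = pending.get(body.state);
  pending.delete(body.state); // a state value is accepted once only
  if (!entry || entry.expires < now) return { ok: false, reason: 'unknown_or_expired_state' };
  if (body.error) return { ok: false, reason: body.error, detail: body.error_description };
  if (!body.id_token) return { ok: false, reason: 'missing_id_token' };
  return { ok: true, expectedNonce: entry.nonce, idToken: body.id_token };
}

// Constructed sample values, for illustration only.
const demoCfg = {
  issuer: 'https://platform.example.test', clientId: 'constructed-client-id',
  authEndpoint: 'https://platform.example.test/api/lti/authorize_redirect',
  redirectUri: 'https://tool.example.test/oidc/redirect_uri',
};
const demoUrl = buildAuthRedirect(
  { iss: demoCfg.issuer, client_id: demoCfg.clientId, login_hint: 'constructed-hint' }, demoCfg);
console.log('redirect the browser to:', demoUrl);
```

On success the caller still has to verify the id_token signature against the platform's keys and compare its nonce claim with expectedNonce.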