What id/info to use to uniquely identify a Canvas instance?
Hi All,
What information should I use to uniquely identify a Canvas instance during an LTI launch? I need to be 100% sure that the id token received is for a user in a particular school previously registered in my app.
From what I have seen so far, the iss in the id_token is always the same (canvas.instructure.com, with env-specific variations), which makes it unusable for this purpose, particularly when self-hosted instances can also have that same iss. For Instructure-hosted instances, the only other information I could use is the client_id, but is that unique across all instances? Is that the recommended way to go? Is there any other information I could use?
The JWKS token validation URL is also the same for all Instructure-hosted instances. So, also not a good option to ensure uniqueness of instance.
Thanks