Regarding #4 - we could match accounts based upon user_sis_id (which we have from rostering) if we configure our tool to use LTI Variable Substitutions (https://canvas.instructure.com/doc/api/file.too...

Yes - the best solution would certainly be the customer sending us `email` in the `id_token` - which we will be strongly encouraging and asking for. BUT I am also aware of a security concern in doing ...

I've been barking up multiple trees trying to make sense of this. I am setting up an LTI 1.3 tool - and while an `id_token` during launch COULD contain the user `email` (and thus give our tool a way t...

After pondering this a while and tooling around, I've found a work around for the cases where I would need to hit the Canvas OAuth2 API as an LTI tool server-to-server call (NOT using the standard in-...

 The scope you need in your auth code request is something like "url:GET|/api/v1/users/:user_id/profile" (getting the user's profile gets most "userinfo" you would need). This is assuming the SAME sco...

Regarding #4 - we could match accounts based upon user_sis_id (which we have from rostering) if we configure our tool to use LTI Variable Substitutions (https://canvas.instructure.com/doc/api/file.too...

Yes - the best solution would certainly be the customer sending us `email` in the `id_token` - which we will be strongly encouraging and asking for. BUT I am also aware of a security concern in doing ...

I've been barking up multiple trees trying to make sense of this. I am setting up an LTI 1.3 tool - and while an `id_token` during launch COULD contain the user `email` (and thus give our tool a way t...

After pondering this a while and tooling around, I've found a work around for the cases where I would need to hit the Canvas OAuth2 API as an LTI tool server-to-server call (NOT using the standard in-...

 The scope you need in your auth code request is something like "url:GET|/api/v1/users/:user_id/profile" (getting the user's profile gets most "userinfo" you would need). This is assuming the SAME sco...