doc/lti/03_lti_launches.md
An LTI launch is the act of loading an LTI tool (See LTI Overview). LTI launches serve as the primary form of user authentication for the LTI tool.
LTI launches for LTI 1.1 and LTI 2.0 are very similar. Launches for LTI 1.3, however, are more distinct. The following is a description of LTI launches for each LTI version (See "Intro to Spec Versions" in the LTI overview).
Canvas has five primary entry points for initiating LTI 1.1 launches:
/app/controllers/users_controller.rb#external_tool)app/controllers/application_controller.rb#content_tag_redirect)show action (app/controllers/external_tools_controller.rb#show)retrieve action (app/controllers/external_tools_controller.rb#retrieve)sessionless_launch action (app/controllers/external_tools_controller.rb#sessionless_launch)Each launch path is defined in greater detail in the LTI 1.1 Launches document.
When making sweeping changes to LTI 1.1 launches in Canvas, these are the primary points that should be tested.
Canvas has three primary entry points for initiating LTI 2.0 launches:
resource action (app/controllers/lti/message_controller.rb#resource)basic_lti_launch_request action (app/controllers/lti/message_controller.rb#basic_lti_launch_request)reregistration action (app/controllers/lti/message_controller.rb#reregistration)Each launch path is defined in greater detail in the LTI 2.0 Launches document
If, for some reason, you need to make sweeping changes to LTI 2.0 launches, these three entry points should be tested.
Canvas has five primary entry points for initiating LTI 1.3 launches:
/app/controllers/users_controller.rb#external_tool)app/controllers/application_controller.rb#content_tag_redirect)show action (app/controllers/external_tools_controller.rb#show)retrieve action (app/controllers/external_tools_controller.rb#retrieve)sessionless_launch action (app/controllers/external_tools_controller.rb#sessionless_launch)Each launch path is defined in greater detail in the LTI 1.3 Launches document.
Note that these are the exact same entry points for LTI 1.1. LTI 1.3 piggy-backs on the LTI 1.1 implementation (See LTI Overview).
When making sweeping changes to LTI 1.1 launches in Canvas, these are the primary points that should be tested.
No matter the version of LTI, most launches are accomplished using the venerable <iframe> element, helping maintain
the core LTI concept of embedding tool content seamlessly within a platform. LTI iframes are defined at a few different
points within Canvas, though most launches trace back to a base erb template, located in app/views/lti/_lti_message.html.erb.
Other LTI iframes definition points, mostly in Javascript for on-the-fly launches, can be found by searching for
data-lti-launch, an attribute that is set on all LTI launch iframes.
It's possible to limit or allow certain features within an iframe, delineated by the Feature Policy
browser API. From time to time, it may be necessary to explicitly allow new features in LTI iframes. Feature policies
are added to the allow attribute of the iframe element, and follow the form of <feature name> <origin allowlist>.
Since most features default to an origin allowlist of self, meaning only the origin of the parent window, these
features aren't allowed by default during an LTI launch where the origin is almost certainly different than Canvas.
This means that desired features for LTI tools must be allowed explicitly and with *, the wildcard origin.
A list of allowed features is kept in the Lti::Launch model (app/models/lti/launch.rb), and that list is propagated
to the frontend via an environment variable. Any iframes defined and launched from the frontend should reference
that environment variable.
Adding a new feature is often requested by other teams, and should be confirmed with the LTI product manager, but otherwise is a valid and easy addition. This commit is a good example of adding one new feature to the iframe allow policy.