Best practice for LTI 1.3 access tokens

Forum:

Learning Tools Interoperability Public Forum

Best practice for LTI 1.3 access tokens

Submitted by svickers on Mon, 20-Jun-2022 09:58.

I have noticed that both the 1EdTech reference implementation and at least one certified platform ignore the scope for which an access token was issued and allow it to be used for any supported service request. For example, an access token granted with a scope of https://purl.imsglobal.org/spec/lti-ags/scope/lineitem can be used to make requests to one of the Names and Role Provisioning services. Is this considered to be good or recommended practice? I had expected an access token to only be usable for service requests with the scopes for which it was issued. Thanks.

The names 1EdTech^® and IMS Global Learning Consortium^®, the 1EdTech logos, Better Learning From Better Learning Technology^®, TrustEd Apps™, 1EdTech TrustEd Apps™, Learning Tools Interoperability^®, LTI^®, IMS LTI^®, IMS Learning Tools Interoperability^®, OneRoster^®, Caliper Analytics^®, Question & Test Interoperability (QTI)^®, QTI^®, Common Cartridge^®, Competencies and Academic Standards Exchange^®, CASE^®, Competencies and Academic Standards Exchange (CASE)^®, Accessible Portable Item Protocol (APIP)^®, AccessForAll^®, Badge Connect^®, Comprehensive Learner Record Standard™, and CLR Standard™ are trademarks of 1EdTech Consortium, Inc. in the United States and/or other countries. All other trademarks and registered trademarks are the properties of their respective owners.

For information on the 1EdTech trademark usage policy, see our trademark policy page.