Best practice for LTI 1.3 access tokens
I have noticed that both the 1EdTech reference implementation and at least one certified platform ignore the scope for which an access token was issued and allow it to be used for any supported service request. For example, an access token granted with a scope of https://purl.imsglobal.org/spec/lti-ags/scope/lineitem can be used to make requests to one of the Names and Role Provisioning services. Is this considered to be good or recommended practice? I had expected an access token to only be usable for service requests with the scopes for which it was issued. Thanks.
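The behaviour the post expected, a platform rejecting a service request whose required scope is not among those the access token was issued for, sketched as an added example (not part of the original post, and not code from 1EdTech or any platform). The scope URIs are the published AGS and NRPS ones; the service names, the token record layout and the status/reason pairs are assumptions made for illustration.

```python
# Added example: resource-server scope check for LTI Advantage service calls.
# Service names ("lineitems", "memberships", ...) and the token record layout
# are hypothetical; only the scope URIs come from the AGS/NRPS specifications.
AGS = "https://purl.imsglobal.org/spec/lti-ags/scope/"
NRPS = "https://purl.imsglobal.org/spec/lti-nrps/scope/"

# (service, HTTP method) -> scopes, any one of which authorizes the request.
REQUIRED_SCOPES = {
    ("lineitems", "GET"): {AGS + "lineitem", AGS + "lineitem.readonly"},
    ("lineitems", "POST"): {AGS + "lineitem"},
    ("lineitems", "PUT"): {AGS + "lineitem"},
    ("lineitems", "DELETE"): {AGS + "lineitem"},
    ("results", "GET"): {AGS + "result.readonly"},
    ("scores", "POST"): {AGS + "score"},
    ("memberships", "GET"): {NRPS + "contextmembership.readonly"},
}


def granted_scopes(token_record):
    """Scopes stored with the token at issue time (space-delimited string)."""
    return set(token_record.get("scope", "").split())


def authorize(token_record, service, method):
    """Return (status, reason) for a service request made with this token."""
    if token_record is None:
        return 401, "invalid_token"
    acceptable = REQUIRED_SCOPES.get((service, method.upper()))
    if acceptable is None:
        # Deny by default: an operation with no mapping is never authorized.
        return 403, "unmapped_operation"
    if granted_scopes(token_record) & acceptable:
        return 200, "ok"
    return 403, "insufficient_scope"


# Constructed sample: a token issued only for the AGS lineitem scope.
LINEITEM_TOKEN = {"client_id": "tool-123", "scope": AGS + "lineitem"}

if __name__ == "__main__":
    print(authorize(LINEITEM_TOKEN, "lineitems", "POST"))
    print(authorize(LINEITEM_TOKEN, "memberships", "GET"))
```

The check reads the scopes recorded when the token was issued, so a token requested for one service cannot be replayed against another even if the client was registered for both.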