...

LTI provides us with a UI workflow in which a user’s browser is instructed to make a “launch request” to a third-party “tool”. The launch includes a “message” containing information, or “claims”, about the user, about where in the LMS the launch is occurring (the course, the unit, etc.), and about where in the tool to launch to. Finally, the tool must be able to trust the content of this launch message: LTI is primarily a UI workflow, so the message arrives by way of the user’s browser, and there is no secure server-to-server communication in the core specification.*

In sum, a user can click a link in the LMS to an outside application they have never interacted with, and that application will know who they are and what experience to show them, without any SSO or account-linking process.

The two widely adopted versions of LTI are 1.1 and 1.3. LTI 1.1 is built on top of OAuth 1.0 and a shared secret for signing messages, which makes it much simpler but also less secure. LTI 1.3 extends the approach for handling launch information but uses an entirely new security framework based on OAuth 2.0, which adds some extra steps to the launch workflow. Outside the core specification, LTI 1.3 has many optional features that are not entirely covered in this document.

*Backend APIs are introduced as part of the Advantage specification.
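
To make the LTI 1.1 trust model concrete, the following added example (not from the original page or from any LTI library) shows how a tool can verify the OAuth 1.0 HMAC-SHA1 signature on a browser-delivered launch and reject tampered, stale, or replayed messages. The URL, secret, function names, and parameter values are constructed for illustration, and the launch URL is assumed to carry no query string.

```python
import base64, hashlib, hmac, time
from urllib.parse import quote

# Constructed sample values, not taken from any real deployment.
LAUNCH_URL = "https://tool.example/lti/launch"
SECRET = "constructed-shared-secret"
SAMPLE_LAUNCH = {
    "lti_message_type": "basic-lti-launch-request",
    "lti_version": "LTI-1p0",
    "resource_link_id": "unit-42",
    "user_id": "student-7",
    "roles": "Learner",
    "oauth_consumer_key": "lms-key",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_version": "1.0",
    "oauth_nonce": "n-0001",
    "oauth_timestamp": "1700000000",
}

def _enc(value):
    # OAuth 1.0 percent-encoding: everything except RFC 3986 unreserved characters.
    return quote(str(value), safe="~")

def sign_launch(method, url, params, secret):
    """Return the base64 HMAC-SHA1 signature over the launch parameters."""
    pairs = sorted((_enc(k), _enc(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), _enc(url), _enc(normalized)])
    key = (_enc(secret) + "&").encode()  # empty token secret: launches carry no OAuth token
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

def verify_launch(method, url, params, secret, seen_nonces, now=None, max_skew=300):
    """Tool-side check: signature first, then freshness and replay."""
    now = time.time() if now is None else now
    try:
        timestamp = int(params["oauth_timestamp"])
        nonce, given = params["oauth_nonce"], params["oauth_signature"]
    except (KeyError, ValueError):
        return False
    if params.get("oauth_signature_method") != "HMAC-SHA1":
        return False
    expected = sign_launch(method, url, params, secret)
    if not hmac.compare_digest(expected.encode(), given.encode()):
        return False  # a claim was altered in transit, or the secret is wrong
    if abs(now - timestamp) > max_skew or nonce in seen_nonces:
        return False  # stale or replayed launch
    seen_nonces.add(nonce)
    return True
```

Because every claim is covered by the signature, changing a single value such as `roles` in the browser invalidates the launch; the nonce set stands in for whatever short-lived store the tool would use in practice.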

Important Message Claims

There are dozens of claims that may be sent along in an LTI launch message. Many of these are optional or have very specific use cases. To make sense of how the basic launch works we only need to understand a few.

...