Tool file:

• establish secret (one of the following)
  • array(table,key_column,oauth_consumer_key,secret_column,context_column)
  • plain text secret
  • include master dance file

master dance file:

• grab token values from session if present
• grab domain from LTI POST var [‘custom_domain_url’]
• store domain in cookie in case we have to redirect
• include modified blti.php, canvasapi.php,dbaccess.php
• $context = new BLTI()
• if $context->valid (secret accepted, token retrieval attempted, db table stored in cookie, in case token is invalid)
  • $api = new CanvasAPI(token,domain)
  • if token invalid redirect to /login/oauth2/auth?redirect=get_token_domain.php
    • at this point, we have lost all our php vars, since we redirect
    • request admin  authorization
    • if granted, we land in get_token_domain
      • retrieve cookies, include dbaccess, update token in db, dance over
• else dance over