Qwickly creates various LTI tools which can be used in Canvas. These LTI tools use Canvas' REST APIs to request data on users or courses. In order to get this data, Qwickly needs a valid API token on hand for the logged-in user in order to make valid requests.
Whenever Qwickly needs a fresh API token, Qwickly will redirect the requested user to Canvas' authentication systems. The provided screenshot illustrates the prompt that is produced by Canvas to a user who is using a Qwickly LTI tool. When the user clicks on "Authorize", then Canvas will provide an API token to Qwickly on behalf of the user.
Thus, if a user is repeatedly seeing this authorization screen, it would be because the API token for that session either didn't exist, or got invalidated. There are a couple of possibilities for this occurrence:
- If a logged-on user in Canvas masquerades as another user in the system and opens a Qwickly LTI tool. When masquerading as another user, Canvas will automatically log your current user account out and log the selected user account in seamlessly. However, Qwickly is an external tool and will not have detected the user change until one of Qwickly's LTI tools is opened. That would prompt an authorization message for the new user account
- If a user logs into their Canvas system after a few days of inactivity, then the API token saved from the previous session will have likely expired. This also causes Qwickly to try to fetch a new token, causing Canvas to ask the user to reauthorize our tool.