Tim and John, thanks for the helpful replies.
We use Spring Security framework to implement authentication. In our use cases so far we haven't needed the OIDC implicit flow, and it looks like Spring6 has removed support for it.
We use Spring Security framework to implement authentication. In our use cases so far we haven't needed the OIDC implicit flow, and it looks like Spring6 has removed support for it.
It seems like supplying a bearer token in the Authorization header of the tool launch request would be the cleanest way to do this, but the LTI specs don't mention this (that I've found).