The token approach is simple enough so implementing it as a first approach doesn't add a big maintenance burden.
Groups integration
As part of PoC to test the API integration I used groups as the first example.
While Moodle has groups and group sets (called groupings in Moodle) that map 1 to 1 to other LMSes it allows groups that don't belong to any of the group sets, ie they belong directly to the course.
This adds extra complexity compared to other implementations.
To support features like groups, sections, files, pages we rely on an API integration to get access to data that's not exposed through LTI otherwise.
Authentication
Moodle seems to offer connection with oauth2 services where Moodle acts as a client, see: https://docs.moodle.org/403/en/OAuth_2_services. We can't use this.
The API we could use is documented generally here: https://docs.moodle.org/dev/Creating_a_web_service_client
The authentication method suggested there: https://docs.moodle.org/dev/Creating_a_web_service_client#How_to_get_a_user_token
involves fetching a token based on the user's username and password and call:
https://www.yourmoodle.com/login/token.php?username=USERNAME&password=PASSWORD&service=SERVICESHORTNAME
that would involved our own password prompt for the moodle password which seems ill advised from our point.
As an alternative we could use a token created for an user with enough privileges for our use case (ie access to all courses etc): https://docs.moodle.org/403/en/Using_web_services#Create_a_token
I've seen at least one other product that "recomends" this approach https://support.zoom.com/hc/en/article?id=zm_kb&sysparm_article=KB0061973
My suggestion would be to use this token approach while checking with Moodle if there's any plans to support more traditional oauth2 approaches, see:
https://tracker.moodle.org/browse/MDL-61383 https://tracker.moodle.org/browse/MDL-76831
The token approach is simple enough so implementing it as a first approach doesn't add a big maintenance burden.
Groups integration
As part of PoC to test the API integration I used groups as the first example.
While Moodle has groups and group sets (called groupings in Moodle) that map 1 to 1 to other LMSes it allows groups that don't belong to any of the group sets, ie they belong directly to the course.
This adds extra complexity compared to other implementations.