fix: LTI 1.3 launch URL should be redirect_uri provided by Tool in authentication request

This commit fixes a bug in the way we determine where to send the authentication response - the LTI 1.3 launch message - as part of an LTI 1.3 launch.

According to the 1EdTech Security Framework 1.0, during an LTI 1.3 launch, "the authentication response is sent to the redirect_uri." The redirect_uri is a query or form parameter provided by the tool when it directs the browser to make a request to the Platform's authentication endpoint. However, we currently send the authentication response to the preregistered launch URL - lti_1p3_launch_url in the LtiConsumerXBlock or the LtiConfiguration model. The difference is subtle, but it is important, because the specification indicates the Platform should respect the redirect_uri provided by the Tool, assuming it is a valid redirect_uri.

During the pregistration phase, "the Tool must provide one or multiple redirect URIs that are valid end points where the authorization response can be sent. The number of distinct redirect URIs to be supported by a platform is not specified." Currently, we do not support multiple redirect URIs, so the change is not immediately impactful. However, we should follow the specification and ensure that we return the authentication response to the correct URL.

lti_consumer/plugin/views.py

@@ -233,7 +233,7 @@ def launch_gate_endpoint(request, suffix=None):  # pylint: disable=unused-argume
         preflight_response = request_params.dict()
 
         # Set LTI Launch URL.
-        context.update({'launch_url': lti_consumer.launch_url})
+        context.update({'launch_url': preflight_response.get("redirect_uri")})
 
         # Modify LTI Launch URL depending on launch type.
         # Deep Linking Launch - Configuration flow launched by