From 7fb30746be7d4a4d4374cef7b17abce7bb09edf6 Mon Sep 17 00:00:00 2001
From: michaelroytman <mroytman@edx.org>
Date: Mon, 17 Oct 2022 13:08:30 -0400
Subject: [PATCH] fix: LTI 1.3 launch URL should be redirect_uri provided by
 Tool in authentication request

This commit fixes a bug in the way we determine where to send the authentication response - the LTI 1.3 launch message - as part of an LTI 1.3 launch.

According to the 1EdTech Security Framework 1.0, during an LTI 1.3 launch, "the authentication response is sent to the redirect_uri." The redirect_uri is a query or form parameter provided by the tool when it directs the browser to make a request to the Platform's authentication endpoint. However, we currently send the authentication response to the preregistered launch URL - lti_1p3_launch_url in the LtiConsumerXBlock or the LtiConfiguration model. The difference is subtle, but it is important, because the specification indicates the Platform should respect the redirect_uri provided by the Tool, assuming it is a valid redirect_uri.

During the preregistration phase, "the Tool must provide one or multiple redirect URIs that are valid end points where the authorization response can be sent. The number of distinct redirect URIs to be supported by a platform is not specified." Currently, we do not support multiple redirect URIs, so the change is not immediately impactful. However, we should follow the specification and ensure that we return the authentication response to the correct URL.
---
 lti_consumer/plugin/views.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lti_consumer/plugin/views.py b/lti_consumer/plugin/views.py
index c0b4124..805cd9a 100644
--- a/lti_consumer/plugin/views.py
+++ b/lti_consumer/plugin/views.py
@@ -233,7 +233,7 @@ def launch_gate_endpoint(request, suffix=None):  # pylint: disable=unused-argume
         preflight_response = request_params.dict()
 
         # Set LTI Launch URL.
-        context.update({'launch_url': lti_consumer.launch_url})
+        context.update({'launch_url': preflight_response.get("redirect_uri")})
 
         # Modify LTI Launch URL depending on launch type.
         # Deep Linking Launch - Configuration flow launched by
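Review bot: the new `launch_url` is taken straight from the request (`preflight_response = request_params.dict()` followed by `preflight_response.get("redirect_uri")`) with no check visible in this hunk that it matches a registered redirect URI, so the authentication response, which carries the signed launch id_token, would be posted to whatever URL the caller of this endpoint supplies. The commit message itself conditions the behaviour on "assuming it is a valid redirect_uri" and notes that only one redirect URI (the preregistered `lti_consumer.launch_url`) is currently supported, so the hunk should enforce exactly that before use: compare `preflight_response.get("redirect_uri")` against `lti_consumer.launch_url` and reject the launch (a 400 response rather than proceeding) when it differs or is absent. As written, `.get("redirect_uri")` also yields `None` when the parameter is missing, which would silently replace the previously always-present `lti_consumer.launch_url` with an empty launch target; the same validation step would cover that case.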
-- 
GitLab