I am using Google Chrome > 91. When I set up Canvas as an LTI 1.3 platform and try to launch LTI tools inside an IFrame, the LTI launch fails with
error: login_required and
error_description: Must have an active user session. The error is a response to
authorize_redirect calls, part of the LTI 1.3 OIDC authentication flow. I am using Assignments with External Tools.
It is noticeable that
log_session_id, the cookie used by Canvas for session management, is blocked during the LTI 1.3 OIDC authentication flow on the request to the authorization endpoint
/api/lti/authorize_redirect. This behavior has happened since Chrome > 91 started enforcing the new SameSite policies. That policy blocks cross-site cookies without
Secure set, and redirects within IFrames are considered cross-site.
Is this known to anyone else? And, if yes, is there any workaround in Canvas? For example, setting session cookies to use
SameSite=None for cross-site calls.
The LTI launch should succeed.
The LTI launch fails; here's a breakdown of the requests:

| Step | From | To | Description |
|---|---|---|---|
| 1. | BROWSER | CANVAS | Request assignment in Canvas, which is an External Tool (LTI). |
| 2. | CANVAS | BROWSER | Reply with an empty IFrame and set the |
| 4. | TOOL | BROWSER | Reply with a redirect to CANVAS passing the LTI 1.3 auth parameters. This request does not have |
| 5. | BROWSER | CANVAS | Redirect to authenticate at Canvas is sent; it fails because we are not passing the |
| 6. | CANVAS | BROWSER | Reply with a redirect to TOOL, with an error. |
| 7. | BROWSER | TOOL | This should be the final tool launch, but it is the error from the authentication. |
| 8. | TOOL | BROWSER | Since it was an error, TOOL replies with the "Invalid Tool Launch" message. |
Excerpt of the error redirect from
utf8: ✓ authenticity_token: <a base64-encoded string that was omitted by me> error: login_required error_description: Must have an active user session state: state-891953f5-97dd-4891-837f-5d01958aeb29
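The cookie rule behind step 5 of the breakdown, modelled as an added example (not code from the original post and not Canvas's own code): a missing SameSite attribute is treated as Lax by Chrome, a Lax cookie is withheld from a cross-site navigation inside an IFrame, and SameSite=None is only honoured together with Secure. The Set-Cookie headers are constructed samples, and `log_session_id` is simply the cookie name used in the question.

```python
"""Model of Chrome's SameSite cookie rules (Chrome >= 80) applied to the
cross-site redirect to /api/lti/authorize_redirect inside the Canvas IFrame."""
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    same_site: str   # "Strict", "Lax" or "None"
    secure: bool
    stored: bool     # False when the browser rejects the cookie at set time


def parse_set_cookie(header: str) -> Cookie:
    """Parse a Set-Cookie header and apply Chrome's defaults:
    no SameSite attribute -> Lax; SameSite=None without Secure -> rejected."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    same_site, secure = None, False
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.lower() == "samesite":
            same_site = val.strip().capitalize()   # "none" -> "None"
        elif key.lower() == "secure":
            secure = True
    if same_site is None:
        same_site = "Lax"   # Chrome's default since version 80
    stored = not (same_site == "None" and not secure)
    return Cookie(name, same_site, secure, stored)


def cookie_sent(cookie: Cookie, cross_site: bool, top_level: bool,
                safe_method: bool = True) -> bool:
    """Would the browser attach this cookie to a request in this context?
    Simplification: Chrome's 2-minute 'Lax-allowing-unsafe' grace is ignored."""
    if not cookie.stored or not cross_site:
        return cookie.stored
    if cookie.same_site == "Strict":
        return False
    if cookie.same_site == "Lax":
        return top_level and safe_method   # top-level GET navigations only
    return True   # SameSite=None, which parse_set_cookie already required to be Secure


# Constructed samples: the default session cookie, the SameSite=None; Secure
# variant proposed in the question, and a SameSite=None cookie missing Secure.
DEFAULT_HEADER = "log_session_id=abc123; Path=/; HttpOnly; Secure"
FIXED_HEADER = "log_session_id=abc123; Path=/; HttpOnly; Secure; SameSite=None"
BROKEN_HEADER = "log_session_id=abc123; Path=/; HttpOnly; SameSite=None"


def iframe_redirect_has_session(header: str) -> bool:
    """Step 5: the tool's redirect back to Canvas is loaded inside the IFrame,
    so it is cross-site and not a top-level navigation."""
    return cookie_sent(parse_set_cookie(header), cross_site=True, top_level=False)
```

Only the header carrying both `SameSite=None` and `Secure` survives the IFrame redirect; the same default cookie would still be sent on a top-level cross-site GET, which is why the flow works when the tool is opened in a new window.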
If you are running your own instance of Canvas, have you set up Redis? I believe it is required for the OAuth2 part of the LTI 1.3 launch.
Thank you for your reply. Yes, I am running a local instance of Canvas. And Yes, I have set up Redis.
More specifically, I can exercise the OAuth workflow with a different browser that can ignore the cross-site cookie restrictions, e.g. Firefox. It would probably also work with an older version of Chrome, but I haven't tested it.