jvdm
Community Member

Cannot launch LTI 1.3 assignments in IFrame: Canvas auth cookies are blocked

I am using Google Chrome > 91. When I set up Canvas as an LTI 1.3 platform and try to launch LTI tools inside an IFrame, the LTI launch fails with error: login_required and error_description: Must have an active user session. The error is a response to authorize_redirect/ calls, part of the LTI 1.3 OIDC authentication flow. I am using Assignments with External Tools.

It is noticeable that log_session_id, the cookie used by Canvas for session management, is blocked during the LTI 1.3 OIDC authentication flow on the request to the authorization endpoint /api/lti/authorize_redirect. This behavior happens since Chrome > 91 started enforcing the new SameSite policies. That policy is blocking cross-site cookies without SameSite=None and Secure set, and redirects within IFrames are considered cross-site.

Is this known to anyone else? And, if yes, is there any workaround in Canvas? For example, setting session cookies to use SameSite=None?

Steps to reproduce:

  1. Have Google Chrome > 91 (or any other browser enforcing SameSite=None cookies for cross-site calls).
  2. Set up a development stack of Canvas 2021-05-26.01.
  3. Configure LTI 1.3.
  4. Configure an LTI tool (I am using a tool that is based on pylti1p3).
  5. Set up an external tool assignment.
  6. Uncheck the "launch in a separate tab" checkbox.
  7. Launch the assignment.
  8. Observe the LTI launch failing. This can be done through the development console.

Expected behavior:

The LTI launch should succeed.

Actual behavior:

The LTI launch fails, here's a breakdown of the requests.

| # | From | To | Description |
|---|------|----|-------------|
| 1 | BROWSER | CANVAS | Request assignment in Canvas, which is an External Tool (LTI). |
| 2 | CANVAS | BROWSER | Reply with an empty IFrame and set the log_session_id cookie without SameSite=None. This means cross-site calls to CANVAS will not set the cookie. |
| 3 | BROWSER | TOOL | Request login/ from within the iframe. This is cross-site. It starts the OIDC flow. The frontend code will populate the iframe with the content of this request. |
| 4 | TOOL | BROWSER | Reply with a redirect to CANVAS passing the LTI 1.3 auth parameters. This request does not have log_session_id set. It is blocked in Chrome (but Firefox allows it). |
| 5 | BROWSER | CANVAS | Redirect to authenticate at Canvas is sent; it fails because we are not passing the log_session_id token. |
| 6 | CANVAS | BROWSER | Reply with a redirect to TOOL, with an error. |
| 7 | BROWSER | TOOL | This should be the final tool launch, but it is the error from the authentication. |
| 8 | TOOL | BROWSER | Since it was an error, TOOL replies with the "Invalid Tool Launch" message. |


Excerpt of the error redirect from /api/lti/authorize:

utf8: ✓
authenticity_token: <a base64-encoded string that was omitted by me>
error: login_required
error_description: Must have an active user session
state: state-891953f5-97dd-4891-837f-5d01958aeb29
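To make the failure in step 5 of the table concrete, here is an added model (illustration only, not Canvas or pylti1p3 code) of the browser-side SameSite decision that the post describes. It encodes the default rules Chrome enforces (a cookie with no SameSite attribute is treated as Lax; SameSite=None is only honoured together with Secure over HTTPS; Lax cookies are still sent on top-level GET navigations) and applies them to the cross-site redirect from the tool back to /api/lti/authorize_redirect. The cookie name and the endpoint come from the post; the request scenarios and the `authorize_redirect` stub that answers `login_required` are constructed for the example. It also covers the "launch in a separate tab" configuration mentioned in the reproduction steps, where the model predicts a top-level navigation gets the Lax cookie and therefore succeeds.

```python
"""Model of the SameSite cookie decision for the LTI 1.3 OIDC flow.

Added illustration, not code from Canvas or from any LTI tool. Encodes the
default SameSite behaviour of Chrome >= 80 and applies it to the request in
step 5 of the table above (tool -> browser -> Canvas redirect inside the iframe).
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Cookie:
    name: str
    same_site: Optional[str] = None  # "Strict", "Lax", "None" or None (attribute absent)
    secure: bool = False


@dataclass(frozen=True)
class Request:
    scheme: str       # "https" or "http"
    method: str       # "GET", "POST", ...
    cross_site: bool  # True when the request is cross-site (e.g. a redirect issued by the tool)
    top_level: bool   # True for a top-level navigation, False for navigation inside an iframe


def cookie_is_sent(cookie: Cookie, request: Request) -> bool:
    """Return True if a browser enforcing the SameSite defaults attaches the cookie."""
    if cookie.secure and request.scheme != "https":
        return False  # Secure cookies never travel over plain HTTP
    mode = cookie.same_site or "Lax"  # no attribute: Chrome treats the cookie as Lax
    if mode == "None":
        # SameSite=None is only accepted when Secure is also set; Chrome rejects
        # "None" cookies that lack Secure, so they are never sent cross-site.
        return cookie.secure and request.scheme == "https"
    if not request.cross_site:
        return True  # Strict and Lax both allow same-site requests
    if mode == "Lax":
        # Lax still sends the cookie on top-level navigations with a safe method,
        # which is what "launch in a separate tab" relies on.
        return request.top_level and request.method in ("GET", "HEAD")
    return False  # Strict: never on a cross-site request


def authorize_redirect(session_cookie: Cookie, request: Request) -> dict:
    """Constructed stand-in for Canvas's answer at /api/lti/authorize_redirect.

    Without the session cookie the platform cannot tie the OIDC request to a
    logged-in user, which is the login_required error quoted in the post.
    """
    if cookie_is_sent(session_cookie, request):
        return {"status": "ok", "detail": "id_token issued to the tool"}
    return {
        "status": "error",
        "error": "login_required",
        "error_description": "Must have an active user session",
    }


# Constructed scenarios. The cookie name matches the post; attributes are assumed.
IFRAME_REDIRECT = Request(scheme="https", method="GET", cross_site=True, top_level=False)
NEW_TAB_LAUNCH = Request(scheme="https", method="GET", cross_site=True, top_level=True)
PLAIN_HTTP_IFRAME = Request(scheme="http", method="GET", cross_site=True, top_level=False)

CURRENT_COOKIE = Cookie("log_session_id")                             # as observed: no SameSite, no Secure
FIXED_COOKIE = Cookie("log_session_id", same_site="None", secure=True)  # the workaround asked about


def scenarios() -> dict:
    """Run the flow under each cookie/request combination and report the outcome."""
    return {
        "iframe, cookie as-is": authorize_redirect(CURRENT_COOKIE, IFRAME_REDIRECT)["status"],
        "iframe, SameSite=None; Secure": authorize_redirect(FIXED_COOKIE, IFRAME_REDIRECT)["status"],
        "new tab, cookie as-is": authorize_redirect(CURRENT_COOKIE, NEW_TAB_LAUNCH)["status"],
        "plain http, SameSite=None; Secure": authorize_redirect(FIXED_COOKIE, PLAIN_HTTP_IFRAME)["status"],
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:36} -> {result}")
```

The last scenario is the caveat that goes with the workaround: SameSite=None only helps when the cookie is also marked Secure and Canvas is served over HTTPS, so a development stack on plain HTTP will keep failing even after the attribute is changed.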
matthew_buckett
Community Participant

If you are running your own instance of Canvas, have you set up Redis? As I believe it is required for the OAuth2 part of the LTI 1.3 launch.

Thank you for your reply. Yes, I am running a local instance of Canvas. And Yes, I have set up Redis.

More specifically, I can exercise the OAuth workflow with a different browser that can ignore the cross-site cookie restrictions, e.g. Firefox. It would probably also work with an older version of Chrome, but I haven't tested it.