Cannot launch LTI 1.3 assignments in IFrame: Canvas auth cookies are blocked
I am using Google Chrome > 91. When I set up Canvas as an LTI 1.3 platform and try to launch LTI tools inside an IFrame, the LTI launch fails with `error: login_required` and `error_description: Must have an active user session`. The error is a response to `authorize_redirect` calls, part of the LTI 1.3 OIDC authentication flow. I am using Assignments with External Tools.
It is noticeable that `log_session_id`, the cookie used by Canvas for session management, is blocked during the LTI 1.3 OIDC authentication flow on the request to the authorization endpoint `/api/lti/authorize_redirect`. This behavior happens since Chrome > 91 started enforcing the new SameSite policies. That policy blocks cross-site cookies without `Secure` set, and redirects within IFrames are considered cross-site.
Is this known to anyone else? And, if yes, is there any workaround in Canvas? For example, setting session cookies to use
Steps to reproduce:
- Have Google Chrome > 91 (or any other browser enforcing `SameSite=None` cookies for cross-site calls).
- Set up a development stack of Canvas 2021-05-26.01.
- Configure LTI 1.3.
- Configure an LTI tool (I am using a tool that is based on
- Set up an external tool assignment.
- Uncheck the "launch in a separate tab" checkbox.
- Launch the assignment.
- Observe the LTI launch failing. This can be done through the development console.
Expected behavior: the LTI launch should succeed.
Actual behavior: the LTI launch fails; here is a breakdown of the requests.
| Step | From | To | Description |
|---|---|---|---|
| 1 | BROWSER | CANVAS | Request assignment in Canvas, which is an External Tool (LTI). |
| 2 | CANVAS | BROWSER | Reply with an empty IFrame and set the |
| 4 | TOOL | BROWSER | Reply with a redirect to CANVAS passing the LTI 1.3 auth parameters. This request does not have |
| 5 | BROWSER | CANVAS | Redirect to authenticate at Canvas is sent; it fails because we are not passing the |
| 6 | CANVAS | BROWSER | Reply with a redirect to TOOL, with an error. |
| 7 | BROWSER | TOOL | This should be the final tool launch, but it is the error from the authentication. |
| 8 | TOOL | BROWSER | Since it was an error, TOOL replies with the "Invalid Tool Launch" message. |
Excerpt of the error redirect from
```
utf8: ✓
authenticity_token: <a base64-encoded string that was omitted by me>
error: login_required
error_description: Must have an active user session
state: state-891953f5-97dd-4891-837f-5d01958aeb29
```
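To see which cookies survive the cross-site redirect inside the IFrame that this report describes, here is an added Python example (not code from the report or from Canvas): it parses Set-Cookie headers and applies the SameSite rules the report refers to. The header values are constructed samples; `log_session_id` is the cookie named in the report, and the rules are modelled on Chrome's documented defaults.

```python
# Added example (not Canvas code): classify Set-Cookie headers by whether a browser
# enforcing the SameSite defaults (Chrome 80+) would send them on a cross-site
# request, such as the redirect to /api/lti/authorize_redirect inside an IFrame.
from dataclasses import dataclass


@dataclass
class CookieAttrs:
    name: str
    secure: bool
    samesite: str  # "none", "lax", "strict", or "" when the attribute is absent


def parse_set_cookie(header: str) -> CookieAttrs:
    """Extract name, Secure and SameSite from one Set-Cookie header value."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    secure, samesite = False, ""
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            secure = True
        elif key == "samesite":
            samesite = value.strip().lower()
    return CookieAttrs(name, secure, samesite)


def sent_cross_site(cookie: CookieAttrs, top_level: bool, method: str = "GET") -> bool:
    """SameSite defaults as Chrome documents them (the 2-minute Lax+POST grace is ignored):
    missing SameSite -> Lax; None requires Secure or the cookie is rejected;
    Lax travels cross-site only on top-level GET/HEAD navigations; Strict never does.
    Navigations and redirects inside an IFrame are not top-level."""
    samesite = cookie.samesite or "lax"
    if samesite == "none":
        return cookie.secure
    if samesite == "lax":
        return top_level and method.upper() in ("GET", "HEAD")
    return False


def blocked_in_iframe(set_cookie_headers):
    """Names of cookies that would not accompany a redirect inside an IFrame."""
    return [c.name for c in map(parse_set_cookie, set_cookie_headers)
            if not sent_cross_site(c, top_level=False)]


# Constructed samples: the first is the failing shape, the second the shape that works.
SAMPLE_HEADERS = [
    "log_session_id=abc123; path=/; HttpOnly",
    "log_session_id=abc123; path=/; HttpOnly; Secure; SameSite=None",
    "_csrf_token=xyz; path=/; SameSite=None",  # None without Secure: rejected
]
```

`blocked_in_iframe(SAMPLE_HEADERS)` reports the first and third cookies; only the `Secure; SameSite=None` variant reaches the authorization endpoint from inside the IFrame.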