LTI 1.3 Mismatching LTI Tools with NRPS services and oauth_consumer_key_sign

erikgoreact
Community Member

We have reported these two issues on the opensource repo tracker, but have gotten zero information or responses on them.

Today, Canvas will fail to handle the NRPS service in a migrated 1.1 assignment, as it tries to use the wrong tool consumer and throws an error.

The same thing happens with oauth_consumer_key_sign. Because of their "domain matching" logic, they can find the wrong tool, since they just order a list of all tools with matching domains.

Anyone know how to get Canvas to look at this or notice? It's technically a security issue, as it thinks a tool is actually a different tool.

https://github.com/instructure/canvas-lms/issues/2289
https://github.com/instructure/canvas-lms/issues/2287

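The post's point, that resolving a tool by domain alone is ambiguous once two tools share a domain, can be shown with a small simulation. This is an added illustration written for this page, not Canvas code and not taken from the linked issues. The registry, the two tools, the URL, the nonce and timestamp are all constructed, and the assumption that a domain lookup returns the first match by name stands in for whatever ordering a real platform uses. The OAuth 1.0a HMAC-SHA1 signing follows RFC 5849, which is what LTI 1.1 uses.

```ruby
require 'openssl'
require 'uri'

# Constructed registry (not Canvas data): two distinct tools installed under
# the same domain, each with its own OAuth consumer key and shared secret.
TOOLS = [
  { name: 'Tool A', domain: 'tool.example.com', consumer_key: 'key-a', secret: 'secret-a' },
  { name: 'Tool B', domain: 'tool.example.com', consumer_key: 'key-b', secret: 'secret-b' },
].freeze

# Lookup by domain only: every tool on that host matches, so the result
# depends on list ordering (assumed here: by name), not on who signed the request.
def find_tool_by_domain(url)
  host = URI.parse(url).host
  TOOLS.select { |t| t[:domain] == host }.min_by { |t| t[:name] }
end

# Lookup by the oauth_consumer_key carried in the request itself.
def find_tool_by_consumer_key(key)
  TOOLS.find { |t| t[:consumer_key] == key }
end

# RFC 3986 percent-encoding as required by OAuth 1.0a (RFC 5849 section 3.6).
def oauth_encode(value)
  value.to_s.gsub(/[^A-Za-z0-9\-._~]/) { |c| c.bytes.map { |b| format('%%%02X', b) }.join }
end

# Signature base string: METHOD & encoded URL & encoded, sorted parameter string.
def signature_base_string(method, url, params)
  normalized = params.reject { |k, _| k == 'oauth_signature' }
                     .map { |k, v| [oauth_encode(k), oauth_encode(v)] }
                     .sort
                     .map { |k, v| "#{k}=#{v}" }
                     .join('&')
  [method.upcase, oauth_encode(url), oauth_encode(normalized)].join('&')
end

# HMAC-SHA1 over the base string, keyed with "consumer_secret&" (no token secret).
def oauth_sign(method, url, params, secret)
  key = "#{oauth_encode(secret)}&"
  digest = OpenSSL::HMAC.digest(OpenSSL::Digest.new('SHA1'), key,
                                signature_base_string(method, url, params))
  [digest].pack('m0') # strict base64, no trailing newline
end

# Constant-time comparison so the verifier does not leak how much of the
# signature matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize

  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def signature_valid?(method, url, params, tool)
  secure_equal?(oauth_sign(method, url, params, tool[:secret]), params['oauth_signature'])
end

# Simulate a platform receiving a request that Tool B signed with its own key,
# then resolving "which tool is this?" either by domain or by consumer key.
# Returns the tool the platform attributed the request to and whether the
# signature verified against that tool's secret.
def handle_signed_request(lookup:)
  method = 'POST'
  url = 'https://tool.example.com/lti/service'
  params = {
    'oauth_consumer_key' => 'key-b',
    'oauth_nonce' => 'constructed-nonce-0001',
    'oauth_signature_method' => 'HMAC-SHA1',
    'oauth_timestamp' => '1700000000',
    'oauth_version' => '1.0',
    'lti_version' => 'LTI-1p0',
  }
  params['oauth_signature'] = oauth_sign(method, url, params, 'secret-b')

  tool = if lookup == :domain
           find_tool_by_domain(url)
         else
           find_tool_by_consumer_key(params['oauth_consumer_key'])
         end
  { tool: tool[:name], verified: signature_valid?(method, url, params, tool) }
end

if $PROGRAM_NAME == __FILE__
  p handle_signed_request(lookup: :domain)       # attributed to Tool A, signature does not verify
  p handle_signed_request(lookup: :consumer_key) # attributed to Tool B, signature verifies
end
```

With the domain lookup, a request that Tool B legitimately signed is attributed to Tool A and then fails verification against Tool A's secret; with the consumer-key lookup the same request is attributed to the tool that actually holds that key. The consumer key (or, for LTI 1.3, the client_id) is the identifier the signature is bound to, so it is the only field a platform can safely resolve a tool from.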