Showing results for 
Show  only  | Search instead for 
Did you mean: 
Community Member

Canvas Assignment External Tool Security Concern


I am adding LTI integration support in an application i am working on and i was planning to force login user by taking the email address passed in the payload when assignment is loaded so the application can collect some stats and keep track of the assignment progress for the specific user and then submit the grades back to canvas. Auto login part is to make the flow seamless and user friendly. When testing this feature it raised a security concern because the session for the loaded LTI assignment and my standalone application is shared so the auto login feature would mean that the user is logged in on my standalone application as well. I made the test course public and accessed it through another account that i created for canvas and the course and assignment were being assessed and there was no parameter in the payload that would indicate if the user had verified the account or not. So this leads to a potential vulnerability where the user for my application can be impersonated by creating an account on canvas just by using the email and accessing the assignment. Is there a best practice for this or something that canvas provides through which i can implement it in a more secure way or can it be made so that user cannot get access to a course content if he has not verified the email address. 

0 Kudos
1 Reply
Community Coach
Community Coach

Hello there, mmuslimmunir...

I am reviewing some of the older questions here in the Canvas Community, and I came across your question.  While I don't really have an answer for you myself, I wanted to check in with you because I noticed that we have not heard back from you since you first posted your question on September 4, 2019.  It seems as though you've stumped Community members with your question.  Have you been able to find any solutions on your own that you'd be willing to share back here in this topic?  Or, are you still looking for some help with your question?  Either way, we would like to hear back from you.  For the time being, I am going to mark your question as "Assumed Answered" because we've not heard back from you in over five months and because there hasn't been any activity in this topic for that same amount of time.  However, that won't keep you from posing questions and/or comments below that are related to this topic.  I hope that's okay with you, Muslim.  Looking forward to hearing back from you soon.