Developing LTI 1.3 integration - iframes, 3rd party cookie blocking

Community Member

I'm developing a canvas integration that uses LTI 1.3 to embed an iframe on a page in canvas, and am running into an issue. When I check Safari's "Prevent cross-site tracking" checkbox, I am able to embed my LTI tool on a canvas page in our test canvas instance (https://<domain>

However, when I run the same code in https://<domain> I get this response:

    [utf8] => ✓
    [authenticity_token] => STRING==
    [error] => login_required
    [error_description] => Must have an active user session
    [state] => state-STRING

I'm not too sure at this point where the problem is - I haven't followed the requests closely enough to see what cookies aren't being set (I presume) that would be required for canvas to identify the user within the iframe, but I'm also confused why dev/test instances are different enough that one will work, and one won't.

My application does not need to set a cookie for this to work - I'm encrypting state and sending it as a querystring parameter as part of my target_link_uri.