LTI 1.3 Mismatching LTI Tools with NRPS services and oauth_consumer_key_sign

Found this content helpful? Log in or sign up to leave a like!

We have reported these two issues on the opensource repo tracker, but have gotten zero information or responses on them.

Today, canvas will fail to handle the NRPS service in a migrated 1.1 assignment as it tries to use the wrong tool consumer and throws an error.

The same thing happens with oauth_consumer_key_sign. Becuase of their "domain matching" logic, they can find the wrong tool since they just order a list of all tools with matching domains.

Anyone know how to get canvas to look at this or notice? Its technically a security issue as it thinks a tool is actually a different tool.

https://github.com/instructure/canvas-lms/issues/2289
https://github.com/instructure/canvas-lms/issues/2287

0 Replies

Need help? Sign up or log in to interact with Panda Bot

LTI 1.3 Mismatching LTI Tools with NRPS services and oauth_consumer_key_sign

Donot have valid data to test certain APIs

Getting Canvas LTI Data

Is it posible to get the self_enrollment_code trou...

Display LTI content in pages from Editor LTI Place...

Media Plugin for Canvas LMS

UI for weekly progression idea

Is the ‘Enable self assessment’ field available in...

Canvas Rubrics API Criteria

api/v1/courses/sis_course_id:{id#}/sections - Not ...

add `desc` or `asc` to a few api calls that are al...

You're signed out

LTI 1.3 Mismatching LTI Tools with NRPS services and oauth_consumer_key_sign

Community help

View our top guides and resources: