Cannot launch LTI 1.3. assignments in IFrame: Canvas auth cookies are blocked
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am using Google Chrome > 91. When I set up Canvas as an LTI 1.3 platform and try to launch LTI tools inside an IFrame, the LTI launch fails with error: login_required and error_description: Must have an active user session. The error is a response toauthorize_redirect/calls, part of the LTI 1.3. OIDC authentication flow. I am using Assignments with External Tools.
It is noticeable that log_session_id, the cookie used by Canvas for session management, is blocked during the LTI 1.3. OIDC authentication flow on the request to the authorization endpoint /api/lti/authorize_redirect. This behavior happens since Chrome > 91 started enforcing the new SameSite policies. That policy is blocking cross-site cookies without SameSite=None and Secure set, and redirects within IFrames are considered cross-site.
Is this known to anyone else? And, if yes, is there any workaround in Canvas? For example, setting session cookies to use SameSite=None?
Steps to reproduce:
- Have Google Chrome > 91 (or any other browser enforcing
SameSite=Nonecookies for cross-site calls). - Setup a development stack of Canvas 2021-05-26.01
- Configure LTI 1.3.
- Configure an LTI tool (I am using a tool that is based on
pylti1p3). - Setup an external tool assignment.
- Uncheck the "launch in a separate tab" checkbox.
- Launch the assignment.
- Observe the LTI launch failing. This can be done through the development console.
Expected behavior:
The LTI launch should succeed.
Actual behavior:
The LTI launch fails, here's a breakdown of the requests.
| # | From | To | Description |
|---|---|---|---|
| 1. | BROWSER | CANVAS | Request assignment in Canvas, which is an External Tool (LTI). |
| 2. | CANVAS | BROWSER | Reply with an empty IFrame and set the log_session_id cookie without SameSite=None. This means cross-site calls to CANVAS will not set the cookie. |
| 3. | BROWSER | TOOL | Request login/ from within the iframe. This is cross-site. It starts the OIDC flow. The frontend code will populate the iframe with the content of this request. |
| 4. | TOOL | BROWSER | Reply with a redirect to CANVAS passing the LTI 1.3. auth parameters. This request does not have log_session_id set. It is blocked in Chrome (but Firefox allows it). |
| 5. | BROWSER | CANVAS | Redirect to authenticate at Canvas is sent, it fails because we are not passing the log_session_id token. |
| 6. | CANVAS | BROWSER | Reply with a redirect to TOOL, with an error. |
| 7. | BROWSER | TOOL | This should be the final tool launch, but it is the error from the authentication. |
| 8. | TOOL | BROWSER | Since it was an error, TOOL reply the "Invalid Tool Launch" message. |
Excerpt of the error redirect from /api/lti/authorize:
utf8: ✓
authenticity_token: <a base 64 encodied string that was omited by me>
error: login_required
error_description: Must have an active user session
state: state-891953f5-97dd-4891-837f-5d01958aeb29
