LTI 1.3 Mismatching LTI Tools with NRPS services and oauth_consumer_key_sign

We have reported these two issues on the opensource repo tracker, but have gotten zero information or responses on them.

Today, canvas will fail to handle the NRPS service in a migrated 1.1 assignment as it tries to use the wrong tool consumer and throws an error.

The same thing happens with oauth_consumer_key_sign. Becuase of their "domain matching" logic, they can find the wrong tool since they just order a list of all tools with matching domains.

Anyone know how to get canvas to look at this or notice? Its technically a security issue as it thinks a tool is actually a different tool.

https://github.com/instructure/canvas-lms/issues/2289
https://github.com/instructure/canvas-lms/issues/2287

0 Replies

LTI 1.3 Mismatching LTI Tools with NRPS services and oauth_consumer_key_sign

LTI 1.3 AGS Deleting a Line Item

Error While Setting a Canvas LMS on Window (WSL)

How to get users LTI v1.3 ID outside of the SSO pa...

Automate admin report 'Grade Export'

ícones de paginas e módulos no Canvas

LTI 1.3 AGS Deleting a Line Item

Error While Setting a Canvas LMS on Window (WSL)

API for Exporting the Individual Assignment URL's ...

How to get users LTI v1.3 ID outside of the SSO pa...

Issue in launching external app in self hosted can...

You're signed out

LTI 1.3 Mismatching LTI Tools with NRPS services and oauth_consumer_key_sign

Community Help

View our top guides and resources: