Cvmcosta / ltijs

Turn your application into a fully integratable LTI 1.3 tool provider.
https://cvmcosta.github.io/ltijs/
Apache License 2.0

MISSING_VALIDATION_COOKIE - Canvas - ONLY in Safari #180

Closed mazorAnn closed 1 year ago

mazorAnn commented 1 year ago

Describe the bug

I developed an external tool - using:

VueJS version 2
Firebase

I used ltijs for LTI 1.3 implementation over:

Firebase Cloud functions

Everything works great on Chrome and Firefox; only Safari does not work. This is the error when I'm trying to LAUNCH an assignment:

{"status":401,"error":"Unauthorized","details":{"description":"Error validating ltik or IdToken","message":"MISSING_VALIDATION_COOKIE"}}

Expected behavior

the launch in safari is supposed to work the same as chrome/Firefox

Provider logs

Function execution started
provider:main Receiving request at path: /
provider:main Path does not match reserved endpoints
provider:main Cookies received:
provider:main [Object: null prototype] {}
provider:main Received idtoken for validation
provider:auth Response state: cf5fc7885e95a0e3d5434efb2fce8ce836e865822335165680
provider:auth Attempting to validate iss claim
provider:auth Request Iss claim: undefined
provider:auth Response Iss claim: https://canvas.instructure.com
provider:main Deleting state cookie and Database entry
provider:auth Error: MISSING_VALIDATION_COOKIE
at Function.validateToken (/workspace/node_modules/ltijs/dist/Utils/Auth.js:98:27)
at sessionValidator (/workspace/node_modules/ltijs/dist/Provider/Provider.js:400:38)
at Layer.handle [as handle_request] (/workspace/node_modules/express/lib/router/layer.js:95:5)
at trim_prefix (/workspace/node_modules/express/lib/router/index.js:317:13)
at /workspace/node_modules/express/lib/router/index.js:284:7
at Function.process_params (/workspace/node_modules/express/lib/router/index.js:335:12)
at next (/workspace/node_modules/express/lib/router/index.js:275:10)
at /workspace/node_modules/ltijs/dist/Utils/Server.js:115:14
at Layer.handle [as handle_request] (/workspace/node_modules/express/lib/router/layer.js:95:5)
at trim_prefix (/workspace/node_modules/express/lib/router/index.js:317:13)
provider:main Passing request to invalid token handler
Function execution took 115 ms, finished with status code: 401

Screenshots

Left - Safari | Right - Chrome

https://user-images.githubusercontent.com/89394418/224063578-b8b37f43-8fe5-44ce-96db-48a43b3bf12c.mov

Ltijs version

NodeJS version

Platform used

Additional context

This is my Setup Code in the lti-index.js file of the firebase Cloud functions:

// Imports the snippet relies on (added so it runs as posted; the conf path is assumed)
const lti = require("ltijs").Provider;
const Firestore = require("ltijs-firestore");
const {logger} = require("firebase-functions");
const conf = require("./conf"); // the conf file shown below

// Provider setup: Firestore-backed storage, LTIaaS mode, cross-site cookies
lti.setup("LTIKEY",
  {plugin: new Firestore({collectionPrefix: "ltijs-"})},
  {
    ltiaas: true,
    cookies: {
      secure: true,
      sameSite: "None",
    },
  }
);

// Deploys in serverless mode (no listening socket) and registers the Canvas platform
const setup = async () => {
  await lti.deploy({serverless: true});
  await lti.registerPlatform(conf.LTI_PlatformConf)
    .catch((e) => logger.error("error while registering Platform", e));
};
setup();

this is my conf file:

module.exports = {
  LTI_PlatformConf: {
    url: "https://canvas.instructure.com",
    name: "Canvas",
    clientId: "##############", // I just hide the clientId
    authenticationEndpoint: "https://atomiclearning.instructure.com/api/lti/authorize_redirect",
    accesstokenEndpoint: "https://atomiclearning.instructure.com/login/oauth2/token",
    authConfig: {
      method: "JWK_SET",
      key: "https://atomiclearning.instructure.com/api/lti/security/jwks",
    },
  },
};

Sorry for labeling it as a bug by mistake

mazorAnn commented 1 year ago

UPDATE:

same problem on iPhone - both Chrome & Safari

Soumyaranjanpal commented 1 year ago

I face the same issue with Firefox

Cvmcosta commented 1 year ago

Hello @mazorAnn and @Soumyaranjanpal this issue is caused by the third party cookie policies blocking part of the LTI launch flow, the state validation. There are two ways of working around this at the moment:

  1. Simply enabling third party cookies on these browsers.
  2. Using LTIJS in devMode, by setting devMode: true in the setup options. All this does is disable state cookie validation. That being said, this technically means your app is not fully LTI compliant.

This is a known issue with the current LTI protocol and alternatives to using a state cookie are being discussed as more and more browsers are blocking third party cookies by default.

I am closing this as it is not a bug, but please feel free to ask more questions about it here.