Cvmcosta / ltijs

Turn your application into a fully integratable LTI 1.3 tool provider.
https://cvmcosta.github.io/ltijs/
Apache License 2.0

ios prevent cross site tracking #67

Closed peaches1066 closed 3 years ago

peaches1066 commented 3 years ago

Describe the bug I am connecting to LTIJS on my home server domain *.info via D2L Brightspace on a .com. This is working fine on a Windows PC with Chrome/Firefox.

However, when connecting via the same link on an iPad, the current session cookie causes Safari's cross-site tracking prevention to block the site from loading. If I turn this off on the iPad then it loads as expected.

Expected behavior Ideally, on an iPad with the default cross-site tracking prevention enabled, the link should still load. Is there a way to make it work without having a session cookie?

Sorry, I am not really a dev, just trying the code out.

Also, as a request, do you have any code showing the use of the AUTH-V1, as I think I need that to get the grades and Names and Roles service working with Brightspace?

Thanks for your help.

Provider logs Copy of the relevant provider logs. Not applicable, as the code works without issue.

Screenshots If applicable, add screenshots to help explain your problem.

Ltijs version

NodeJS version

Platform used D2L Brightspace

Additional context Recent iOS change to turn on cross-site tracking prevention.

peaches1066 commented 3 years ago

Sorry, forgot to add: this is when the link is running in the iFrame and not set to open in an external window.

Cvmcosta commented 3 years ago

Hello!

Can you tell me what cookie options you are using? And is your domain working with https or http? Safari can be very restrictive; usually the only way it works is if the cookies are set with secure: true and sameSite: 'None' and your site is working via https.

```js
lti.setup('LTIKEY', // Key used to sign cookies and tokens
  {
    // Database configuration
  },
  { // Options
    appRoute: '/', loginRoute: '/login', // Optionally, specify some of the reserved routes
    cookies: {
      secure: true,
      sameSite: 'None'
    },
    devMode: false // Set DevMode to true if your environment is not running with https
  }
)
```

The version of Ltijs installed on the demo server is a bit outdated, but if you choose to update it to the newest version (5.5) you can have access to a couple of useful features like ltiaas mode that disables cookie validation for requests and only requires the ltik to be passed.

And you can use regular Bearer Tokens for now to pass the ltik; the LTIK-AUTH-V1 is only required if you want to pass additional authentication tokens to the server. See Request Authentication for all of the available authentication methods (ways you can pass the ltik).

Sorry it took me this long to answer.
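As an added example (not ltijs code), here is an Express-style helper that locates the ltik by the three methods this reply mentions: a plain Bearer header, the LTIK-AUTH-V1 header, and the ltik query parameter. The LTIK-AUTH-V1 layout `Token=<ltik>, Additional=<scheme> <token>` is assumed from the linked Request Authentication docs, and `req.headers` / `req.query` follow Express's request shape.

```javascript
// Added example, not part of ltijs. Locates the ltik in an incoming request
// so that ltiaas mode can work without relying on a session cookie.
// Assumption: LTIK-AUTH-V1 value is "Token=<ltik>, Additional=<scheme> <token>".
// This only finds the token; ltijs still has to verify the ltik signature.

// Returns { ltik, additional } or null when no ltik is present.
function extractLtik(req) {
  const auth = req.headers && req.headers.authorization;
  if (auth) {
    const [scheme, ...rest] = auth.trim().split(/\s+/);
    const value = rest.join(' ');
    // Method 1: Authorization: Bearer <ltik>
    if (/^bearer$/i.test(scheme) && value) {
      return { ltik: value, additional: null };
    }
    // Method 2: Authorization: LTIK-AUTH-V1 Token=<ltik>, Additional=<scheme> <token>
    if (scheme === 'LTIK-AUTH-V1') {
      const params = {};
      for (const part of value.split(',')) {
        const idx = part.indexOf('=');
        if (idx === -1) continue;
        params[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
      }
      if (params.Token) {
        return { ltik: params.Token, additional: params.Additional || null };
      }
    }
  }
  // Method 3: ?ltik=<ltik> in the query string
  if (req.query && typeof req.query.ltik === 'string' && req.query.ltik) {
    return { ltik: req.query.ltik, additional: null };
  }
  return null;
}

// Constructed sample request (not real traffic) showing the LTIK-AUTH-V1 path.
const sampleReq = {
  headers: { authorization: 'LTIK-AUTH-V1 Token=example.ltik.value, Additional=Bearer platform-token' },
  query: {}
};
console.log(extractLtik(sampleReq)); // { ltik: 'example.ltik.value', additional: 'Bearer platform-token' }
```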

peaches1066 commented 3 years ago

Hi, thanks for responding.

So I have changed my code to match the ltiaas. The cookie settings I was using are commented out. I have updated to version 5.5.0. Both the Brightspace and the LTI demo code are https.

Unfortunately, the iPad with the link in the iFrame is not working. As this is not an issue as such with your code, please do not spend a lot of time on this issue, and thank you for the work you are doing on this project.

```js
const path = require('path')
const lti = require('ltijs').Provider

lti.setup(process.env.LTI_KEY,
  { // Database configuration
    url: 'mongodb://' + process.env.DB_HOST + '/' + process.env.DB_NAME + '?authSource=admin',
    connection: { user: process.env.DB_USER, pass: process.env.DB_PASS }
  },
  { // Options: staticPath, cookies, devMode and ltiaas all belong in this single third argument
    staticPath: path.join(__dirname, './public'), // Path to static files
    // cookies: {
    //   secure: true, // Set secure to true if the testing platform is in a different domain and https is being used
    //   sameSite: 'None' // Set sameSite to 'None' if the testing platform is in a different domain and https is being used
    // },
    // devMode: false, // Set DevMode to true if the testing platform is in a different domain and https is not being used
    ltiaas: true // Using ltiaas mode
  }
)
```

Cvmcosta commented 3 years ago

Hello again. Can you start ltijs with devMode: true just so we can be sure that the issue is related to the CORS policy? If devMode: true works, then the issue is really the Safari CORS policy and there is not much I can do.

You can work with devMode enabled if it works; the only difference is that it does not validate the login state cookie, which is part of the LTI specification, but apart from that everything works the same.

peaches1066 commented 3 years ago

Hi, so I changed the code to

```js
const path = require('path')
const lti = require('ltijs').Provider

lti.setup(process.env.LTI_KEY,
  { // Database configuration
    url: 'mongodb://' + process.env.DB_HOST + '/' + process.env.DB_NAME + '?authSource=admin',
    connection: { user: process.env.DB_USER, pass: process.env.DB_PASS }
  },
  { // Options: staticPath, cookies, devMode and ltiaas all belong in this single third argument
    staticPath: path.join(__dirname, './public'), // Path to static files
    // cookies: {
    //   secure: true, // Set secure to true if the testing platform is in a different domain and https is being used
    //   sameSite: 'None' // Set sameSite to 'None' if the testing platform is in a different domain and https is being used
    // },
    devMode: true, // Set DevMode to true if the testing platform is in a different domain and https is not being used
    ltiaas: true // Using ltiaas mode
  }
)
```

However, it has made no difference: with cross-site tracking prevention turned off it all works, but with it on it unfortunately fails. Anyway, thanks for your time and advice.

Cvmcosta commented 3 years ago

I am sorry, it appears that the CORS policies are even more restrictive than I thought. I'll close this issue for now; I'm thinking of implementing support for a possible workaround in the future, since I've seen some developers using popups to set the cookies without going through CORS.