We’re removing OAuth for posting back activity sessions.
This means that anyone who knows the activity session ID can write back to the activity session.
Students still cannot start activities without the proper credentials.
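A minimal sketch of that model, added here as an illustration and not taken from our code base: starting an activity checks credentials, while posting back checks only the activity session ID, so the ID has to be unguessable. The function names, the in-memory store and the sample credential are all assumptions.

```python
import hmac
import secrets

# Hypothetical in-memory stores (assumptions for illustration only).
_sessions = {}  # activity_session_id -> {"student": ..., "results": [...]}
_credentials = {"student-1": "constructed-password"}  # constructed sample


def start_activity(student, password):
    """Starting an activity still requires proper credentials."""
    expected = _credentials.get(student)
    if expected is None or not hmac.compare_digest(expected, password):
        raise PermissionError("credentials required to start an activity")
    # The ID is the only thing protecting write-back, so it must be
    # unguessable: 32 random bytes from the OS CSPRNG, never a counter
    # or a database row number.
    session_id = secrets.token_urlsafe(32)
    _sessions[session_id] = {"student": student, "results": []}
    return session_id


def post_back(session_id, result):
    """Write-back without OAuth: knowing the session ID is the only check."""
    session = _sessions.get(session_id)
    if session is None:
        return False  # unknown or guessed ID: reject without further detail
    session["results"].append(result)
    return True


def results_for(session_id):
    """Return a copy of the results recorded for one activity session."""
    return list(_sessions[session_id]["results"])


if __name__ == "__main__":
    sid = start_activity("student-1", "constructed-password")
    print(post_back(sid, {"score": 5}), post_back("1", {"score": 5}))
```

Because the ID now acts as a bearer secret, it should also be kept out of places that leak it, such as logs and referrer headers.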
Things are complicated because of the iframe. We should drop the iframe over the summer and move to a domain redirect model.
The cookie and API authorization are getting out of sync because computers are shared. We could move to token authorization across the site: one token-based authentication system.
If you sign into the site and sign into the iframe, you get different results.
We basically become a true single sign on provider with the
We move all authentication to use a single dyne, separate from the rest of the site.