Hi, I've just been exploring this project as a possible starting point for a modern LTI tool and noticed it doesn't seem to be validating the 'state' value that is set in a cookie during the first step of the LTI launch. I was expecting the cookie to be retrieved in the lambda on the /launch endpoint, but I couldn't find where this was happening, which leads me to think this isn't LTI 1.3 compliant?
I noticed this because when launching in Safari, it should block third-party cookies, which would then break the LTI launch flow, but it did not in the way I expected. It did break in Safari on the next part (OAuth flow to the IDP) for this exact reason, but not for the LTI launch.
LTI has a spec to address the Safari issue with third-party cookies, but I don't see how this can be fixed in an iframe for the OAuth flow to the IDP?
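For reference, this is what the missing check looks like: the tool mints `state` at the OIDC login step and stores it in its own cookie, then at /launch compares the `state` POSTed by the platform against that cookie. This is an added illustration, not code from this project; the cookie name `lti_state` and the function names are assumptions.

```python
import hmac
import secrets
from http.cookies import SimpleCookie

STATE_COOKIE = "lti_state"  # hypothetical cookie name, not the project's


def begin_login(login_hint: str, target_link_uri: str, client_id: str) -> tuple[dict, str]:
    """Step 1 (OIDC login initiation): mint state + nonce and bind state to this browser.

    Returns the authentication request parameters and the Set-Cookie header value.
    """
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    auth_params = {
        "scope": "openid", "response_type": "id_token", "response_mode": "form_post",
        "prompt": "none", "client_id": client_id, "redirect_uri": target_link_uri,
        "login_hint": login_hint, "state": state, "nonce": nonce,
    }
    # The launch arrives as a cross-site POST into an iframe, so the cookie needs
    # SameSite=None; Secure. Safari still drops it when third-party cookies are blocked,
    # which is exactly why the check below fails closed instead of skipping validation.
    set_cookie = f"{STATE_COOKIE}={state}; Path=/; Secure; HttpOnly; SameSite=None; Max-Age=600"
    return auth_params, set_cookie


def validate_launch_state(form: dict, cookie_header: str) -> bool:
    """Step 2 (/launch): the POSTed state must equal the state this tool set in its cookie.

    A missing cookie means the browser never did step 1 (or blocked the cookie); a mismatch
    means the id_token was not requested by this browser session. Both reject the launch.
    """
    posted = form.get("state")
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get(STATE_COOKIE)
    if not posted or morsel is None:
        return False
    # constant-time compare so the check itself leaks nothing about the stored value
    return hmac.compare_digest(posted, morsel.value)


if __name__ == "__main__":
    params, cookie = begin_login("user-123", "https://tool.example/launch", "client-1")
    # constructed launch: the platform echoes state in the form, the browser sends the cookie
    ok = validate_launch_state({"state": params["state"]}, f"{STATE_COOKIE}={params['state']}")
    print("launch accepted" if ok else "launch rejected")
```

The nonce is handled the same way on the tool side (store it, then require the `nonce` claim of the id_token to match), which this snippet leaves out.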