Open jvdm opened 3 years ago
I am experiencing the same thing. Could you find any remediation or fixes for this?
Thank you :)
I have this problem too. When I manually change _legacy_normandy_session to Secure,SameSite=None in my Chrome, it starts working.
This is a fairly old issue but I'm seeing the same thing. Just went through making sure SameSite=None and Secure flags are set for the tool I'm working on but this seems to be something that needs to be fixed Canvas side.
I'm quite surprised, if this is an issue, why isn't it an issue for all LTI 1.3 deep linking tools?
This is a fairly old issue but I'm seeing the same thing. Just went through making sure SameSite=None and Secure flags are set for the tool I'm working on but this seems to be something that needs to be fixed Canvas side.
Hello. Sorry for my bad english.
That's indeed a problem on Canvas side. Bad documentation.
Canvas has session_store.yml
file (https://github.com/instructure/canvas-lms/blob/master/config/session_store.yml.example) that has secure
field (commented) and you need to uncomment, then it will set SameSite and Secure flags.
But you won't find it in their documentation for production installing (https://github.com/instructure/canvas-lms/wiki/Production-Start), so people install self-hosted Canvas, forgetting uncomment secure
field, and half of LTI 1.3 won't work on their instance.
Also Canvas has very bad realization for LTI 1.3.
You can identify LMS instance by two fields issuer
and client_id
. So these two fields together needs to be globally unique. BrightSpace, Moodle and other LMS systems don't have problem with uniqueness, because they're generating client_id
randomly and issuer
defaults to instance domain.
But Canvas LMS, set issuer
to https://canvas.instructure.com
in https://github.com/instructure/canvas-lms/blob/master/config/security.yml.example
and not saying people how to change it in production documentation. Not only this, but their client_id
not generating randomly, starting from 10000000000001
for every self-hosted instance.
I'm quite surprised, if this is an issue, why isn't it an issue for all LTI 1.3 deep linking tools?
I think they're using Instructure's Canvas instance. This instance doesn't have this problem, because secure
field was set.
Adding the session_store.yml config does add the Secure flag which also is needed but as far as I can tell it does not help with adding the SameSite flag. I managed to get it working on my self-hosted instance of Canvas by doing the changes in my pull request above. I had to change in a few different places to make it apply SameSite both to the session cookie and to the CSRF Token cookie.
I'm running a self-hosted instance to test my tool and it has indeed been a bit of a hassle to setup. Not sure if things behaves differently in any Instructure hosted solutions.
Summary:
In Google Chrome > 91, when using Canvas as an LTI 1.3 platform to launch External Tool assignments connected to an LTI 1.3. tool inside an IFrame, the launch fails with
error: login_required
anderror_description: Must have an active user session
.It is noticeable that
log_session_id
, the cookie used by Canvas for session management, is blocked during the LTI 1.3. OIDC authentication flow on the request to the authorization endpoint/api/lti/authorize_redirect
. This behavior happens since Chrome > 91 started enforcing the new SameSite policies. That policy is blocking cross-site cookies withoutSameSite=None
andSecure
set, and redirects within IFrames are considered cross-site.Steps to reproduce:
SameSite=None
cookies for cross-site calls).pylti1p3
).Expected behavior:
The LTI launch should succeed.
Actual behavior:
The LTI launch fails, here's a breakdown of the requests.
log_session_id
cookie withoutSameSite=None
. This means cross-site calls to CANVAS will not set the cookie.login/
from within the iframe. This is cross-site. It starts the OIDC flow. The frontend code will populate the iframe with the content of this request.log_session_id
set. It is blocked in Chrome (but Firefox allows it).log_session_id
token.Excerpt of the error redirect from
/api/lti/authorize
:Additional notes:
Please, notice there are other resources in Forums and discussions around LTI 1.3. and cross-site cookies handling after the
SameSite=None
enforcing was added to browsers such as Chrome and Safari, but they are related to updating Tools that uses cross-site cookies. This report is about to perform the LTI 1.3 authentication within an IFrame.Examples: