oat-sa / lib-lti1p3-core

PHP library for LTI 1.3 Core implementations as platforms and / or as tools.
GNU General Public License v2.0

`OidcAuthenticator` response is sent to `target_link_uri` instead of `redirect_uri` #160

Open martinclaus opened 1 year ago

martinclaus commented 1 year ago

According to the LTI 1.3 specs, the out-of-band registration process includes registration of the redirect URIs provided by the tool. The authentication response shall be sent only to one of those URIs. The specific URI is provided by the tool via the `redirect_uri` parameter in the authentication request.

However, OidcAuthenticator is sending the authentication response to the target_link_uri, which is the uri to which the tool is supposed to redirect the user after validating the authentication response.

https://github.com/oat-sa/lib-lti1p3-core/blob/d5256041ac6ef86a30bb172ee637e7b4786e1647/src/Security/Oidc/OidcAuthenticator.php#L120
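The rule the issue describes, as an added platform-side illustration (not code from lib-lti1p3-core): the OIDC authentication response carrying the `id_token` and `state` must go to the `redirect_uri` from the tool's authentication request, after checking that value against the redirect URIs registered out of band for the tool, while `target_link_uri` only travels inside the `id_token` as a claim. The registration and request classes, the constructed sample URIs and the `build_form_post_response` helper are hypothetical.

```python
"""Where an LTI 1.3 platform must send the OIDC authentication response.

Hypothetical illustration, not part of oat-sa/lib-lti1p3-core.  The tool's
authentication request names a redirect_uri; the platform POSTs id_token and
state there (OAuth 2.0 form_post response mode) only if it is one of the
redirect URIs registered for that tool.  target_link_uri is a claim inside the
id_token telling the tool where to send the user next; it is never the target
of the response itself.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

TARGET_LINK_URI_CLAIM = "https://purl.imsglobal.org/spec/lti/claim/target_link_uri"


@dataclass(frozen=True)
class ToolRegistration:
    client_id: str
    launch_url: str               # the tool's default target_link_uri
    redirect_uris: frozenset      # registered out of band, exact strings


@dataclass(frozen=True)
class AuthenticationRequest:
    """Subset of the OIDC authentication request the tool sends."""
    client_id: str
    redirect_uri: str
    state: str
    nonce: str
    login_hint: str


def is_registered_redirect_uri(registration: ToolRegistration, uri: str) -> bool:
    """Exact string comparison, as OAuth 2.0 / OIDC require for redirect URIs.

    Prefix, host-only or normalised matching would let any other endpoint on
    the tool's host receive the id_token.  Fragments are forbidden in redirect
    URIs, so a registered value carrying one is refused as well.
    """
    if uri not in registration.redirect_uris:
        return False
    parts = urlsplit(uri)
    return bool(parts.scheme) and bool(parts.netloc) and not parts.fragment


def response_target(registration: ToolRegistration, request: AuthenticationRequest) -> str:
    """Return the URI the authentication response is delivered to.

    This is decided purely from the request's redirect_uri and the
    registration; nothing from the id_token claims (target_link_uri included)
    takes part in the decision.
    """
    if request.client_id != registration.client_id:
        raise ValueError("client_id does not match the tool registration")
    if not is_registered_redirect_uri(registration, request.redirect_uri):
        raise ValueError(f"redirect_uri is not registered: {request.redirect_uri}")
    return request.redirect_uri


def build_form_post_response(registration: ToolRegistration,
                             request: AuthenticationRequest,
                             id_token: str,
                             id_token_claims: dict) -> tuple:
    """Assemble the form_post response: (form action URL, form fields).

    id_token_claims is only inspected to show that target_link_uri lives in
    the token payload; the caller would have signed those claims into id_token.
    """
    if TARGET_LINK_URI_CLAIM not in id_token_claims:
        raise ValueError("id_token is missing the target_link_uri claim")
    action = response_target(registration, request)
    return action, {"id_token": id_token, "state": request.state}


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    reg = ToolRegistration("client-1", "https://tool.example/lti/launch",
                           frozenset({"https://tool.example/lti/auth"}))
    req = AuthenticationRequest("client-1", "https://tool.example/lti/auth",
                                state="s1", nonce="n1", login_hint="user-7")
    claims = {TARGET_LINK_URI_CLAIM: "https://tool.example/lti/launch?resource=42"}
    action, fields = build_form_post_response(reg, req, "<signed-jwt>", claims)
    print("POST", action, fields)   # goes to the redirect_uri, not target_link_uri
```

The `response_target` check is the one a platform implementation should make before writing the auto-submitting form; a registration may list several redirect URIs, so the launch URL alone is not a substitute for the value the tool actually asked for in `redirect_uri`.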

isl-dbouman commented 1 year ago

Ran into this same issue, this is what fixed it for me:

Replace `$originalToken->getClaims()->getMandatory(LtiMessagePayloadInterface::CLAIM_LTI_TARGET_LINK_URI)` with `$registration->getTool()->getLaunchUrl()`.

mk-kialo commented 1 year ago

We also have the same issue. @isl-dbouman do you maybe want to create a PR for this?