tl-its-umich-edu / canvas-app-explorer

A Web application that presents a list of Canvas external (LTI) tools with details. When integrated within Canvas, the user can search for specific LTI tool(s), and add or remove those tools from Canvas courses.
Apache License 2.0

Check if Deployment ID claim is missing and return an error even if validation is disabled #272

Closed jonespm closed 1 year ago

jonespm commented 2 years ago

We failed the certification in MyLA because we allowed missing deployment ids. We could probably turn this on and validate it but if it's missing completely this should have an error and fail.

This will likely pull the similar fix over from MyLA https://github.com/tl-its-umich-edu/my-learning-analytics/issues/1396

https://github.com/tl-its-umich-edu/canvas-app-explorer/blob/559dd15ea7a5a5144a9243628dfc888ba5cf219c/backend/canvas_app_explorer/lti1p3.py#L33
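The check this issue asks for, as an added example that is not part of the original thread or the project's code: the presence test always runs, and the validation switch only controls the allow-list comparison. `LaunchRejected`, `require_deployment_id`, `validate` and `allowed_ids` are hypothetical names, the claims are assumed to come from an already signature-verified launch, and the 255 ASCII character limit is taken from the LTI 1.3 core specification.

```python
from typing import Any, Iterable, Mapping, Optional

# Claim name as it appears in the launch payload quoted in this thread.
DEPLOYMENT_ID_CLAIM = "https://purl.imsglobal.org/spec/lti/claim/deployment_id"
MAX_DEPLOYMENT_ID_LEN = 255  # LTI 1.3 core: at most 255 ASCII characters


class LaunchRejected(Exception):
    """Hypothetical error type: the launch must fail with an error response."""


def require_deployment_id(
    claims: Mapping[str, Any],
    validate: bool = False,
    allowed_ids: Optional[Iterable[str]] = None,
) -> str:
    """Return the deployment_id of an already signature-verified launch.

    The presence and format checks always run. `validate` (hypothetical
    setting name) only switches the allow-list comparison on or off.
    """
    value = claims.get(DEPLOYMENT_ID_CLAIM)
    if value is None:
        raise LaunchRejected("deployment_id claim is missing or null")
    if not isinstance(value, str) or not value.strip():
        raise LaunchRejected("deployment_id claim must be a non-empty string")
    if len(value) > MAX_DEPLOYMENT_ID_LEN or not value.isascii():
        raise LaunchRejected("deployment_id claim exceeds 255 ASCII characters")
    if validate:
        # Case-sensitive exact match against the registered deployments.
        if value not in set(allowed_ids or ()):
            raise LaunchRejected("deployment_id is not registered for this tool")
    return value


# Constructed sample payloads (not captured from a real launch).
SAMPLE_OK = {DEPLOYMENT_ID_CLAIM: "id_part_1:id_part_2", "iss": "https://platform.example"}
SAMPLE_MISSING = {"iss": "https://platform.example"}

if __name__ == "__main__":
    print(require_deployment_id(SAMPLE_OK))
    try:
        require_deployment_id(SAMPLE_MISSING)  # validation off, still rejected
    except LaunchRejected as exc:
        print("rejected:", exc)
```
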

ssciolla commented 1 year ago

@jonespm, do you want me to pick this up? Not sure what else is on your plate right now.

jonespm commented 1 year ago

Yeah, go ahead if you have time, I was hoping to get to this tomorrow but focusing on MyLA issues today.

zqian commented 1 year ago

Tested with CAE Dev integration with Canvas Test server:

With Chrome developer tools, copied the payload from the /launch call, pasted it into the jwt.io site, and found the deployment_id value: "https://purl.imsglobal.org/spec/lti/claim/deployment_id": "id_part_1:id_part_2".

Since pylti1p3 will always send a deployment id, there is no need to fake the launch call to omit the deployment_id value. This PR has already placed a catch for the null value situation.