Cannot launch LTI 1.3 assignments in IFrame: Canvas fails to authenticate because cross-site cookie is blocked #1900
Comments
I am experiencing the same thing. Could you find any remediation or fixes for this? Thank you :)
I have this problem too.
This is a fairly old issue, but I'm seeing the same thing. I just went through making sure the SameSite=None and Secure flags are set for the tool I'm working on, but this seems to be something that needs to be fixed on the Canvas side. I'm quite surprised: if this is an issue, why isn't it an issue for all LTI 1.3 deep linking tools?
Hello. Sorry for my bad English. That's indeed a problem on the Canvas side. Bad documentation. Also, Canvas has a very bad implementation of LTI 1.3. But Canvas LMS, set
I think they're using Instructure's Canvas instance. This instance doesn't have this problem, because
LTI 1.3 deep linking doesn't seem to be working properly in the latest Chrome. This is because the SameSite cookie property is not set properly. See instructure#1900
LTI 1.3 deep linking doesn't seem to be working in the latest Chrome. Seemingly this is because the SameSite property of the session and CSRF token cookies is not set to None to allow cross-site use. Even though the deep link selection iframe ends up at the same domain (Canvas), it's navigated to through the tool domain, which effectively makes it cross-site. Closes instructuregh-1900
Test plan:
- Test LTI 1.3 deep linking with an external tool
- Test compatibility with different browsers (new browsers supporting SameSite: None and browsers not supporting it)
- Investigate any undesired security implications this change might have
Adding the session_store.yml config does add the Secure flag, which is also needed, but as far as I can tell it does not help with adding the SameSite flag. I managed to get it working on my self-hosted instance of Canvas by making the changes in my pull request above. I had to change a few different places to make it apply SameSite to both the session cookie and the CSRF token cookie. I'm running a self-hosted instance to test my tool, and it has indeed been a bit of a hassle to set up. Not sure if things behave differently in any Instructure-hosted solutions.
Summary:
In Google Chrome > 91, when using Canvas as an LTI 1.3 platform to launch External Tool assignments connected to an LTI 1.3 tool inside an IFrame, the launch fails with error: login_required and error_description: Must have an active user session. It is noticeable that log_session_id, the cookie used by Canvas for session management, is blocked during the LTI 1.3 OIDC authentication flow on the request to the authorization endpoint /api/lti/authorize_redirect. This behavior has happened since Chrome > 91 started enforcing the new SameSite policies. That policy blocks cross-site cookies without SameSite=None and Secure set, and redirects within IFrames are considered cross-site.
Steps to reproduce:
... SameSite=None cookies for cross-site calls). ... pylti1p3).
Expected behavior:
The LTI launch should succeed.
Actual behavior:
The LTI launch fails; here's a breakdown of the requests.
- ... log_session_id cookie without SameSite=None. This means cross-site calls to Canvas will not set the cookie.
- ... login/ from within the iframe. This is cross-site. It starts the OIDC flow. The frontend code will populate the iframe with the content of this request.
- ... log_session_id set. It is blocked in Chrome (but Firefox allows it).
- ... log_session_id token.
Excerpt of the error redirect from /api/lti/authorize:
Additional notes:
Please notice there are other resources in forums and discussions around LTI 1.3 and cross-site cookie handling after SameSite=None enforcement was added to browsers such as Chrome and Safari, but they are related to updating Tools that use cross-site cookies. This report is about performing the LTI 1.3 authentication within an IFrame.
Examples: