
LTI access tokens aud invalid if port not 80/443

Open · andrew-gardener opened this issue 5 years ago · 1 comment

Summary:

Only the host is being used to build the aud (no port).

Steps to reproduce:

  1. Set up Canvas locally for development using a port other than 80/443 (ex: 8080)
  2. Set up an LTI 1.3 deployment
  3. Attempt to use an LTI service requiring an access token (ex: Names and Role Provisioning Services)

Expected behavior:

LTI service functions

Actual behavior:

400 with return value {"error":"invalid_request","error_description":"the 'aud' is invalid"}

Additional notes:

Suggest changing this: https://github.com/instructure/canvas-lms/blob/45d23e3ab6848b40d1cc75dc1a23a359ded18290/app/controllers/oauth2_provider_controller.rb#L109 to use request.host_with_port instead of request.host.

andrew-gardener, Feb 21 '20 22:02
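The mismatch the issue describes, as an added Ruby example that is not Canvas's own code: the expected audience is built once from the bare host (the reported behaviour) and once from host plus non-default port (the proposed fix), then compared against the `aud` a tool puts in its client_assertion JWT. The token endpoint path `/login/oauth2/token` and the string-or-array shape of the claim are assumptions.

```ruby
# Added example, not Canvas code. The token endpoint path is assumed to be the
# LTI Advantage client_credentials endpoint "/login/oauth2/token".
TOKEN_PATH = "/login/oauth2/token".freeze

# Mirrors Rack's request.host_with_port: the port is appended only when it is
# not the default for the scheme (80 for http, 443 for https).
def host_with_port(scheme, host, port)
  default = scheme == "https" ? 443 : 80
  port == default ? host : "#{host}:#{port}"
end

# Reported behaviour: the expected audience is built from request.host alone,
# so a non-standard port is silently dropped.
def expected_aud_buggy(scheme, host, _port)
  "#{scheme}://#{host}#{TOKEN_PATH}"
end

# Proposed fix: build the expected audience from request.host_with_port.
def expected_aud_fixed(scheme, host, port)
  "#{scheme}://#{host_with_port(scheme, host, port)}#{TOKEN_PATH}"
end

# RFC 7523 client_assertion check: 'aud' may be a string or an array of
# strings; the token endpoint URL must appear among them.
def aud_valid?(aud_claim, expected)
  Array(aud_claim).include?(expected)
end

# Constructed sample claim: the tool sets aud to the URL it actually POSTs to,
# which includes the port when talking to a dev Canvas on :8080.
def tool_aud(scheme, host, port)
  "#{scheme}://#{host_with_port(scheme, host, port)}#{TOKEN_PATH}"
end

# Runs the audience check both ways for one deployment and returns the outcomes.
def check(scheme, host, port)
  aud = tool_aud(scheme, host, port)
  {
    buggy: aud_valid?(aud, expected_aud_buggy(scheme, host, port)),
    fixed: aud_valid?(aud, expected_aud_fixed(scheme, host, port)),
  }
end

if __FILE__ == $PROGRAM_NAME
  p check("http", "localhost", 8080)            # {:buggy=>false, :fixed=>true}
  p check("https", "canvas.example.edu", 443)   # {:buggy=>true, :fixed=>true}
end
```

On a default port both versions agree, which is why the bug only surfaces on local or proxied deployments that listen elsewhere.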

I'm getting the following in Step 3 of my LTI 1.3 launch. Canvas sends to my auth route after Steps 1 and 2, but I get the following sent instead of the JWT. FYI: in Step 2 I'm sending my redirect to my locally running instance of Canvas at http://localhost:3000/api/lti/authorize_redirect

{ utf8: '✓', authenticity_token: '4H41jdqtLGf2emGxLacfvB0vNvY4Mh61PxtHBJx57NCUT3jstvxCNY8wJtJ71VDlTGVslGhZKMZ2czRAqheG4A==', error: 'launch_no_longer_valid', error_description: 'The launch has either expired or already been consumed', state: '255e6d04-0aa7-40ff-830f-6781074beebc' }

Did this error happen to come up while you were setting up LTI 1.3?

drscottlobo, Apr 20 '22 21:04