canvas-lms icon indicating copy to clipboard operation
canvas-lms copied to clipboard

Published 20 hours ago verified publisher icon instructure

Not changing the lti_iss parameter in config/security.yml may violate the LTI 1.3 spec

Open Dantemss opened this issue 4 years ago • 0 comments

Summary:

Currently, nowhere in this repository is it mentioned that users doing custom deployments of Canvas should change the lti_iss parameter in config/security.yml. As far as I understand, this is problematic because the LTI 1.3 spec on the tool side is supposed to use the issuer to find the platform registration. Specifically:

The IMS Security Framework spec (https://www.imsglobal.org/spec/security/v1p0/) mentions: The Tool must be given the Public Key and Issuer Identifier (issuer_id) for the Platform (using some out-of-band registration process). See 6. Key Management for more details on Key Management;, implying some mapping between the issuer and the public key, which is not possible if all Canvas deployments share the same issuer.

The same spec also says that Issuer Identifier is a Verifiable identifier for an Issuer. An Issuer Identifier is a case-sensitive URL, using the HTTPS scheme, that contains scheme, host, and optionally, port number, and path components, and no query or fragment components.. A fixed URL owned by Instructure is not really verifiable for other users doing the deployment independently.

This lead to Tsugi having to investigate special casing Canvas somehow to make the mapping work: https://github.com/tsugiproject/tsugi/issues/83 It's unclear to me what the resolution was in Tsugi's case. I think they may be using special URL's for Canvas with embedded identifiers.

Steps to reproduce:

  1. Create a new custom deployment of Canvas or use Docker
  2. Configure and launch an LTI 1.3 tool
  3. Notice that the LTI Issuer is still https://canvas.instructure.com in the request

Expected behavior:

I ask only for documentation. It's probably too late to fix existing deployments (attempting to change the issuer would likely break all LTI integrations), so everyone will likely be forced to continue supporting Canvas deployments with the same issuer, but there could at least be comments warning in the README, in config/security.yml.example and in the Docker script-generated config/security.yml to change the issuer when doing a brand new deployment. Documentation of what fields Canvas expects tools to use to distinguish between different Canvas deployments would also be nice.

Actual behavior:

Almost all Canvas deployments have the same LTI issuer.

Additional notes:

None

Dantemss avatar Sep 14 '21 16:09 Dantemss