
Dynamic Registration Uses Invalid Error Response Body

Open jsbass opened this issue 6 months ago • 1 comments

Summary:

Canvas's dynamic registration response does not match the LTI/OIDC specification for an error response to dynamic registration. OIDC Spec LTI Spec

Steps to reproduce:

  1. Use a tool dynamic registration endpoint that sends invalid parameters to the registration URL
  2. Receive error response from Canvas
  3. Observe that the response body does not match the expected parameters

Expected behavior:

A 400 HTTP Status Code with a JSON body formed with at least the following parameters:

{
    "error": "invalid_redirect_uri | invalid_client_metadata | *other_code*",
    "error_description": ""
}

Actual behavior:

A 422 HTTP Status Code with a JSON body as below:

{
    "errors": [""]
}

Additional notes:

Non-standard error codes and extra parameters are valid, but the message should at least have the expected parameters in the error response, as well as use the expected HTTP status code.

jsbass, Aug 10 '24 18:08
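A tool-side check for the two response shapes described in this issue, as an added example that is not part of the original issue or of Canvas's code. The function names and both sample responses are constructed here; the check follows the issue's expected behavior (status 400, `error` and `error_description` present) and leaves other codes and extra parameters alone.

```python
import json


def check_registration_error(status, body_text):
    """Return the deviations from the error response the issue expects."""
    problems = []
    if status != 400:
        problems.append(f"status is {status}, expected 400")
    try:
        body = json.loads(body_text)
    except ValueError:
        return problems + ["body is not valid JSON"]
    if not isinstance(body, dict):
        return problems + ["body is not a JSON object"]
    for field in ("error", "error_description"):
        if field not in body:
            problems.append(f"missing '{field}'")
        elif not isinstance(body[field], str):
            problems.append(f"'{field}' is not a string")
    if body.get("error") == "":
        problems.append("'error' is empty")
    return problems


def normalize_error(body_text):
    """Map either body shape to (code, description) for the tool's own logs."""
    try:
        body = json.loads(body_text)
    except ValueError:
        return "unparseable", ""
    if not isinstance(body, dict):
        return "unparseable", ""
    if isinstance(body.get("error"), str) and body["error"]:
        return body["error"], str(body.get("error_description", ""))
    # Shape reported in the issue: {"errors": [...]} carries no error code.
    messages = body.get("errors")
    if not isinstance(messages, list):
        messages = []
    return "unspecified", "; ".join(str(m) for m in messages)


# Constructed samples: the expected shape and the shape the issue reports.
EXPECTED = (400, '{"error": "invalid_client_metadata", "error_description": "constructed sample"}')
ACTUAL = (422, '{"errors": ["constructed sample message"]}')

if __name__ == "__main__":
    for status, text in (EXPECTED, ACTUAL):
        print(status, check_registration_error(status, text), normalize_error(text))
```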