Separate the LTI 1.3 access token audience and URL.

This adds a new LTI 1.3 authentication parameter named `$LTI{v1p3}{AccessTokenAUD}`. This is used for the audience (`aud`) in the signed JWT that is sent when requesting an access token from the LMS. This access token is used for grade passback. Previously the `$LTI{v1p3}{AccessTokenURL}` was used for both the audience and the actual URL that the access token request containing the signed JWT is sent to. I suspect that the audience and the URL may not be the same for all LMS's. They are the same for Moodle. These also needed to be the same for testing on my local Canvas instance. However, @Alex-Jordan showed me some information from D2L that indicates these are different there. I suspect these may need to be different for Canvas in production as well.
openwebwork · Feb 29, 2024 · da41969 · da41969
1 parent b3ec23e
commit da41969
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 1 deletion.
diff --git a/conf/authen_LTI_1_3.conf.dist b/conf/authen_LTI_1_3.conf.dist
@@ -100,6 +100,7 @@ $LTI{v1p3}{ClientID}        = '';
 $LTI{v1p3}{DeploymentID}    = '';
 $LTI{v1p3}{PublicKeysetURL} = '';
 $LTI{v1p3}{AccessTokenURL}  = '';
+$LTI{v1p3}{AccessTokenAUD}  = '';
 $LTI{v1p3}{AuthReqURL}      = '';
 
 # In the process of LTI 1.3 authentication a request is sent to the LMS in response to its

diff --git a/lib/WeBWorK/Authen/LTIAdvantage/SubmitGrade.pm b/lib/WeBWorK/Authen/LTIAdvantage/SubmitGrade.pm
@@ -137,7 +137,7 @@ async sub get_access_token ($self) {
 	my $jwt = eval {
 		encode_jwt(
 			payload => {
-				aud => $ce->{LTI}{v1p3}{AccessTokenURL},
+				aud => $ce->{LTI}{v1p3}{AccessTokenAUD},
 				iss => $c->url_for('root')->to_abs->to_string,
 				sub => $ce->{LTI}{v1p3}{ClientID},
 				jti => $private_key->{kid}