From da41969ca2ec198336a77ed82f34259f994f8848 Mon Sep 17 00:00:00 2001
From: Glenn Rice
Date: Mon, 26 Feb 2024 17:07:48 -0600
Subject: [PATCH] Separate the LTI 1.3 access token audience and URL.

This adds a new LTI 1.3 authentication parameter named `$LTI{v1p3}{AccessTokenAUD}`. This is used for the audience (`aud`) in the signed JWT that is sent when requesting an access token from the LMS. This access token is used for grade passback. Previously the `$LTI{v1p3}{AccessTokenURL}` was used for both the audience and the actual URL that the access token request containing the signed JWT is sent to. I suspect that the audience and the URL may not be the same for all LMS's. They are the same for Moodle. These also needed to be the same for testing on my local Canvas instance. However, @Alex-Jordan showed me some information from D2L that indicates these are different there. I suspect these may need to be different for Canvas in production as well.
---
 conf/authen_LTI_1_3.conf.dist | 1 +
 lib/WeBWorK/Authen/LTIAdvantage/SubmitGrade.pm | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/conf/authen_LTI_1_3.conf.dist b/conf/authen_LTI_1_3.conf.dist
index 7d5a668b9c..584d601a3a 100644
--- a/conf/authen_LTI_1_3.conf.dist
+++ b/conf/authen_LTI_1_3.conf.dist
@@ -100,6 +100,7 @@ $LTI{v1p3}{ClientID} = '';
 $LTI{v1p3}{DeploymentID} = '';
 $LTI{v1p3}{PublicKeysetURL} = '';
 $LTI{v1p3}{AccessTokenURL} = '';
+$LTI{v1p3}{AccessTokenAUD} = '';
 $LTI{v1p3}{AuthReqURL} = '';
 
 # In the process of LTI 1.3 authentication a request is sent to the LMS in response to its
diff --git a/lib/WeBWorK/Authen/LTIAdvantage/SubmitGrade.pm b/lib/WeBWorK/Authen/LTIAdvantage/SubmitGrade.pm
index b5f89e5a90..f62e9b3629 100644
--- a/lib/WeBWorK/Authen/LTIAdvantage/SubmitGrade.pm
+++ b/lib/WeBWorK/Authen/LTIAdvantage/SubmitGrade.pm
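Review bot: The added `$LTI{v1p3}{AccessTokenAUD} = '';` line in conf/authen_LTI_1_3.conf.dist carries no explanation of what an administrator should enter, and the name alone does not say how it differs from `AccessTokenURL`. Any documentation block for these parameters would sit above the hunk, so it may exist out of view, but a short comment beside the setting would help, for example `# Audience (aud claim) of the signed JWT sent when requesting an access token; for some LMSs this is the same as AccessTokenURL.` Because this is the value the LMS is expected to validate on the client assertion, the comment should also say that it must be taken from the LMS's own LTI 1.3 documentation rather than guessed.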
@@ -137,7 +137,7 @@ async sub get_access_token ($self) {
 my $jwt = eval {
 encode_jwt(
 payload => {
- aud => $ce->{LTI}{v1p3}{AccessTokenURL},
+ aud => $ce->{LTI}{v1p3}{AccessTokenAUD},
 iss => $c->url_for('root')->to_abs->to_string,
 sub => $ce->{LTI}{v1p3}{ClientID},
 jti => $private_key->{kid}
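Review bot: The new `aud` line in get_access_token reads `$ce->{LTI}{v1p3}{AccessTokenAUD}` with no fallback, and the distributed default for that setting is the empty string, so a site that upgrades without setting the new value would sign its client-assertion JWT with an empty or undefined audience. The LMS token endpoint will most likely reject such an assertion, which would stop grade passback until the setting is filled in. Consider keeping the previous behaviour as the default, `aud => $ce->{LTI}{v1p3}{AccessTokenAUD} || $ce->{LTI}{v1p3}{AccessTokenURL},`, or refusing to build the JWT and logging a clear configuration error when the value is empty. The body of get_access_token and the surrounding `eval` block continue outside this hunk.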