When I create an LTI 1.3 resource and launch it, it is supposed to go through several distinct phases:
- OIDC Login
- Post to a resource URI to the pre-registered redirect endpoint
And this works fine in the browser and the Android app.
However, in the iOS app (3.9.4) running against the server (MoodleCloud LTS 3.9.2), the app only issues a single POST directly to the resource URI, which is incorrect. The POST should be to the redirect endpoint; however, it is also skipping the OIDC login flow.
Because the flow is skipping the OIDC flow, it is potentially posting sensitive data out to an unknown endpoint, so I am labeling this a 'serious security issue'.
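To make the two-phase flow concrete from the tool's side, here is an added example (not code from the report or from Moodle) of a minimal LTI 1.3 tool that only accepts a launch POST on its pre-registered redirect endpoint when a matching OIDC login initiation preceded it. The issuer, client id and URIs are constructed values, and the id_token is represented by its claims, assumed to have already been signature-verified by a JWT library.

```python
import secrets
from dataclasses import dataclass, field

# Constructed values for this example: a hypothetical platform and tool.
PLATFORM_ISSUER = "https://example-platform.invalid"
TOOL_CLIENT_ID = "tool-client-id-example"
REDIRECT_URI = "https://tool.example.invalid/lti/launch"   # pre-registered redirect endpoint
RESOURCE_URI = "https://tool.example.invalid/resource/42"  # the resource itself, not a launch endpoint


@dataclass
class LtiTool:
    """Minimal model of the tool side of an LTI 1.3 launch."""
    pending: dict = field(default_factory=dict)  # state -> nonce issued during OIDC login

    def oidc_login(self, iss: str, login_hint: str, target_link_uri: str) -> dict:
        """Phase 1: the platform hits the tool's OIDC login initiation endpoint.
        The tool mints state and nonce and returns the parameters it redirects
        back to the platform's authentication endpoint with."""
        if iss != PLATFORM_ISSUER:
            raise ValueError("unknown issuer")
        state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.pending[state] = nonce
        return {"client_id": TOOL_CLIENT_ID, "redirect_uri": REDIRECT_URI,
                "state": state, "nonce": nonce, "login_hint": login_hint,
                "response_type": "id_token", "response_mode": "form_post",
                "scope": "openid", "target_link_uri": target_link_uri}

    def launch(self, post_to: str, form: dict, claims: dict) -> bool:
        """Phase 2: the platform form-posts id_token + state to the redirect endpoint.
        `claims` are the id_token claims, assumed already signature-verified."""
        if post_to != REDIRECT_URI:
            return False                     # posted somewhere other than the registered endpoint
        nonce = self.pending.pop(form.get("state", ""), None)
        if nonce is None:
            return False                     # no matching OIDC login: flow skipped or state replayed
        return (claims.get("iss") == PLATFORM_ISSUER
                and claims.get("aud") == TOOL_CLIENT_ID
                and claims.get("nonce") == nonce)
```

A launch that arrives as a single POST, as described for the iOS app, has no pending state and is rejected; so is a second POST reusing the same state.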