[MOBILE-3706] iOS Native app not processing LTI 1.3 launch correctly - Moodle Tracker

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Minor
Resolution: Duplicate
Affects Version/s: 3.9.4
Fix Version/s: None
Component/s: External tool (IMS-LTI)
Labels:
- triaged

Affected Branches:
MOODLE_39_STABLE

Sprint:
Moodle App 3.9.5

Description

When I create an LTI 1.3 resource and launch it is supposed to go thru several distinct phases

OIDC Login
Post to a resource URI to the pre-registered redirect endpoint

And this works fine in the browser and the android app.

However in the iOS app (3.9.4) running against the server (moodlecloud LTS 3.9.2 )

the app only issues a single POST directly to the resource URI, which is incorrect. The POST should be to the redirect endpoint, however it is also skipping the OIDC login flow.

Because the flow is skipping the OIDC flow, it is potentially posting sensitive data out to an unknown endpoint so I am labeling this a a 'serious security issue'

Attachments

Issue Links

will be (partly) resolved by

MOBILE-3724 Fix LTI 1.3 launch in the app

Closed

Activity

People

Assignee:: Unassigned

Reporter:: Peter Franza

Participants:: Dani Palou, Jake Dallimore, Juan Leyva, Peter Franza

Component watchers:

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 18/Feb/21 3:54 AM

Updated:: 29/Apr/21 5:59 PM

Resolved:: 24/Mar/21 12:32 AM