LTI Reference Implementation: Deep Linking Nonce Incorrect?

In Figure 7 of the LTI Security spec, it shows that the Tool should create the State and Nonce. Furthermore, the nonce section states:

REQUIRED. String value used to associate a Client session with an ID Token, and to mitigate replay attacks. The value is passed through unmodified from the Authentication Request to the ID Token.

When I perform a basic launch from the reference platform to my tool, everything works as expected. The Nonce I set from my tool is properly passed on in the id_token.

When I try to perform a Deep Link Launch request to my tool, that does not appear to happen. Some different nonce is appearing in the id_token, as if the platform is generating a new nonce instead of passing on what the tool provided.

Example:
Basic Launch

  • Nonce generated by my tool: 977ee0363ce67323b9aff5222b36689071107707807e2809715a9162638d61d2
  • Nonce shown in JWT attributes of upcoming request: 977ee0363ce67323b9aff5222b36689071107707807e2809715a9162638d61d2

So all looks good.

Deep Linking Launch

  • Nonce generated by my tool: 2c16f6dcaa79b82f5b46532b36f460ec962dd2a0525c74562d46840141c0bc85
  • Nonce shown in JWT attributes of upcoming request: 19041fabd896ac95897a

As you can see, these do not match. Shouldn't the nonce be passed through unaltered, just like in the basic launch? Or am I missing something?

Thanks!
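The behaviour the post expects (nonce passed through unmodified from the Authentication Request to the ID Token, so the tool can tie the id_token back to the session it started and reject replays) is what the tool-side check below implements. This is an added example, not code from the forum post or from the LTI reference implementation. It assumes an in-memory `PENDING` store and the hypothetical functions `build_auth_request` and `check_launch`; signature and issuer/audience validation of the id_token are assumed to have happened before `check_launch` is called. The mismatched deep-linking nonce value from the post is reused as constructed sample input.

```python
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed in-memory store of pending launches keyed by state.
# A real tool would keep this server-side (session, cache, database).
PENDING: Dict[str, Dict] = {}

# Seconds after which an unanswered authentication request is discarded.
LOGIN_TTL = 300


def build_auth_request(login_hint: str, lti_message_hint: Optional[str] = None,
                       now: Optional[float] = None) -> Dict[str, str]:
    """Create state and nonce for the OIDC login redirect and remember both.

    The platform must echo `state` back on the POST to the launch URL and
    must copy `nonce` unchanged into the id_token; that is what `check_launch`
    later verifies.
    """
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_hex(32)
    PENDING[state] = {"nonce": nonce, "created": now if now is not None else time.time()}
    params = {
        "response_type": "id_token",
        "response_mode": "form_post",
        "scope": "openid",
        "prompt": "none",
        "login_hint": login_hint,
        "state": state,
        "nonce": nonce,
    }
    if lti_message_hint is not None:
        # Carried through for deep-linking style launches initiated by the platform.
        params["lti_message_hint"] = lti_message_hint
    return params


def check_launch(state: str, claims: Dict, now: Optional[float] = None) -> Tuple[bool, str]:
    """Tie a signature-verified id_token back to the launch that requested it.

    Returns (ok, reason). The pending entry is consumed on every lookup, so a
    replayed id_token for the same state is rejected whatever its nonce says,
    and a platform-generated nonce (the deep-linking symptom in the post) is
    reported as a mismatch rather than silently accepted.
    """
    now = now if now is not None else time.time()
    pending = PENDING.pop(state, None)
    if pending is None:
        return False, "unknown or already used state"
    if now - pending["created"] > LOGIN_TTL:
        return False, "login expired"
    received = claims.get("nonce")
    if not isinstance(received, str):
        return False, "id_token has no string nonce claim"
    expected = pending["nonce"]
    if not secrets.compare_digest(expected, received):
        return False, f"nonce mismatch: expected {expected[:8]}..., got {received[:8]}..."
    return True, "ok"


def simulate_launches() -> Dict[str, Tuple[bool, str]]:
    """Run the two scenarios from the post plus a replay, using constructed claims."""
    results = {}
    # Basic launch: platform copies the nonce through unchanged.
    basic = build_auth_request("user-123")
    results["basic"] = check_launch(basic["state"], {"nonce": basic["nonce"]})
    # Replay of the same id_token: the state was already consumed.
    results["replay"] = check_launch(basic["state"], {"nonce": basic["nonce"]})
    # Deep linking launch as described in the post: a different nonce comes back.
    deep = build_auth_request("user-123", lti_message_hint="deep-link-hint")
    results["deep_link"] = check_launch(deep["state"], {"nonce": "19041fabd896ac95897a"})
    return results


if __name__ == "__main__":
    for name, (ok, reason) in simulate_launches().items():
        print(f"{name:10s} ok={ok} reason={reason}")
```

The lookup pops the state before any comparison, so a tool that logs the returned reason gets a distinct signal for each failure mode: an unknown state points at replay or a stale session, an expired login at a slow or stuck redirect, and a nonce mismatch at exactly the platform behaviour the post describes.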