
Reference Implementation - Incorrect Nonce

The security spec says that the nonce is supposed to be passed through unmodified from the authentication request to the ID token. When I do an OIDC deep link launch, the nonce in the ID token is different from what my tool sent in the authentication request. Why is this?

I brought this up a year ago - they responded yesterday and indicated it has not yet been addressed.

We had to temporarily disable nonce validation in our tools when interfacing with the reference implementation to continue testing.

Good morning - this should be updated in the deployed instance here shortly (https://lti-ri.imsglobal.org/release_notes), can one of you test this and confirm it's good to go? Thanks

Nonce OK, deployment_id gone?

Hi There,

The nonce does seem to be working, thanks!

That being said, it appears the deployment_id is no longer present in the id_token. In the deep linking spec it shows it as a required field:

This is the id_token that was sent:

{
  "https://purl.imsglobal.org/spec/lti/claim/message_type": "LtiDeepLinkingRequest",
  "given_name": "Mario",
  "family_name": "Ritchie",
  "middle_name": "Bruen",
  "picture": "http://example.org/Mario.jpg",
  "email": "Mario.Ritchie@example.org",
  "name": "Mario Bruen Ritchie",
  "https://purl.imsglobal.org/spec/lti/claim/roles": [
    "http://purl.imsglobal.org/vocab/lis/v2/institution/person#Instructor"
  ],
  "https://purl.imsglobal.org/spec/lti/claim/role_scope_mentor": [
    "a62c52c02ba262003f5e"
  ],
  "https://purl.imsglobal.org/spec/lti/claim/context": {
    "id": "13272",
    "label": "Course1",
    "title": "Course 1",
    "type": [
      "Course "
    ]
  },
  "https://purl.imsglobal.org/spec/lti/claim/tool_platform": {
    "name": "Geoff-Test",
    "contact_email": "",
    "description": "",
    "url": "",
    "product_family_code": "",
    "version": "1.0",
    "guid": 1303
  },
  "https://purl.imsglobal.org/spec/lti-dl/claim/deep_linking_settings": {
    "accept_types": [
      "link",
      "file",
      "html",
      "ltiResourceLink",
      "image"
    ],
    "accept_media_types": "image/*,text/html",
    "accept_presentation_document_targets": [
      "iframe",
      "window",
      "embed"
    ],
    "accept_multiple": true,
    "auto_create": true,
    "title": "This is the default title",
    "text": "This is the default text",
    "data": "Some random opaque data that MUST be sent back",
    "deep_link_return_url": "https://lti-ri.imsglobal.org/platforms/1303/contexts/13272/deep_links"
  },
  "iss": "https://lti-ri.imsglobal.org",
  "aud": "123456",
  "iat": 1600832904,
  "exp": 1600833204,
  "sub": "5c0cab7af4fe942def14",
  "nonce": "313fa1669046f33954f0f905fb4d7a59499864f541e740209d93572dd141f8f2",
  "https://purl.imsglobal.org/spec/lti/claim/version": "1.3.0",
  "locale": "en-US",
  "https://purl.imsglobal.org/spec/lti/claim/launch_presentation": {
    "document_target": "iframe",
    "height": 320,
    "width": 240
  },
  "https://www.example.com/extension": {
    "color": "violet"
  },
  "https://purl.imsglobal.org/spec/lti/claim/custom": {
    "myCustomValue": "123"
  },
  "https://purl.imsglobal.org/spec/lti/claim/target_link_uri": ""
}

And I can validate that my application found it to be missing.

Additionally, when setting up the platform it asks for the audience, however, that field actually fills out the issuer claim - seems confusing?

Thanks!
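The two problems raised in this thread (the nonce not coming back unmodified in the id_token, and deployment_id missing from a deep linking request) are both things a tool should catch in its own launch validation rather than work around by disabling checks. The following is an added example, not code from the thread, from IMS, or from the reference implementation. It shows a tool-side validator that verifies the token signature first, then checks iss, aud and the time window, then requires that the nonce match one the tool itself issued for an outstanding authentication request (consumed on first use so a replay fails), and finally checks the LTI claims the spec requires, including deployment_id. For self-containment it uses an HS256 shared key (real LTI 1.3 platforms sign with RS256 and publish a JWKS, so a real tool would verify against that instead); the issuer and client_id constants, the shared key, and the deployment_id value "1" are assumptions, and the sample claims are constructed from the posted token.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, List, Optional

LTI = "https://purl.imsglobal.org/spec/lti/claim/"
LTI_DL = "https://purl.imsglobal.org/spec/lti-dl/claim/"

# Assumed platform registration the tool keeps on file (values modelled on the thread).
PLATFORM_ISSUER = "https://lti-ri.imsglobal.org"
TOOL_CLIENT_ID = "123456"
SHARED_KEY = b"example-hs256-key-not-real"  # assumption: HS256 stands in for RS256+JWKS


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict, key: bytes) -> str:
    """Mint a compact JWT the way the (hypothetical) platform side would."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"


def verify_hs256(token: str, key: bytes) -> dict:
    """Check the signature before trusting any claim; raise if it does not verify."""
    head, body, sig = token.split(".")
    want = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, _b64url_decode(sig)):
        raise ValueError("id_token signature does not verify")
    return json.loads(_b64url_decode(body))


class NonceStore:
    """Nonces this tool generated for outstanding authentication requests.
    A nonce is accepted exactly once, and only before it expires."""

    def __init__(self, ttl_seconds: int = 300):
        self.ttl = ttl_seconds
        self._issued: Dict[str, float] = {}

    def issue(self, now: Optional[float] = None) -> str:
        nonce = secrets.token_hex(32)  # 64 hex chars, like the nonce in the posted token
        self._issued[nonce] = (now if now is not None else time.time()) + self.ttl
        return nonce

    def consume(self, nonce: str, now: Optional[float] = None) -> bool:
        expires = self._issued.pop(nonce, None)  # pop: a second presentation fails
        return expires is not None and (now if now is not None else time.time()) <= expires


def validate_launch(token: str, key: bytes, nonces: NonceStore, now: float) -> List[str]:
    """Return the list of validation failures; an empty list means accept the launch."""
    try:
        claims = verify_hs256(token, key)
    except ValueError as exc:
        return [str(exc)]
    errors: List[str] = []
    if claims.get("iss") != PLATFORM_ISSUER:
        errors.append("iss does not match the registered platform issuer")
    aud = claims.get("aud")
    if TOOL_CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        errors.append("aud does not contain this tool's client_id")
    if not (claims.get("iat", 0) - 60 <= now <= claims.get("exp", 0)):
        errors.append("token is expired or not yet valid")
    # The nonce must come back exactly as the tool sent it, and only once.
    nonce = claims.get("nonce")
    if not nonce or not nonces.consume(nonce, now):
        errors.append("nonce missing, altered, expired, or already used")
    # Claims LTI 1.3 requires on every launch message, deployment_id included.
    for name in ("message_type", "version", "deployment_id", "roles"):
        if LTI + name not in claims:
            errors.append(f"required claim {LTI}{name} is missing")
    if claims.get(LTI + "message_type") == "LtiDeepLinkingRequest":
        settings = claims.get(LTI_DL + "deep_linking_settings") or {}
        if not settings.get("deep_link_return_url"):
            errors.append("deep_link_return_url missing from deep_linking_settings")
    return errors


def sample_payload(nonce: str, now: float, with_deployment_id: bool) -> dict:
    """Constructed claims modelled on the id_token posted in the thread."""
    claims = {
        "iss": PLATFORM_ISSUER, "aud": TOOL_CLIENT_ID,
        "iat": int(now), "exp": int(now) + 300, "sub": "5c0cab7af4fe942def14",
        "nonce": nonce,
        LTI + "message_type": "LtiDeepLinkingRequest",
        LTI + "version": "1.3.0",
        LTI + "roles": ["http://purl.imsglobal.org/vocab/lis/v2/institution/person#Instructor"],
        LTI_DL + "deep_linking_settings": {
            "accept_types": ["ltiResourceLink"],
            "deep_link_return_url": "https://lti-ri.imsglobal.org/platforms/1303/contexts/13272/deep_links",
        },
    }
    if with_deployment_id:
        claims[LTI + "deployment_id"] = "1"  # assumption: the posted token carried no value
    return claims


if __name__ == "__main__":
    store, now = NonceStore(), time.time()
    sent = store.issue(now)  # nonce placed in the tool's authentication request
    token = sign_hs256(sample_payload(sent, now, with_deployment_id=False), SHARED_KEY)
    print(validate_launch(token, SHARED_KEY, store, now))
```

Run as a script it reports the deployment_id failure for a token shaped like the one posted above; a token whose nonce the platform altered, or the same token presented a second time, fails the nonce check, and a token carrying deployment_id passes cleanly.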