
Date Published: Apr 16,2025 Category: Planned_First_Fix_Release:Future_Reference_Learn; Product:Blackboard_Learn_MH,Blackboard_Learn_SaaS,Blackboard_Learn_Software; Version:X3900_112_0,X3900_114_0,X3900_116_0,X3900_118_0 Article No.: 000090618
Producto: Learn SaaS
Versión: SaaS
Paquetes de servicio: 3900.112.0, 3900.114.0, 3900.116.0, 3900.118.0
Descripción:
The dynamic registration for LTI in the developer portal has several compliance issues with the 1EdTech standard, including incorrect metadata (e.g., wrong issuer, missing required fields, and unsupported signing algorithms). Additionally, the registration token does not expire as expected.
Pasos para repetir:
Needs to be replicated by a Developer who can create LTI tools.
As a reference, look at the JSON exposed below:
{"issuer":"https://blackboard.com","authorization_endpoint":"https://developer.blackboard.com/api/v1/gateway/oidcauth","token_endpoint":"https://developer.blackboard.com/api/v1/gateway/oauth2/jwttoken","token_endpoint_auth_methods_supported":["private_key_jwt"],"token_endpoint_auth_signing_alg_values_supported":["RS256","RS512"],"jwks_uri":"https://developer.blackboard.com/.well-known/jwks.json","registration_endpoint":"https://developer.blackboard.com/api/v1/gateway/registerLti?registrationToken=75707671-2597-43c6-8a67-58ae77da6018","scopes_supported":["openid","URL/spec/lti-gs/scope/contextgroup.readonly","URL/spec/lti-ags/scope/lineitem","URL/spec/lti-ags/scope/result.readonly","URL/spec/lti-ags/scope/score","URL/spec/lti-reg/scope/registration"],"response_types_supported":["id_token"],"subject_types_supported":["public","pairwise"],"id_token_signing_alg_values_supported":["RS256","RS512"],"claims_supported":["sub","iss","name","given_name","family_name","nickname","picture","email","locale"],"URL/spec/lti-platform-configuration":{"product_family_code":"BlackboardLearn","messages_supported":[{"type":"LtiResourceLinkRequest"},{"type":"LtiDeepLinkingRequest"},{"type":"ContextLaunchRequest"}],"variables":[]}}
- The issuer in the Metadata exposed is https://developer.blackboard.com, instead it should be https://blackboard.com as shown by the dev portal itself in the manual configuration.
- In the claim "URL/spec/lti-platform-configuration" the "version" attribute is missing, but it is compulsory. It can be also a static string like "cloud".
- In the claim “id_token_signing_alg_values_supported” there is the wrong value “RS512”, since you currently expose only RS256 keys: https://developer.blackboard.com/.well-known/jwks.json instead in the claim "token_endpoint_auth_signing_alg_values_supported" both values are correct, since also RS512 is supported for using the LTI Services via the dedicated token
- The Registration Token should be a one-off token, or at least expire after a reasonable amount of time. Instead, the developer portal always accepts it.
Versión de destino: Future Reference