Service Pack(s):
3900.112.0, 3900.114.0, 3900.116.0, 3900.118.0
Description:
The dynamic registration for LTI in the developer portal has several compliance issues with the 1EdTech standard, including incorrect metadata (e.g., wrong issuer, missing required fields, and unsupported signing algorithms). Additionally, the registration token does not expire as expected.
Steps to Repeat:
Needs to be replicated by a Developer who can create LTI tools.
As a reference, look at the JSON exposed below:
{
  "issuer": "https://blackboard.com",
  "authorization_endpoint": "https://developer.blackboard.com/api/v1/gateway/oidcauth",
  "token_endpoint": "https://developer.blackboard.com/api/v1/gateway/oauth2/jwttoken",
  "token_endpoint_auth_methods_supported": ["private_key_jwt"],
  "token_endpoint_auth_signing_alg_values_supported": ["RS256", "RS512"],
  "jwks_uri": "https://developer.blackboard.com/.well-known/jwks.json",
  "registration_endpoint": "https://developer.blackboard.com/api/v1/gateway/registerLti?registrationToken=75707671-2597-43c6-8a67-58ae77da6018",
  "scopes_supported": [
    "openid",
    "URL/spec/lti-gs/scope/contextgroup.readonly",
    "URL/spec/lti-ags/scope/lineitem",
    "URL/spec/lti-ags/scope/result.readonly",
    "URL/spec/lti-ags/scope/score",
    "URL/spec/lti-reg/scope/registration"
  ],
  "response_types_supported": ["id_token"],
  "subject_types_supported": ["public", "pairwise"],
  "id_token_signing_alg_values_supported": ["RS256", "RS512"],
  "claims_supported": ["sub", "iss", "name", "given_name", "family_name", "nickname", "picture", "email", "locale"],
  "URL/spec/lti-platform-configuration": {
    "product_family_code": "BlackboardLearn",
    "messages_supported": [
      {"type": "LtiResourceLinkRequest"},
      {"type": "LtiDeepLinkingRequest"},
      {"type": "ContextLaunchRequest"}
    ],
    "variables": []
  }
}
- The issuer in the exposed metadata is https://developer.blackboard.com; it should instead be https://blackboard.com, as shown by the dev portal itself in the manual configuration.
- In the claim "URL/spec/lti-platform-configuration" the "version" attribute is missing, but it is compulsory. It can also be a static string such as "cloud".
- In the claim "id_token_signing_alg_values_supported" the value "RS512" is wrong, since only RS256 keys are currently exposed at https://developer.blackboard.com/.well-known/jwks.json. In the claim "token_endpoint_auth_signing_alg_values_supported", by contrast, both values are correct, since RS512 is also supported for using the LTI Services via the dedicated token.
- The registration token should be a one-off token, or at least expire after a reasonable amount of time. Instead, the developer portal always accepts it.
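As an added example (not Blackboard's or 1EdTech's code), the following Python checks encode the four points above and run against the platform configuration quoted in this report. The JWKS is constructed to reflect the report's statement that only RS256 keys are published, the "URL/spec/..." claim name is kept exactly as it appears above, and the RegistrationTokens class is a hypothetical model of how a one-off, expiring registration token should behave.

```python
# Platform OpenID configuration from the report, abridged to the claims the checks use.
PLATFORM_CONFIG = {
    "issuer": "https://blackboard.com",
    "jwks_uri": "https://developer.blackboard.com/.well-known/jwks.json",
    "token_endpoint_auth_signing_alg_values_supported": ["RS256", "RS512"],
    "id_token_signing_alg_values_supported": ["RS256", "RS512"],
    "URL/spec/lti-platform-configuration": {
        "product_family_code": "BlackboardLearn",
        "messages_supported": [{"type": "LtiResourceLinkRequest"}],
        "variables": [],
    },
}
# Constructed JWKS standing in for the document at jwks_uri; the report says only RS256 keys are served.
JWKS = {"keys": [{"kty": "RSA", "kid": "key-1", "use": "sig", "alg": "RS256", "e": "AQAB", "n": "placeholder"}]}

PLATFORM_CLAIM = "URL/spec/lti-platform-configuration"  # claim name as it appears in the report

def check_platform_config(config, jwks, expected_issuer):
    """Return a list of compliance findings; an empty list means all checks passed."""
    findings = []
    if config.get("issuer") != expected_issuer:
        findings.append("issuer %r does not match expected %r" % (config.get("issuer"), expected_issuer))
    if "version" not in config.get(PLATFORM_CLAIM, {}):
        findings.append("lti-platform-configuration is missing the required 'version' attribute")
    # A tool can only verify id_tokens signed with algorithms for which the platform publishes keys
    # (simplification: this relies on each JWK carrying an 'alg' member).
    published_algs = {k.get("alg") for k in jwks.get("keys", [])}
    for alg in config.get("id_token_signing_alg_values_supported", []):
        if alg not in published_algs:
            findings.append("id_token alg %s advertised but no %s key in JWKS" % (alg, alg))
    return findings

class RegistrationTokens:
    """Hypothetical token store: tokens are single-use and expire ttl seconds after issue."""
    def __init__(self, ttl):
        self.ttl, self._issued = ttl, {}
    def issue(self, token, now):
        self._issued[token] = now
    def redeem(self, token, now):
        issued_at = self._issued.pop(token, None)  # pop makes the token one-off
        return issued_at is not None and now - issued_at <= self.ttl
```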