by Johannes Berg.
We're a tool provider utilizing LTI 1.3 and the integration has been working well in the Moodle web-interface. We've just been informed about a problem when using the Moodle app (iOS) and we've tracked it down to that the state parameter is missing in the launch procedure. More specifically the expected state parameter of the authentication response is missing (https://www.imsglobal.org/spec/security/v1p0/#step-3-authentication-response). Our tool then fails because it can't do the necessary CSRF token checks for the login. What can possibly cause the mobile app to not send the state parameter?
The problem is only appearing for one of our customers, when we test it ourselves in the Moodle app it behaves a bit differently and works. In our tests it seems it always launches the activity in normal Safari outside of the app while for the customer it seems to launch in-app. We've tried different settings but we've been unable to make it launch in-app (on web we can make it launch in iframes or in a new window but this doesn't seem to have any effect on the mobile app). What is controlling if it launches in-app or with the native browser? How can we make it launch in-app to potentially be able to reproduce the problem?
Our test instance of Moodle is 4.0.1+ (Build 20220527)
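The state check described in the post, sketched as an added example that is not part of the original post and not the poster's tool code: a tool-side validator for the step 3 authentication response that fails closed and records which piece was absent. The cookie name `lti_state`, the function names, the reason codes and the HMAC-signed cookie binding are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Hypothetical per-deployment secret; a real tool loads this from configuration.
SECRET = secrets.token_bytes(32)

def _tag(value):
    return hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()

def issue_state():
    """Step 2 (authentication request): return the state sent to the platform
    and the signed cookie value that binds it to this browser session."""
    state = secrets.token_urlsafe(32)  # URL-safe alphabet, never contains "."
    return state, f"{state}.{_tag(state)}"

def check_auth_response(form, cookies):
    """Step 3 (authentication response): validate the platform's POST.
    Returns (ok, reason) so a failed launch can be diagnosed from logs."""
    if "id_token" not in form:
        return False, "id_token_missing"
    state = form.get("state")
    if not state:
        return False, "state_param_missing"    # platform POST carried no state
    cookie = cookies.get("lti_state")          # assumed cookie name
    if not cookie:
        return False, "state_cookie_missing"   # browser context lost the cookie
    cookie_state, _, tag = cookie.rpartition(".")
    if not hmac.compare_digest(tag.encode(), _tag(cookie_state).encode()):
        return False, "state_cookie_tampered"
    if not hmac.compare_digest(state.encode(), cookie_state.encode()):
        return False, "state_mismatch"
    return True, "ok"

if __name__ == "__main__":
    # Constructed sample requests; the id_token value is a placeholder.
    state, cookie = issue_state()
    samples = {
        "web launch": ({"id_token": "<jwt>", "state": state}, {"lti_state": cookie}),
        "no state in POST": ({"id_token": "<jwt>"}, {"lti_state": cookie}),
        "no cookie": ({"id_token": "<jwt>", "state": state}, {}),
    }
    for name, (form, cookies) in samples.items():
        print(name, check_auth_response(form, cookies))
```

Logging the reason code for each launch separates a POST that arrived without `state` from a browser context that did not return the tool's cookie.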