by Jake Dallimore.
Just wanted to clarify that, to my knowledge, the earlier OAuth 1.0 session fixation problem you mentioned has no part to play with LTI 1.0 since LTI 1.0 doesn't involve user authorization flows. Also, at the time when LTI 1.0 arrived, OAuth 1.0a had already been released and was widely adopted anyway. If there were a problem, IMS would have included mitigation for that in the LTI spec (or an updated spec). I believe later-life LTI 1.0 and 1.1 did receive a security advisory around CSRF though, and I don't think Moodle adopted that particular update (1.1.2 and 1.0.1 - see https://www.imsglobal.org/spec/lti/security-update/v1p0#introduction-0).
Re the provider code ("Publish as LTI tool"), this feature (LTI 1.1 publication of tools) has been clearly marked as deprecated in Moodle's UI for quite a number of Moodle versions now. We probably do need to drop that from the platform entirely in future given sites have had ample time to upgrade to 1.3 by now.