OidcAuthenticator response is send to target_link_uri instead of redirect_uri

[martinclaus]

According to the LTI 1.3 specs, the out-of-band registration process includes registration of redirect uri provided by the tool. The authentication response shall be send only to one of those uri. The specific uri is provided by the tool via the redirect_uri parameter in the authentication request.

However, OidcAuthenticator is sending the authentication response to the target_link_uri, which is the uri to which the tool is supposed to redirect the user after validating the authentication response.

lib-lti1p3-core/src/Security/Oidc/OidcAuthenticator.php

Line 120 in d525604

$originalToken->getClaims()->getMandatory(LtiMessagePayloadInterface::CLAIM_LTI_TARGET_LINK_URI),

[isl-dbouman]

Ran in to this same issue, this is what fixed it for me:

Replace
$originalToken->getClaims()->getMandatory(LtiMessagePayloadInterface::CLAIM_LTI_TARGET_LINK_URI),
With
$registration->getTool()->getLaunchUrl(),

[mk-kialo]

We also have the same issue. @isl-dbouman do you maybe want to create a PR for this?