The Solution for Third-Party Cookies in LTI 1.3 Has Arrived

Mary Gwozdz,
Software Engineer

The 1EdTech (formerly IMS Global) Learning Tool Interoperability (LTI) standard’s latest version (LTI 1.3) has become the go-to method for integrating learning applications with Learning Management Systems (LMSs) such as Canvas, Blackboard, D2L Brightspace, Moodle, and Sakai. The LTI 1.3 Core specification outlines how to achieve seamless single sign-on (SSO) from an LMS into a learning application. In addition to the LTI 1.3 Core specification, LTI 1.3 also has several LTI Advantage specifications, which allow learning tools to fetch the entire class roster ad hoc from the LMS (via the LTI Advantage Names & Roles Provisioning Service), post grades to the LMS (via the LTI Advantage Assignments & Grades Service), and offer a custom user interface for instructors to insert links to their learning content directly into the LMS (LTI Advantage Deep Linking).

Unfortunately, as there has been a privacy move to block third-party cookies to prevent advertisers from tracking users, these integration standards have been caught in the crossfire. A third-party cookie is a cookie that is set by an application, such as a learning tool or an advertisement, running within an iframe of a parent application, such as an LMS or ecommerce website. Both the original LTI 1.3 Core and LTI Advantage Deep Linking specifications relied on the use of third-party cookies in order to complete the necessary security handshake for users to SSO into the learning tool’s user interface from within an iframe inside the LMS, without opening the tool in a new tab. Opening the tool in a new tab has long been the recommended workaround for this issue because it allows the learning tool to set first-party cookies to complete the SSO process instead of third-party cookies, circumventing their blockage. However, it is not possible to open LTI Advantage Deep Linking content selection menus in a new tab since they must always open within an iframe, and for many applications, users suffer a poorer user experience from going to a new tab.

Nonetheless, GDPR has cited third-party cookies as a privacy risk and has been pushing all browsers to block them. Safari was the first browser to block third-party cookies, which has already led to a great uptick in support cases regarding users reaching an error page when they try to click on LTI links within their LMS instead of being seamlessly presented with the application. As the other browsers follow suit to comply, unless LTI applications are prepared to stop using LTI Advantage Deep Linking and switch to opening in a new tab, instructors and students are at risk of not being able to access their favorite applications from within their LMS.

Luckily, 1EdTech has been aware of this looming issue for quite some time and has devised 3 new specifications to allow learning tools and LMSs to circumvent the usage of third-party cookies during LTI 1.3 Core resource link launches, as well as Deep Linking content picker launches. Within the past couple of months, 1EdTech has finally released these specifications to its members so they can begin implementing them in both tools and LMSs, and within the next couple of weeks, they are expected to become accessible to the public.

The LTI Third-Party Cookie Solution specifications are available to 1EdTech members here:

The solution consists of the LMS allowing the tool to use a JavaScript postMessage to access an additional iframe specifically for shared storage between the tool and LMS. These specifications also include a capabilities endpoint hosted by the LMS, which indicates to tools that it supports this additional iframe for shared storage, among other LTI functionalities. 1EdTech took great care to ensure that this solution maintained the high standards of security that LTI 1.3 is known for, ensuring that neither LTI Core resource link launches nor Deep Linking content picker launches can be spoofed on behalf of a user in another browser. A proof of concept for these specifications has been developed by Turnitin, Blackboard, D2L Brightspace, and others as the EdTech community rushes to ensure that learners don’t lose access to their products while maintaining the best user experience possible. The goal is to solicit implementation feedback through the current Candidate phase, and to plan for subsequent updates within the 1EdTech LTI certification tooling to include tests for this solution.
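To make the shared-storage idea concrete, here is an added sketch of the checks a tool would apply to storage-frame responses. It is not code from this post or from the 1EdTech specifications. The message subjects `lti.put_data` / `lti.get_data`, the field names, the `lti_state` key and the `lms.example.edu` origin are assumptions to confirm against the specifications, and the LMS frame is simulated so the flow runs outside a browser.

```javascript
const PLATFORM_ORIGIN = 'https://lms.example.edu'; // constructed sample origin
const KEY = 'lti_state';                           // constructed storage key

// Request the tool would send with storageFrame.postMessage(msg, PLATFORM_ORIGIN).
function buildRequest(subject, key, value, newId) {
  const msg = { subject, message_id: newId(), key };
  if (value !== undefined) msg.value = value;
  return msg;
}

// Accept a response only from the platform origin and only for our own request.
function acceptResponse(event, request) {
  if (!event || event.origin !== PLATFORM_ORIGIN) return null;  // wrong sender
  const d = event.data;
  if (!d || typeof d !== 'object' || d.error) return null;
  if (d.subject !== request.subject + '.response') return null; // unrelated message
  if (d.message_id !== request.message_id) return null;         // unsolicited reply
  return d.key === request.key ? d : null;
}

// Constructed stand-in for the LMS storage frame (a real one lives in the browser).
function fakePlatformFrame(origin) {
  const store = new Map();
  return (msg) => {
    if (msg.subject === 'lti.put_data') store.set(msg.key, msg.value);
    return { origin, data: { subject: msg.subject + '.response',
      message_id: msg.message_id, key: msg.key, value: store.get(msg.key) } };
  };
}

const defaultId = () => globalThis.crypto.randomUUID();

// Login step: keep a fresh state value in the LMS frame instead of a cookie.
function storeState(frame, newId = defaultId) {
  const state = 'state-' + newId();
  const put = buildRequest('lti.put_data', KEY, state, newId);
  return acceptResponse(frame(put), put) ? state : null;
}

// Launch step: read the value back and compare it with the state in the launch.
function verifyLaunch(frame, launchState, newId = defaultId) {
  const get = buildRequest('lti.get_data', KEY, undefined, newId);
  const res = acceptResponse(frame(get), get);
  return res !== null && typeof res.value === 'string' && res.value === launchState;
}
```

In a browser the same checks sit inside a `message` event listener, where `event.source` should also be compared with the storage frame's window.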

If you are an institution or school district that uses LTI tools, check with your vendor to see what plans they have for incorporating this new solution. If you are a tool or LMS vendor and you don’t have time to review all of these specifications, or don’t have time to implement this fix for all of the learners and instructors who rely on your learning tool or LMS, Unicon can help. Additionally, if you’re just getting started with LTI and are looking for some guidance on how to cut through the weeds of all these specifications to plan for and execute a solution that works for your needs, please reach out to us!

Mary Gwozdz

Software Engineer
Mary Gwozdz is a Software Engineer who has been with Unicon since 2017. While at Unicon, Ms. Gwozdz has impacted numerous learners by designing and developing software solutions for the California Community Colleges (CCC) Applications, Cisco Networking Academy, Lumen Learning, and others as well as assisting with SIS integrations to Instructure products such as Canvas. Ms. Gwozdz specializes in the LTI (Learning Tool Interoperability) specification from 1EdTech and is also knowledgeable in AWS architecture, Spring Boot REST web services, and other 1EdTech specifications such as Common Cartridge and OneRoster.