fix: Multiple bug fixes (#643)

* fix: ags result endpoint to work with or without ending slash

Fixes: #628

* fix: allow blank comment in scores api endpoint

Fixes: #637

* fix: use correct deep linking launch uri as target_link_uri

* fix: lint issues

* fix: use correct key-secret pair for lti 1.1

* fix: tests

* chore: bump version and update changelog

Author: navinkarkera

CHANGELOG.rst

@@ -16,6 +16,14 @@ Please See the `releases tab <https://github.com/openedx/xblock-lti-consumer/rel
 Unreleased
 ~~~~~~~~~~
 
+11.0.1 - 2026-04-23
+--------------------
+* Fix LTI 1.3 deep linking `target_link_uri` handling in both preflight and launch token generation.
+* Fix AGS results endpoint/serializer URL generation for optional `user_id`, including trailing-slash compatibility.
+* Allow AGS score `comment` to be blank and improve related API test coverage.
+* Use `get_lti_consumer()` OAuth credentials for LTI 1.1 signature/logging paths and align LTI 1.1 errors with shared `LtiError`.
+* Minor internal cleanup: public `get_lti_consumer()` rename, launch URL typing/casting, and fallback to block `lti_version` when config version is missing.
+
 11.0.0 - 2026-04-20
 --------------------
 * Split LTI 1.3 Configuration into Passport Model

lti_consumer/__init__.py

@@ -4,4 +4,4 @@
 from .apps import LTIConsumerApp
 from .lti_xblock import LtiConsumerXBlock
 
-__version__ = '11.0.0'
+__version__ = '11.0.1'

lti_consumer/api.py

@@ -107,7 +107,8 @@ def _get_or_create_local_lti_config(lti_version, block, config_store=LtiConfigur
     updates = {
         'config_store': config_store,
         'external_id': block.external_config,
-        'version': lti_version,
+        # fallback on block lti_version if lti_version is None
+        'version': lti_version or block.lti_version,
     }
     if passport:
         updates['lti_1p3_passport'] = passport

lti_consumer/lti_1p1/exceptions.py

@@ -1,9 +1,10 @@
 """
 Exceptions for the LTI1.1 Consumer.
 """
+from lti_consumer.exceptions import LtiError
 
 
-class Lti1p1Error(Exception):
+class Lti1p1Error(LtiError):
     """
     General error class for LTI1.1 Consumer usage.
     """

lti_consumer/lti_1p3/consumer.py

@@ -77,6 +77,15 @@ def __init__(
         # Extra claims - used by LTI Advantage
         self.extra_claims = {}
 
+    def _get_target_link_uri(self, launch_data):  # pylint: disable=unused-argument
+        """
+        Return the target_link_uri to use for the provided launch data.
+
+        Subclasses can override this to customize the target link selection for
+        different message types.
+        """
+        return self.launch_url
+
     @staticmethod
     def _get_user_roles(role):
         """
@@ -125,12 +134,14 @@ def prepare_preflight_url(
 
         oidc_url = self.oidc_url + "?"
 
+        target_link_uri = self._get_target_link_uri(launch_data)
+
         login_hint = user_id
         parameters = {
             "iss": self.iss,
             "client_id": self.client_id,
             "lti_deployment_id": self.deployment_id,
-            "target_link_uri": self.launch_url,
+            "target_link_uri": target_link_uri,
             "login_hint": login_hint,
             "lti_message_hint": launch_data_key,
         }
@@ -302,6 +313,7 @@ def set_custom_parameters(
     def get_lti_launch_message(
             self,
             include_extra_claims=True,
+            target_link_uri=None,
     ):
         """
         Build LTI message from class parameters
@@ -312,6 +324,8 @@ def get_lti_launch_message(
         # Start from base message
         lti_message = LTI_BASE_MESSAGE.copy()
 
+        target_link_uri = target_link_uri or self.launch_url
+
         # Add base parameters
         lti_message.update({
             # Issuer
@@ -329,7 +343,7 @@ def get_lti_launch_message(
             # Target Link URI: actual endpoint for the LTI resource to display
             # MUST be the same value as the target_link_uri passed by the platform in the OIDC login request
             # http://www.imsglobal.org/spec/lti/v1p3/#target-link-uri
-            "https://purl.imsglobal.org/spec/lti/claim/target_link_uri": self.launch_url,
+            "https://purl.imsglobal.org/spec/lti/claim/target_link_uri": target_link_uri,
         })
 
         # Check if user data is set, then append it to lti message
@@ -609,6 +623,19 @@ def lti_dl_enabled(self):
         else:
             return False
 
+    def _get_target_link_uri(self, launch_data):
+        """
+        Use the deep linking launch URL for deep linking requests.
+        """
+        if (
+            getattr(self, 'dl', None) and
+            launch_data and
+            getattr(launch_data, 'message_type', None) == 'LtiDeepLinkingRequest'
+        ):
+            return self.dl.deep_linking_launch_url
+
+        return super()._get_target_link_uri(launch_data)
+
     def enable_ags(
         self,
         lineitems_url,
@@ -663,12 +690,14 @@ def generate_launch_request(
 
         # Check if Deep Linking is enabled and that this is a Deep Link Launch
         if self.dl and launch_data.message_type == "LtiDeepLinkingRequest":
+            target_link_uri = self._get_target_link_uri(launch_data)
             # Validate preflight response
             self._validate_preflight_response(preflight_response)
 
             # Get LTI Launch Message
             lti_launch_message = self.get_lti_launch_message(
                 include_extra_claims=False,
+                target_link_uri=target_link_uri,
             )
 
             # Update message type to LtiDeepLinkingRequest,

lti_consumer/lti_1p3/extensions/rest_framework/serializers.py

@@ -125,7 +125,7 @@ class LtiAgsScoreSerializer(serializers.ModelSerializer):
     timestamp = serializers.DateTimeField(input_formats=[ISO_8601], format=ISO_8601, default_timezone=timezone.utc)
     scoreGiven = serializers.FloatField(source='score_given', required=False, allow_null=True, default=None)
     scoreMaximum = serializers.FloatField(source='score_maximum', required=False, allow_null=True, default=None)
-    comment = serializers.CharField(required=False, allow_null=True)
+    comment = serializers.CharField(required=False, allow_null=True, allow_blank=True)
     activityProgress = serializers.CharField(source='activity_progress')
     gradingProgress = serializers.CharField(source='grading_progress')
     userId = serializers.CharField(source='user_id')
@@ -193,14 +193,19 @@ class LtiAgsResultSerializer(serializers.ModelSerializer):
     comment = serializers.CharField()
 
     def get_id(self, obj):
+        """
+        Return result URL for score. Include user_id when score scoped to learner.
+        """
         request = self.context.get('request')
+        kwargs = {
+            'lti_config_id': obj.line_item.lti_configuration.id,
+            'pk': obj.line_item.pk,
+        }
+        if obj.user_id:
+            kwargs['user_id'] = obj.user_id
         return reverse(
             'lti_consumer:lti-ags-view-results',
-            kwargs={
-                'lti_config_id': obj.line_item.lti_configuration.id,
-                'pk': obj.line_item.pk,
-                'user_id': obj.user_id,
-            },
+            kwargs=kwargs,
             request=request,
         )
 

lti_consumer/lti_1p3/tests/test_consumer.py

@@ -28,7 +28,8 @@
 ISS = "http://test-platform.example/"
 OIDC_URL = "http://test-platform/oidc"
 LAUNCH_URL = "http://test-platform/launch"
-REDIRECT_URIS = [LAUNCH_URL]
+DEEP_LINK_LAUNCH_URL = "http://test-platform/deep_link_launch"
+REDIRECT_URIS = [LAUNCH_URL, DEEP_LINK_LAUNCH_URL]
 CLIENT_ID = "1"
 DEPLOYMENT_ID = "1"
 NONCE = "1234"
@@ -739,14 +740,14 @@ def _setup_deep_linking(self):
         """
         Set's up deep linking class in LTI consumer.
         """
-        self.lti_consumer.enable_deep_linking("launch-url", "return-url")
+        self.lti_consumer.enable_deep_linking(DEEP_LINK_LAUNCH_URL, "return-url")
 
         lti_message_hint = self._setup_lti_message_hint()
 
         # Set LTI Consumer parameters
         self.preflight_response = {
             "client_id": CLIENT_ID,
-            "redirect_uri": LAUNCH_URL,
+            "redirect_uri": DEEP_LINK_LAUNCH_URL,
             "nonce": NONCE,
             "state": STATE,
             "lti_message_hint": lti_message_hint,
@@ -819,6 +820,40 @@ def test_deep_linking_enabled_launch_request(self):
             "return-url"
         )
 
+    def test_deep_linking_preflight_uses_deep_link_launch_url(self):
+        """
+        Ensure deep linking launches send the deep linking launch URL as target_link_uri during login initiation.
+        """
+        self.lti_consumer.enable_deep_linking(DEEP_LINK_LAUNCH_URL, "return-url")
+        launch_data = Lti1p3LaunchData(
+            user_id="1",
+            user_role="student",
+            config_id="1",
+            resource_link_id="resource_link_id",
+            message_type="LtiDeepLinkingRequest",
+        )
+
+        preflight_request_data = self.lti_consumer.prepare_preflight_url(launch_data)
+        parameters = parse_qs(urlparse(preflight_request_data).query)
+
+        self.assertEqual(parameters['target_link_uri'][0], DEEP_LINK_LAUNCH_URL)
+
+    def test_deep_linking_launch_request_sets_target_link_uri(self):
+        """
+        Ensure the ID token for deep linking launches uses the deep linking launch URL as target_link_uri.
+        """
+        self._setup_deep_linking()
+
+        token = self.lti_consumer.generate_launch_request(
+            self.preflight_response,
+        )['id_token']
+
+        decoded_token = self.lti_consumer.key_handler.validate_and_decode(token)
+        self.assertEqual(
+            decoded_token['https://purl.imsglobal.org/spec/lti/claim/target_link_uri'],
+            DEEP_LINK_LAUNCH_URL,
+        )
+
     def test_deep_linking_token_decode_no_dl(self):
         """
         Check that trying to run the Deep Linking decoding fails if service is not set up.

lti_consumer/lti_xblock.py

@@ -1109,7 +1109,7 @@ def is_past_due(self):
             close_date = due_date
         return close_date is not None and timezone.now() > close_date
 
-    def _get_lti_consumer(self):
+    def get_lti_consumer(self):
         """
         Returns a preconfigured LTI consumer depending on the value.
 
@@ -1282,7 +1282,7 @@ def lti_launch_handler(self, request, suffix=''):  # pylint: disable=unused-argu
         Returns:
             webob.response: HTML LTI launch form
         """
-        lti_consumer = self._get_lti_consumer()
+        lti_consumer = self.get_lti_consumer()
 
         # Occassionally, users try to do an LTI launch while they are unauthenticated. It is not known why this occurs.
         # Sometimes, it is due to a web crawlers; other times, it is due to actual users of the platform. Regardless,
@@ -1385,7 +1385,7 @@ def lti_1p3_access_token(self, request, suffix=''):  # pylint: disable=unused-ar
 
         # Asserting that the consumer can be created. This makes sure that the LtiConfiguration
         # object exists before calling the Django View
-        assert self._get_lti_consumer()
+        assert self.get_lti_consumer()
         # Runtime import because this can only be run in the LMS/Studio Django
         # environments. Importing the views on the top level will cause RuntimeErorr
         from lti_consumer.plugin.views import access_token_endpoint  # pylint: disable=import-outside-toplevel
@@ -1441,12 +1441,11 @@ def result_service_handler(self, request, suffix=''):
         Returns:
             webob.response:  response to this request.  See above for details.
         """
-        lti_consumer = self._get_lti_consumer()
+        lti_consumer = self.get_lti_consumer()
         lti_consumer.set_outcome_service_url(self.outcome_service_url)
 
         if settings.DEBUG:
-            lti_provider_key, lti_provider_secret = self.lti_provider_key_secret
-            log_authorization_header(request, lti_provider_key, lti_provider_secret)
+            log_authorization_header(request, lti_consumer.oauth_key, lti_consumer.oauth_secret)
 
         if not self.accept_grades_past_due and self.is_past_due:
             return Response(status=404)  # have to do 404 due to spec, but 400 is better, with error msg in body
@@ -1601,11 +1600,11 @@ def set_user_module_score(self, user, score, max_score, comment=''):
         self.module_score = scaled_score
         self.score_comment = comment
 
-    def _get_lti_launch_url(self, consumer):
+    def _get_lti_launch_url(self, consumer) -> str:
         """
         Return the LTI launch URL.
         """
-        launch_url = self.launch_url
+        launch_url = str(self.launch_url)
 
         # The lti_launch_url property only exists on the LtiConsumer1p1. The LtiConsumer1p3 does not have an
         # attribute with this name, so ensure that we're accessing it on the appropriate consumer class.
@@ -1758,7 +1757,7 @@ def _get_context_for_template(self):
         # Don't pull from the Django database unless the config_type is one that stores the LTI configuration in the
         # database.
         if self.config_type in ("database", "external"):
-            lti_consumer = self._get_lti_consumer()
+            lti_consumer = self.get_lti_consumer()
 
         launch_url = self._get_lti_launch_url(lti_consumer)
         lti_block_launch_handler = self._get_lti_block_launch_handler()

lti_consumer/outcomes.py

@@ -6,10 +6,12 @@
 """
 
 import logging
-from xml.sax.saxutils import escape
 from urllib.parse import unquote
+from xml.sax.saxutils import escape
 
+from django.conf import settings
 from lxml import etree
+
 try:
     from xblock.utils.resources import ResourceLoader
 except ModuleNotFoundError:  # For backward compatibility with releases older than Quince.
@@ -176,7 +178,13 @@ def handle_request(self, request):
             return response_xml_template.format(**failure_values)
 
         # Verify OAuth signing.
-        __, secret = self.xblock.lti_provider_key_secret
+        secret = self.xblock.get_lti_consumer().oauth_secret
+        if settings.DEBUG:
+            log.debug(
+                "[LTI]: verifying OAuth body signature for outcomes. service_url=%s request.url=%s",
+                self.xblock.outcome_service_url,
+                request.url,
+            )
         try:
             verify_oauth_body_signature(request, secret, self.xblock.outcome_service_url)
         except (ValueError, LtiError) as ex:

lti_consumer/plugin/views.py

@@ -748,7 +748,7 @@ def perform_create(self, serializer):
     @action(
         detail=True,
         methods=['GET'],
-        url_path='results/(?P<user_id>[^/.]+)?',
+        url_path=r'results(?:/(?P<user_id>[^/.]+))?/?',
         renderer_classes=[LineItemResultsRenderer],
         content_negotiation_class=IgnoreContentNegotiation,
     )