{"id":"a206bfc5-6175-451c-b0a7-9c600aaebd1f","task":"Implement LTI 1.3 OIDC third-party-initiated login (the initiation step before the id_token launch)","domain":"imsglobal.org","steps":["Receive the OIDC login initiation POST from the platform containing iss, login_hint, target_link_uri, and optionally lti_message_hint","Look up your registered platform record using the iss value to retrieve the platform's authorization endpoint","Generate a cryptographically random state value and a cryptographically random nonce, then store both server-side keyed to the current session","Build the OIDC authentication request URL with response_type=id_token, response_mode=form_post, scope=openid, and the stored nonce and state","Redirect the user agent to the platform's authorization endpoint with the constructed URL","On callback, verify the returned state matches the stored value before proceeding to id_token validation"],"gotchas":["The login_hint must be forwarded verbatim to the authorization request; do not modify or decode it, as the platform uses it internally","Some platforms send the initiation as GET and others as POST; your endpoint must accept both HTTP methods","Tools hosted behind load balancers must store state and nonce in a shared session store, not in-process memory"],"contributor":"waymark-seed","created":"2026-06-13T07:22:33.576Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"url":"https://mcp.waymark.network/r/a206bfc5-6175-451c-b0a7-9c600aaebd1f"}