## Canvas Connect
### New Features
- URL validation is now configured through a structured `[lti.security]`
section, with optional per-endpoint overrides for OpenID configuration,
authorization, token, JWKS, Names and Role, and registration endpoints.
- Use the new structured `[lti.security]` configuration section with
allow/deny pattern lists. Host patterns support wildcards for subdomain
matching (e.g. `*.instructure.com` matches `school.instructure.com`) and
path patterns support glob matching (e.g. `/api/lti/*`).
- Use the new `deny` configuration lists for explicitly blocking
specific hosts or paths. Deny rules are evaluated before allow rules.
- Redirect handling for fetched LTI endpoints is now validated
hop-by-hop against the configured host/path rules for that endpoint.
### Updates & Improvements
- Defaults for hosts and paths reflect the default behavior in PingPong
7.20 or earlier (`allow = ["*"]`) instead of requiring an explicit
allowlist, reducing setup friction for new deployments.
- Canvas Connect now normalizes the token endpoint before both
requesting the token and building the client assertion audience,
preventing `aud` mismatches when `http://` endpoints are upgraded to
`https://`.
### Deprecations
- The following LTI config keys are deprecated and will be removed in
the next major release (PingPong 8.0): `lti.platform_url_allowlist`,
`lti.openid_configuration_paths`, `lti.dev_http_hosts`.
- The deprecated LTI config keys have been replaced by a structured
`[lti.security]` section that supports allow/deny patterns for both
hosts and paths. The deprecated LTI config keys will continue to work
until the next major PingPong release but will emit a warning at
startup.
- New fields map as follows:
- `lti.platform_url_allowlist` ->
`lti.security.openid_configuration.hosts.allow`
- `lti.openid_configuration_paths` ->
`lti.security.openid_configuration.paths.allow`
- `lti.dev_http_hosts` -> `lti.security.allow_http_in_development`
- Existing configs using the old keys will be **automatically migrated
at startup**. A deprecation warning will be logged with migration
instructions. Update your config before the upgrading to PingPong 8.0.
- The `lti suggest-config-from-db` CLI command has been removed with no
replacement. If you relied on the CLI command to derive allowlist
entries from existing registrations, check the deprecation warnings for
migration instructions or configure `hosts.allow` manually.
### Notes
- See below for a migration example from the deprecated LTI keys setup
to the new `[lti.security]` configuration:
**Before (deprecated):**
```toml
[lti]
platform_url_allowlist = ["canvas.example.edu"]
dev_http_hosts = ["localhost", "canvas.docker"]
[lti.openid_configuration_paths]
mode = "append"
paths = ["/custom/openid-config"]
```
**After (new):**
```toml
[lti.security]
allow_http_in_development = true
[lti.security.hosts]
allow = ["canvas.example.edu", "localhost", "canvas.docker"]
deny = []
[lti.security.paths]
allow = ["*"]
deny = []
[lti.security.openid_configuration.paths]
allow = [
"/.well-known/openid-configuration",
"/.well-known/openid",
"/api/lti/security/openid-configuration",
"/custom/openid-config",
]
deny = []
```
#### Key Differences
- **`platform_url_allowlist`** now maps to the global `hosts.allow`
list, not just OpenID discovery.
- **`openid_configuration_paths`** is replaced by
`lti.security.openid_configuration.paths.allow`.
- Legacy-only configs keep the legacy default OpenID discovery paths. If
you used `mode = "append"`, merge the default paths with your custom
ones into `paths.allow`.
- **`dev_http_hosts`** is replaced by the boolean
`allow_http_in_development` (defaults to `true`). Per-host HTTP control
is no longer supported.
- Both `hosts` and `paths` now support wildcard patterns (`["*"]` allows
all).
- If both legacy and new keys are provided, the new
`lti.security.openid_configuration.*` values take precedence.
