I'm working on an assignment grading external tool for Canvas and got stuck when trying to access the LTI API.
The end goal is to save the student's result from the external tool in Canvas. Trying to achieve this with line items / LTI 1.3 Assignment and Grading Services.
After completing the OAuth2 Client Credentials Grant, the API does not accept my access_token.
When sending a GET request to https://canvas.example.com/api/lti/courses/7264/line_items
with the access_token as a bearer, I'm getting a response "Invalid access token format", even though the token is fresh and works with the API routes in this format: https://canvas.example.com/api/v1.
Strangely, when I enter a JWT id_token (sent to me by Canvas via the JWT authentication method) as a bearer for the same request, the error is no longer about the token format; the message returned is "Access token invalid - signature likely incorrect". However, the API documentation states that OAuth2 access_tokens, not id_tokens, should be used with AGS.
Thank you for any tips! Please let me know if you need additional information.
Are you sure that you used "grant_type=client_credentials" when you requested the token? If the token you have works with the Canvas API (as opposed to the LTI Advantage Services API), then it sounds like it was requested with "grant_type=code" or "grant_type=refresh_token" instead.
--Colin
@ImreKinnunen I'm also getting this same error. Could you provide us with the details on how you did the "OAuth2" openid workflow?
No @ColinMurtaugh
What we're doing is to upload the score to the gradebook assignment using the below API,
/api/lti/courses/:course_id/line_items/:line_item_id/scores
We manually generated an access token from the Canvas settings page. When we call the API with that access token we are getting,
@PraveenR wrote:
We manually generated an access token from the Canvas settings page.
Yeah - this will only work for calling the Canvas API, not LTI Advantage Services APIs. To call endpoints that start with "/api/lti/" you will need to follow the instructions on Accessing LTI Advantage Services. In particular, you will need to request an LTI access token using the client_credentials grant. All of this is tricky to get right; I would highly recommend seeking out an LTI 1.3 library if one exists for the language you are using.
--Colin
@ColinMurtaugh
When we hit the login/oauth2/token with grant_type as "client_credentials" we are getting the following error,
{"error":"invalid_scope","error_description":"A requested scope is invalid, unknown, malformed, or exceeds the scope granted by the resource owner. The following scopes were requested, but not granted: https://purl.imsglobal.org/spec/lti-ags/lineitem"}
It's hard to know what the problem is without seeing more of the request details, but have you granted access to any of the LTI Advantage services for this key? In the Canvas admin UI, in the details for your LTI key, you will need to enable at least some of these services:
Thank you for answering! I was indeed using "grant_type=authorization_code", and that's why the LTI Advantage API wasn't working.
I will try an implementation for "grant_type=client_credentials" and post results here @PraveenR
@PraveenR turns out you have to define the desired scopes in the client credentials grant request like so:
'scope' => 'https://purl.imsglobal.org/spec/lti-ags/scope/lineitem https://purl.imsglobal.org/spec/lti-ags/scope/result.readonly https://purl.imsglobal.org/spec/lti-ags/scope/score https://purl.imsglobal.org/spec/lti-nrps/scope/contextmembership.readonly',
hope this helps
Hello,
I am running into the same error.
When I test my tool with the IMS reference platform, everything works, but when I try it from Canvas, it fails with this error. I am stuck and I have no idea how to debug this. Can someone help?
This is my request:
require 'httparty'
require 'uri'

# Token endpoint (the same URL shown in the error output below)
url = 'https://canvas.instructure.com/login/oauth2/token'

# Send request to get access token
response = HTTParty.post(
  url,
  headers: {
    'Content-Type' => 'application/x-www-form-urlencoded',
    'Accept' => 'application/json;charset=UTF-8'
  },
  body: URI.encode_www_form(
    grant_type: 'client_credentials',
    client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
    client_assertion: 'eyJraWQiOiJreXJvbi1sZWFybmluZyIsImFsZyI6IlJTMjU2In0.eyJpc3MiOiIyNDk4NTAwMDAwMDAwMDAwMDUiLCJzdWIiOiIyNDk4NTAwMDAwMDAwMDAwMDUiLCJhdWQiOiJodHRwczovL2NhbnZhcy5pbnN0cnVjdHVyZS5jb20vbG9naW4vb2F1dGgyL3Rva2VuIiwiaWF0IjoxNzAzMTA4NTc2LCJqdGkiOiI3OTNkZmYxMy04YjMxLTQzYjktYTFjZS05Yjc2MWI4NjAxMzMiLCJleHAiOjE3MDMxMTIxNzZ9.okSdCC1bE2A0FIUkWf8GhUQIvsX0aUUUd6cVPjfsrYQm-X7qHLm6QKu1K9SNI0obY8T-KJaYHHIkxDLPBfuimFu0VT4TieTfNbv8Q9CqRUIFhlNqJCO9fezWfDcjtNJ0MaPhjm1WQ57g5tLjRleiW9aQmfnK6GeSiLBEuqDxJHX-ef72GaKUjWaVzHrSs9cTTuiKHg7lvadMt6Zpx9FmLKMyiQ7vJRE5UsEZrxIce5haNQG9XLIMyxva717NviHAkavXfZ1xzhRz20KO34GziyD0dGRMeMY27YiD9Pv4t5Sxsy3-ojv_sBiTXJlpyMY1CLV8mNcAEEowCjwTKLNt-A',
    scope: 'https://purl.imsglobal.org/spec/lti-ags/scope/lineitem https://purl.imsglobal.org/spec/lti-ags/scope/result/read'
  )
)
This is the body of the JWT:
Confirmed that `iss` and `sub` values are indeed the Developer Key I created
{
  "kid": "3OiWbsTpC4edFoJ",
  "alg": "RS256"
}
{
  "iss": "249850000000000005",
  "sub": "249850000000000005",
  "aud": "https://canvas.instructure.com/login/oauth2/token",
  "iat": 1703108576,
  "jti": "793dff13-8b31-43b9-a1ce-9b761b860133",
  "exp": 1703112176
}
And my JWKS URL returns exactly this:
{"keys":[{"kid":"3OiWbsTpC4edFoJ","kty":"RSA","alg":"RS256","use":"sig","e":"AQAB","n":"xdEkWy-P6btIQIBdddlcgjD5pdubB2gRlkMlFBVhSedcsUkX4OhHKmGFElFVNIcGeQjh2aO8MIuvlWegLLNHJtVB29mv-zJiCVNJ2a-_ecWVRPeyVMfkOJJHopWSv0tXTsKlRpm4lN0HA-J13Wd001Cbw67O5Ibm4v5ZgqWlwIPF1bpBp9VlLOG8BdEXSLnso5zoaW4Pv4UD4c0ogR0DwXzmVN-wxSMdB_KDfJ30UXo2MZVHQCDSXFbS4uuvQKlgafBPGCzsS7lnbvABrg9ORNEUPENhb8lu_UmKRLRzpCokCJqX1HtLgTEiteBVgxmQAmIQ3EHL_4rNCyBKRgZONw"}]}
This is the error message I get when my LTI tool application sends a request to Canvas to get an access token:
POST https://canvas.instructure.com/login/oauth2/token
{"error":"invalid_request","error_description":"JWS signature invalid."}
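Added example, not part of the thread and not Canvas or IMS code: a local pre-flight check for the `client_assertion` used in the client_credentials request above, verifying it against the tool's own JWKS before it is sent. The function names, the fixture helpers and the set of checks are assumptions made for illustration; the sample key and claims are meant to be constructed by the caller.

```ruby
require 'base64'
require 'json'
require 'openssl'

def b64u(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

def b64json(segment)
  JSON.parse(Base64.urlsafe_decode64(segment))
end

# Build an RSA public key from a JWK's base64url "n" and "e" members.
def jwk_to_rsa(jwk)
  ints = %w[n e].map do |m|
    OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(Base64.urlsafe_decode64(jwk.fetch(m)), 2))
  end
  OpenSSL::PKey::RSA.new(OpenSSL::ASN1::Sequence.new(ints).to_der)
end

# List the reasons a token endpoint could reject this client_assertion.
def check_client_assertion(jwt, jwks, token_url, now: Time.now.to_i)
  h64, p64, s64 = jwt.split('.')
  header = b64json(h64)
  claims = b64json(p64)
  problems = []
  jwk = jwks.fetch('keys').find { |k| k['kid'] == header['kid'] }
  if jwk.nil?
    problems << "kid #{header['kid'].inspect} not in JWKS"
  elsif !jwk_to_rsa(jwk).verify(OpenSSL::Digest.new('SHA256'), Base64.urlsafe_decode64(s64), "#{h64}.#{p64}")
    problems << 'signature does not verify with the JWKS key'
  end
  problems << 'alg is not RS256' unless header['alg'] == 'RS256'
  problems << 'aud is not the token endpoint' unless Array(claims['aud']).include?(token_url)
  problems << 'iss and sub differ' unless claims['iss'] == claims['sub']
  problems << 'expired' unless claims['exp'].to_i > now
  problems
end

# Constructed fixtures (throwaway key pair, not values from the thread).
def sample_jwks(key, kid)
  { 'keys' => [{ 'kid' => kid, 'kty' => 'RSA', 'n' => b64u(key.n.to_s(2)), 'e' => b64u(key.e.to_s(2)) }] }
end

def sample_assertion(key, kid, claims)
  input = [{ kid: kid, alg: 'RS256' }, claims].map { |part| b64u(part.to_json) }.join('.')
  "#{input}.#{b64u(key.sign(OpenSSL::Digest.new('SHA256'), input))}"
end
```

The first check matters for the data in the post above: the `client_assertion` string as posted decodes to a header with `kid` "kyron-learning", while the header shown and the JWKS both list "3OiWbsTpC4edFoJ".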