Community Help

ImreKinnunen · ‎04-25-2023

I'm working on assignment grading external tool for Canvas and got stuck when trying to access the LTI API.

The end goal is to save the student's result from the external tool in Canvas. Trying to achieve this with line items / LTI 1.3 Assignment and Grading Services.

After completing the OAuth2 Client Credentials Grant, the API does not accept my access_token.

When sending a get request to https://canvas.example.com/api/lti/courses/7264/line_items

with the access_token as a bearer I'm getting a response "Invalid access token format", even though the token is fresh and works with the api routes in this format https://canvas.example.com/api/v1 .

Strangely, when I enter a JWT id_token (sent to my by canvas via the JWT authentication method) as a bearer for the same request the error is no longer about the token format, the message returned is "Access token invalid - signature likely incorrect". However, the api documentation states that Oauth2 access_tokens, not id_tokens should be used with AGS.

Thank you for any tips! Please let know if you need additional information.

ColinMurtaugh · ‎05-02-2023

Are you sure that you used "grant_type=client_credentials" when you requested the token? If the token you have works with the Canvas API (as opposed to the LTI Advantage Services API), then it sounds like it was requested with "grant_type=code" or "grant_type=refresh_token" instead.

--Colin

View solution in original post

PraveenR · ‎05-02-2023

@ImreKinnunen I'm too getting this same error. And could you provide us with the details on how did you do the "OAuth2" openid workflow?

ColinMurtaugh · ‎05-02-2023

Are you sure that you used "grant_type=client_credentials" when you requested the token? If the token you have works with the Canvas API (as opposed to the LTI Advantage Services API), then it sounds like it was requested with "grant_type=code" or "grant_type=refresh_token" instead.

--Colin

PraveenR · ‎05-02-2023

No @ColinMurtaugh

What we're doing is to upload the score to the gradebook assignment using the below API,

/api/lti/courses/:course_id/line_items/:line_item_id/scores

We manually generated a access token from canvas settings page. When we call the API with that access token we are getting,

{

"errors": {

"type": "unauthorized",

"message": "Invalid access token format"

}

We really wanted to know how to upload the score to the gradebook. When student lauches the quiz we only get the ID_TOKEN back so we couldn't find a way to upload?

ColinMurtaugh · ‎05-02-2023

@PraveenR wrote:

We manually generated a access token from canvas settings page.

Yeah - this will only work for calling the Canvas API, not LTI Advantage Services APIs. To call endpoints that start with "/api/lti/" you will need to follow the instructions on Accessing LTI Advantage Services. In particular, you will need to request an LTI access token using the client_credentials grant. All of this is tricky to get right; I would highly recommend seeking out an LTI 1.3 library if one exists for the language you are using.

--Colin

PraveenR · ‎05-03-2023

@ColinMurtaugh

When we hit the login/oauth2/token with grant_type as "client_credentials" we are getting the following error,

{"error":"invalid_scope","error_description":"A requested scope is invalid, unknown, malformed, or exceeds the scope granted by the resource owner. The following scopes were requested, but not granted: https://purl.imsglobal.org/spec/lti-ags/lineitem"}

ColinMurtaugh · ‎05-03-2023

It's hard to know what the problem is without seeing more of the request details, but have you granted access to any of the LTI Advantage services for this key? In the Canvas admin UI, in the details for your LTI key, you will need to enable at least some of these services:

ImreKinnunen · ‎05-05-2023

Thank you for answering! I was indeed using "grant_type=authorization_code", and that's why the LTI Advantage API wasn't working.
I will try an implementation for "grant_type=client_credentials" and post results here @PraveenR

ImreKinnunen · ‎05-11-2023

@PraveenR turns out you have to define the desired scopes in the client credentials grant request like so:

'scope' => 'https://purl.imsglobal.org/spec/lti-ags/scope/lineitem https://purl.imsglobal.org/spec/lti-ags/scope/result.readonly https://purl.imsglobal.org/spec/lti-ags/scope/score https://purl.imsglobal.org/spec/lti-nrps/scope/contextmembership.readonly',

hope this helps

eggei · ‎12-20-2023

Hello,

I am running into the same error.

When I tests my tool with IMS reference platform, everything works but when I try it from Canvas, it fails with this error. I am stuck and I have no idea about how to debug this. Can someone help?

Details:

This is my request:

# Send request to get access token
response = HTTParty.post(
  url,
  headers: {
    'Content-Type' => 'application/x-www-form-urlencoded',
    'Accept' => 'application/json;charset=UTF-8'
  },
  body: URI.encode_www_form(
    grant_type: 'client_credentials',
    client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
    client_assertion: 'eyJraWQiOiJreXJvbi1sZWFybmluZyIsImFsZyI6IlJTMjU2In0.eyJpc3MiOiIyNDk4NTAwMDAwMDAwMDAwMDUiLCJzdWIiOiIyNDk4NTAwMDAwMDAwMDAwMDUiLCJhdWQiOiJodHRwczovL2NhbnZhcy5pbnN0cnVjdHVyZS5jb20vbG9naW4vb2F1dGgyL3Rva2VuIiwiaWF0IjoxNzAzMTA4NTc2LCJqdGkiOiI3OTNkZmYxMy04YjMxLTQzYjktYTFjZS05Yjc2MWI4NjAxMzMiLCJleHAiOjE3MDMxMTIxNzZ9.okSdCC1bE2A0FIUkWf8GhUQIvsX0aUUUd6cVPjfsrYQm-X7qHLm6QKu1K9SNI0obY8T-KJaYHHIkxDLPBfuimFu0VT4TieTfNbv8Q9CqRUIFhlNqJCO9fezWfDcjtNJ0MaPhjm1WQ57g5tLjRleiW9aQmfnK6GeSiLBEuqDxJHX-ef72GaKUjWaVzHrSs9cTTuiKHg7lvadMt6Zpx9FmLKMyiQ7vJRE5UsEZrxIce5haNQG9XLIMyxva717NviHAkavXfZ1xzhRz20KO34GziyD0dGRMeMY27YiD9Pv4t5Sxsy3-ojv_sBiTXJlpyMY1CLV8mNcAEEowCjwTKLNt-A',
    scope: 'https://purl.imsglobal.org/spec/lti-ags/scope/lineitem https://purl.imsglobal.org/spec/lti-ags/scope/result/read'
  )
)

This is the body of the JWT:

Confirmed that `iss` and `sub` values are indeed the Developer Key I created

{
"kid": "3OiWbsTpC4edFoJ",
"alg": "RS256"
}

{
"iss": "249850000000000005",
"sub": "249850000000000005",
"aud": "https://canvas.instructure.com/login/oauth2/token",
"iat": 1703108576,
"jti": "793dff13-8b31-43b9-a1ce-9b761b860133",
"exp": 1703112176
}

And my JWKS URL returns exactly this:

{"keys":[{"kid":"3OiWbsTpC4edFoJ","kty":"RSA","alg":"RS256","use":"sig","e":"AQAB","n":"xdEkWy-P6btIQIBdddlcgjD5pdubB2gRlkMlFBVhSedcsUkX4OhHKmGFElFVNIcGeQjh2aO8MIuvlWegLLNHJtVB29mv-zJiCVNJ2a-_ecWVRPeyVMfkOJJHopWSv0tXTsKlRpm4lN0HA-J13Wd001Cbw67O5Ibm4v5ZgqWlwIPF1bpBp9VlLOG8BdEXSLnso5zoaW4Pv4UD4c0ogR0DwXzmVN-wxSMdB_KDfJ30UXo2MZVHQCDSXFbS4uuvQKlgafBPGCzsS7lnbvABrg9ORNEUPENhb8lu_UmKRLRzpCokCJqX1HtLgTEiteBVgxmQAmIQ3EHL_4rNCyBKRgZONw"}]}

This is the error message I get when my LTI tool application sends a request to Canvas to get an access token:

POST https://canvas.instructure.com/login/oauth2/token

{"error":"invalid_request","error_description":"JWS signature invalid."}

AGS Invalid access token format/ Access token invalid

access tokens

API

External Tools & Apps

external tools submissions

id token

Details:

How to get LTI 1.3 Launch Payload from Authenticat...

SpeedGrader: Comment Box, Predictive Spelling Corr...

Subscribe App to Push Notifications

LTI 1.3 - Will this legacy claim "lti11_legacy_use...

Canvas selfhost cannot add answer to quizzes using...

How to get LTI 1.3 Launch Payload from Authenticat...

SpeedGrader: Comment Box, Predictive Spelling Corr...

How to Re-send to LTI submissions with Python canv...

Retrieve Quiz Question as Student

Help with OAuth for a new web app

You're signed out

AGS Invalid access token format/ Access token invalid

Details:

Community Help

View our top guides and resources: