Degraded AWS performance is currently impacting some Canvas users in the North American region. Check Canvas Status for updates.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SamStephens
Community Participant

Help with LTI Authorization Header for Grade Passback

Jump to solution

I've been working with an LTI app that should be able to pass grades back to the LMS.

I'm using curl in PHP to pass the POST request back to Canvas. I went through the steps to generate the authorization header, but I keep getting an "Invalid authorization header" response.

I'm not sure how to best troubleshoot this error. Does it come up only with the header isn't formatted correctly, or could it be that my signature or something else isn't generating properly?

Below is the header information spit out by the curl info, mildly redacted:

POST /api/lti/v1/tools/555/grade_passback HTTP/2
Host: my.host.com
accept: */*
authorization: OAuth realm="", oauth_consumer_key="12345", oauth_signature_method="HMAC-SHA1", oauth_signature="IaocPBad0I8YRLIiOgPRRy9ayKY%3D", oauth_timestamp="1607615826", oauth_nonce="1607615826", oauth_version="1.0", oauth_body_hash="d357c33dc75166fc98bda47997477ddf651e4bff"
content-type: application/xml
content-length: 817

 

Labels (4)
0 Kudos
1 Solution

Accepted Solutions
svickers2
Community Participant

Have you checked that your signature is correct?  (For example, use a page like the one at https://lti.tools/oauth to check the calculation.)  If that is correct, has your nonce value been used before?  Or double-check the body hash.

View solution in original post

7 Replies
svickers2
Community Participant

Have you checked that your signature is correct?  (For example, use a page like the one at https://lti.tools/oauth to check the calculation.)  If that is correct, has your nonce value been used before?  Or double-check the body hash.

View solution in original post

SamStephens
Community Participant

Thanks for the suggestions. It turns out my signature wasn't generating properly. I got that fixed, and I'm getting XML back.

I keep getting "Request could not be handled. ¯\_(ツ)_/¯". I know this isn't the same problem as the original question, but do you know of any documentation where I can get more information on this message?

SamStephens
Community Participant

I found the issue with the XML I was sending.

Thanks again for pointing me in the right troubleshooting direction.

mindcycle
Community Participant

Question here -- if the signature is not correct there should be no XML returned, correct? I am troubleshooting an LTI passback error, but since I am usually getting other errors back I am thinking OAuth is not this issue.

SamStephens
Community Participant

In my experience getting this to work, I didn't get any XML back until the signature was correct.

mindcycle
Community Participant

@svickers2 any chance you can take a look at this and share your thoughts?

svickers2
Community Participant

I think all requests should receive an XML response.  The imsx_statusInfo section is used to indicate the success or failure of the operation to the sender.  The key paragraph of the spec is:

See “Table A1.2 Interpretation of the ‘CodeMajor/severity’ matrix” from IMS General Web Services WSDL Binding Guidelines [GWS-10] for further details on header values for 'unsupported' or 'failure' responses.