Community

Hi Peter,

Thanks for the response. I just figured out the problem. There was a couple of things I was missing; the first thing; I didn't know that I should use all of the parameters(except oauth_signature) sent to the launch url to create the signature base. And the second thing was just an encoding issue. 

What was the issue with encoding? Did you have to change something on your code/call? I am having a similar issue but it works with a development server, but not a production server. Trying to figure out if there is an encoding issue.

Hi Jonathan,

For me, the problem was creating the signature base

To create the Signature Base:

   1- Get all of the parameters except "oauth signature" sent by Canvas with POST from the launch.

   2- I made a loop for each parameter, and encode only Key and Values, they look like        this: encodedKey=EncodedValue. I don't know which language you are using but, in c# it looks similar to this: 

   $"&{Uri.EscapeDataString(key)}={Uri.EscapeDataString(value)}

   3- Sort them alphabetically with the Key names(&Key=Value)

   4- Create a string from this list, and Encode this string one more time(the whole string).

   5- Add the string you created to "POST&{Your Launch Url}&{The string you just created}"

   

   After these, you will just create the signature with using this signature base which is the standard way. I hope this will help.

Your post was extremely helpful, but missing one crucial part: the way to generate the Key used in HMACSHA1 encoding is $"{Secret}&" where Secret is from the Key and Secret that you use to create the LTI tool in canvas. You don't have to put anything else there.

When I was researching this topic I somehow missed this and tried to put $"{Secret}&{Key}" in there, but the Key is unnecessary.

(Grain of Salt: This is using the .NET Core 3.0 library System.Security.Cryptography.)

Hey, I followed your all instruction steps, but the signatures are not getting matched.

The canvas provided signature and my signatures are totally different.

Can you please little bit elaborate with an example, hope it may help.

Thanks in Advance.

 

Thank you so much for clarifying. I'm not clear on how to set the oauth_compliant property to true. Is this something that is handled from the Canvas User Interface as an Admin Account? Thanks again.

Ok, thank you for clarifying. I think I've set the oauth_compliant field to true now. To confirm, when this field is set, would we still expect the generated hash to match a hash generated by a tool like one at http://lti.tools/oauth?

Fantastic, thank you for sharing your knowledge on this! It is appreciated!

One thing I've hit in validating LTI OAuth 1.0 signatures before is when you have a proxy in-front of your application server that handles HTTPS termination and then forwards the request onto your application server over HTTP. Unless you configure your application server to pull through the request URL from an additional HTTP header you can end up with a different signature to the one Canvas generated.

This doesn't seem to be what's wrong in your case as you say your manually calculated signature matches what your code is generating. However it might be worth just checking. There's an article from Microsoft about this that might be useful: https://learn.microsoft.com/en-us/aspnet/core/host-and-deploy/proxy-load-balancer?view=aspnetcore-3....

Yes, thank you! So how things are set up right now, we're setting up a button in canvas that when we push it, we should be interacting with our external application.
the resulting page that I end up on after pressing the button has the full URL "https://leep-syl-canvas-preview.dev7.leepfrog.com/ribbit/?page=lti". I think this is the proper url to be using when constructing my base string, but i've also tried using the url where the button appears in canvas.

I'm attaching my logging output, which displays each parameter in the request. The param string and base strings are constructed and displayed. Then the hash string being used is displayed (clkey1234&clkey12345).

The signature is being generated by calling an hmac-sha1(baseString, hashString) function, and the resulting signature is matching the signature from lti-tools/oauth/, however we are not matching the oauth_signature value that comes from canvas.

I'm also including a screenshot of the xml i'm using to add the external tool to canvas. The xml is pretty much just what we see as the example in getting the oauth_compliant field set to true, but I don't believe I have a way to confirm that oauth_compliant is actually being set to true.

Sorry about the wall of text on this. Please let me know if you need any further information! Thanks again!

I have been able to confirm the correctness of the OAuth signature being sent by Canvas using the site at http://lti.tools/oauth.  So I believe any error must lie at your end.  For example, make sure that you are URL-decoding any parameter values (and names).

Thank you for checking that. This doesn't match with my experience on my end. When I plug in the info for the request to the tool at lti.tools/oauth the generated signature does not match the signature that comes from canvas (the oauth_signature parameter), but does match the signature that I generate on my end labeled as Generated OAuth 1.0 Hash Signature in the .txt file i'd attached.

Am I understanding correctly that when you plug in my parameters to the lti.tools/oauth tool, your resulting signature matches the oauth_signature provided from canvas?

If so, could you please include a screenshot of your inputs at the top of the tool?

Thanks again for taking a look, it is greatly appreciated!

Yes, that is correct, the system at lti.tools/oauth confirms the signature from Canvas.  See attached image of the entry forms I used.