Showing results for 
Show  only  | Search instead for 
Did you mean: 
New Member

LTI OAUTH 1.0 Signature Mismatch


I created an LTI application with .Net. I have tried different libraries to create OAuth 1.0 signature, but it never matches with the one comes from Canvas. I checked it with this tool:  and it matches with the OAuth signature I generated, however not with the "signature" parameter comes from Canvas.

URL: https://localhost:44397/default.aspx

Consumer Key: orhun-123

Shared Secret: orhun-123

Nonce: nYrB8fqYrLsKd4Q1QharrvjBYb9zj03unlAU7urXg
Timestamp: 1536243035
Generated signature: Iyxdh5swIDAro/K7WbUWAjhOUI0=

Signature comes from Canvas:  z2tzUWURgkf6m56L7wrUyqe50wE=

Currently, I am using this code to generate the OAuth signature: 

OAuth-Signature-Validation-Tool/OAuthBase.cs at master · mashery/OAuth-Signature-Validation-Tool · G... 

Thank you,

Tags (4)
8 Replies
Community Champion

What is your tool's URL, as entered in Canvas?

Above, have you listed all of the parameters you are receiving from Canvas?  Are you using all of them? 

Some of the compulsory oauth ones seem to be missing, eg., oauth_signature_method, oauth_version.  And then there are all the other ones, eg, lti_version, context_id, lis_person_name_full, roles, ... ... ...

Hi Peter,

Thanks for the response. I just figured out the problem. There was a couple of things I was missing; the first thing; I didn't know that I should use all of the parameters(except oauth_signature) sent to the launch url to create the signature base. And the second thing was just an encoding issue. 

What was the issue with encoding? Did you have to change something on your code/call? I am having a similar issue but it works with a development server, but not a production server. Trying to figure out if there is an encoding issue.

Hi Jonathan,

For me, the problem was creating the signature base

To create the Signature Base:

   1- Get all of the parameters except "oauth signature" sent by Canvas with POST from the launch.

   2- I made a loop for each parameter, and encode only Key and Values, they look like        this: encodedKey=EncodedValue. I don't know which language you are using but, in c# it looks similar to this: 


   3- Sort them alphabetically with the Key names(&Key=Value)

   4- Create a string from this list, and Encode this string one more time(the whole string).

   5- Add the string you created to "POST&{Your Launch Url}&{The string you just created}"


   After these, you will just create the signature with using this signature base which is the standard way. I hope this will help.

Your post was extremely helpful, but missing one crucial part: the way to generate the Key used in HMACSHA1 encoding is $"{Secret}&" where Secret is from the Key and Secret that you use to create the LTI tool in canvas. You don't have to put anything else there.

When I was researching this topic I somehow missed this and tried to put $"{Secret}&{Key}" in there, but the Key is unnecessary.

(Grain of Salt: This is using the .NET Core 3.0 library System.Security.Cryptography.)

0 Kudos

Hey, I followed your all instruction steps, but the signatures are not getting matched.

The canvas provided signature and my signatures are totally different.

Can you please little bit elaborate with an example, hope it may help.

Thanks in Advance.


0 Kudos
Community Member

Were you able to generate the correct oauth_signature from your end?

0 Kudos
Community Contributor

In case it helps, you can check an OAuth signature using a tool like the one at Note also that, when your launch URL includes query parameters, Canvas does not generate a correct signature unless the oauth_compliant property has been set to true in the app configuration (see

0 Kudos