cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
dbrigham
Community Member

LTI POST Request with Query String Parameters

Jump to solution

Hello,

I used https://lti-tool-provider.herokuapp.com/ to test an OAuth request between Canvas and our server. The URL I am hitting is https://localhost/authorization/lti?action=true. My question is why do query string parameters get added to the POST body?

This is causing our signature validation to fail as the two requests do not match. When we check for equality for the two signatures the one from the LTI Tool Provider Test has one parameter action=true while when the server constructs the signature it has two action=true (one from the POST body and one from the query string). I have not had this problem when constructing LTI requests with Moodle or Blackboard.

Why does Canvas add query string parameters to the POST body? Am I doing something wrong on my end?

Thank you for your help!

Labels (1)
Tags (2)
1 Solution

Accepted Solutions
pklove
Community Champion

There is now a configuration parameter, oauth_compliant, that controls this.  Setting it true stops the query parameters being copied to the body.

See "Launch URL's containing query parameters" at Importing Extended Tool Configurations - Canvas LMS REST API Documentation 

View solution in original post

6 Replies
stuart_ryan
Community Coach
Community Coach

Hi  @dbrigham ,

I am going through having a look at some of the early days in the Canvas Developers group, and checking in to see if older enquiries have been answered. I also noticed there hasn’t been any discussion on this question.

I am wondering, were you ever able to resolve this? If have some insights you may be able to share for others that would be awesome too!

Cheers,
Stuart

pklove
Community Champion

There is now a configuration parameter, oauth_compliant, that controls this.  Setting it true stops the query parameters being copied to the body.

See "Launch URL's containing query parameters" at Importing Extended Tool Configurations - Canvas LMS REST API Documentation 

View solution in original post

Hi pklove,

That is outstanding thanks so much!

Cheers,
Stuart

pklove
Community Champion

Hi Suart,

Kind words, but this came up in Verifying Signature in LTI launch when there are query parameters and I think  @justinball  might have been the first to mention oauth_compliant in these fora.

Cheers,

Peter

skyler_todd
Community Participant

There is also a setting to fix this globally, I believe it is the toggle "Don't Move LTI Query Params to POST Body" in Account > Settings > Feature Options.

pklove
Community Champion

Note that his might not be available on some installs.  I do not see it on a Canvas hosted installation, but I do have it on my local install.