LTI basic launch oauth signature mismatch

Community Member

Hello Folks,

I'm trying to validate the basic LTI launch request by the shared secret with vendor and the received payload in LTI launch request.

Steps which I have done so far is,

1. Remove the oauth_signature key and value from the received payload(POST LTI launch request)

2. Sort the keys of the payload in ascending order 

       var obj=sortPayload(req.body);

3. Generate a string for each encoded key and encoded values in a loop,  for example,

       var str = ''";

       for (const key in obj
          str += `${encodeURIComponent(key)}=${encodeURIComponent(obj[key])}`;
4. Merge str string with the http method name POST and LTI launch url, for example 
var text = encodeURIComponent(`POST&${encodeURIComponent(str)}`)
5. Generate sha1 hash code with secret key and text which is there in step4(assume "abc" is secret key)
     var hash = crypto.createHmac('sha1', "abc").update(text).digest('hex');
6. Generate base64 string with a hash key which is created in step5
     hash = new Buffer(hash).toString('base64');
Now the hash string is a locally created signature, but this signature and canvas signature are mismatched.
How to validate my LTI launch request, Is it the right way to validate the signature?
I have used Nodejs/Expressjs technology to build LTI tool.