cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
veeresh_d
Community Participant

LTI basic launch oauth signature mismatch

Hello Folks,

I'm trying to validate the basic LTI launch request by the shared secret with vendor and the received payload in LTI launch request.

Steps which I have done so far is,

1. Remove the oauth_signature key and value from the received payload(POST LTI launch request)

2. Sort the keys of the payload in ascending order 

       var obj=sortPayload(req.body);

3. Generate a string for each encoded key and encoded values in a loop,  for example,

       var str = ''";

       for (const key in obj
          str += `${encodeURIComponent(key)}=${encodeURIComponent(obj[key])}`;
 
4. Merge str string with the http method name POST and LTI launch url, for example 
 
var text = encodeURIComponent(`POST&https://b84ed22d93f.ngrok.io/lti&${encodeURIComponent(str)}`)
 
5. Generate sha1 hash code with secret key and text which is there in step4(assume "abc" is secret key)
 
     var hash = crypto.createHmac('sha1', "abc").update(text).digest('hex');
 
6. Generate base64 string with a hash key which is created in step5
 
     hash = new Buffer(hash).toString('base64');
 
Now the hash string is a locally created signature, but this signature and canvas signature are mismatched.
How to validate my LTI launch request, Is it the right way to validate the signature?
I have used Nodejs/Expressjs technology to build LTI tool.
 
0 Kudos
1 Reply
svickers2
Community Participant

You can use the page at https://lti.tools/oauth to verify a signature and view the calculation method.  Note that, by default, Canvas does not send the correct OAuth signature if your URL includes query parameters unless the oauth_compliant property is set to true.