- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-04-2020
07:35 AM
LTI basic launch oauth signature mismatch
Hello Folks,
I'm trying to validate the basic LTI launch request by the shared secret with vendor and the received payload in LTI launch request.
Steps which I have done so far is,
1. Remove the oauth_signature key and value from the received payload(POST LTI launch request)
2. Sort the keys of the payload in ascending order
var obj=sortPayload(req.body);
3. Generate a string for each encoded key and encoded values in a loop, for example,
var str = ''";
for (const key in obj)
str += `${encodeURIComponent(key)}=${encodeURIComponent(obj[key])}`;
4. Merge str string with the http method name POST and LTI launch url, for example
5. Generate sha1 hash code with secret key and text which is there in step4(assume "abc" is secret key)
var hash = crypto.createHmac('sha1', "abc").update(text).digest('hex');
6. Generate base64 string with a hash key which is created in step5
hash = new Buffer(hash).toString('base64');
Now the hash string is a locally created signature, but this signature and canvas signature are mismatched.
How to validate my LTI launch request, Is it the right way to validate the signature?
I have used Nodejs/Expressjs technology to build LTI tool.
1 Reply
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-04-2020
02:41 PM
You can use the page at https://lti.tools/oauth to verify a signature and view the calculation method. Note that, by default, Canvas does not send the correct OAuth signature if your URL includes query parameters unless the oauth_compliant property is set to true.
