Community Participant

Invalid signature when Canvas connects to LTI tool

I am trying to combine the Signature verification example from pklove in this discussion:  

with the following tutorial:

.NET LTI Project - Part 3 - OAuth  

I can test the Signature verification example in the Canvas Dev and Friends course, module 2, and it works fine. I am using my own domain on https.

By following the tutorial, I can add an app. I am using the same Consumer Key and Shared Secret as in the course. However, when I launch the same URL as in the LTI tutorial, I get an "Invalid signature" error. I can print out the body of the request with all parameters. oauth_consumer_key is right, I do not check for oauth_nonce, oauth_timestamp is present and is supposed to get checked by ims-lti. How can I troubleshoot this problem?

12 Replies
Community Coach

@alessandro_mari, greetings! Due to the technical nature of this question I am sharing it with the Canvas Developers group in the Community. You might consider joining this group so you get access to their resources and information.



Community Participant

If you are using an OAuth library, it is likely that this code is checking the oauth_timestamp, so check that the clock on your server is accurate.  Any significant (depends on the library being used) discrepancy from the timestamp provided by Canvas will cause an invalid signature error.

Thank you for your suggestion. The timestamp posted by the Dev and Friends course and LTI launch from the same canvas account are nearly identical, see below. I am using the ims-lti package, which I believe successfully checks the timestamp (in fact I can pass the tests in the Dev and Friends course). I tried to use passport instead of ims-lti but got stuck.

I am now trying to work on this tutorial about the OAuth2 workflow: However, I think I need administrative access to a test instance of Canvas and I am stuck on other technical problems (I cannot install the canvas-lms GitHub repository, either from source or from Docker, due to known but unsolved Ruby problems).

Very frustrating indeed.

From Dev and Friends course:
{ oauth_consumer_key: '4b57.......',
  oauth_signature_method: 'HMAC-SHA1',
  oauth_timestamp: '1547731938',
  oauth_nonce: 'JMWm7Y3NyZSEEXSCNA79VeucGhW8mbsTPvvswXEwo',
  oauth_version: '1.0',
  context_id: '42fe6d3012',
  context_title: 'Semester 649',
  launch_presentation_return_url: '',

From LTI launch:
{ oauth_consumer_key: '4b57.......',
  oauth_signature_method: 'HMAC-SHA1',
  oauth_timestamp: '1547731942',
  oauth_nonce: 'RMETpjsmt8m4skBu2QEwCwFgI6LfZrB8cRYtvWnlOBo',
  oauth_version: '1.0',
  context_id: '51924590aa77672e7e07483c6201b9d34d95d67f',

But just to be clear, have you checked the clock on the server where your code resides; that is the tool provider server?

Sorry, the timestamps are basically the same:

>date +%s

from the post request launched asap:


OK, then another common cause of invalid signature errors is that parameters on the query string are not being properly checked.  I have no experience with the .Net OAuth libraries, but if you have any query parameters in your launch URL, you might try testing your connection without them to see if the signature is then verified.  If it is, then this suggests an error with the library or the way it is being used.

My LTI Launch URL is , which is an alternative domain to localhost. It works when I launch it on a server and it does not contain query parameters.

I am wondering if Developer Keys are something that come into play at this point. If so, I will have to get a Development installation of Canvas where I have Administrative access, something that so far has been a challenge for me. Notice that I am launching the LTI app from my canvas account at

I don't think developer keys would be relevant to an LTI launch.  Have you tried just using https://localhost:8000/ as your launch URL in case there are some domain name changes happening within your web server?  In addition, try quoting the actual page being called rather than letting your web server redirect you to the default page; e.g. ...:8000/default.asp; if a redirect is happening then it is likely to lose the POST data being passed.

Thank you, I was trying your second suggestion and the problem is now solved! However, I do not know how. The code in my server is now the same as before.

In any case I created a new XML configuration with:

LTI Launch URL: 

I adjusted the endpoints in my server, making /helloworld run the signature check. It worked. However I think I reverted my code back to what it was, and having the following is also fine:

LTI Launch URL:

Maybe changing the XML Config did the trick.

If I find out more I will add it here.

Thank you again
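
The causes raised in this thread (clock skew, query-string parameters, and a launch URL that differs from the one the consumer signed) can be told apart by rebuilding the OAuth 1.0 signature base string yourself. The following Node.js sketch is an added example, not code from any poster, the tutorial, or ims-lti; it follows RFC 5849, and the host names, key, secret, nonce and 300-second skew window are constructed assumptions.

```javascript
// Added example: OAuth 1.0 HMAC-SHA1 check for an LTI launch (RFC 5849).
const crypto = require('crypto');

// RFC 5849 percent-encoding: only unreserved characters stay literal.
const enc = s => encodeURIComponent(s).replace(/[!'()*]/g,
  c => '%' + c.charCodeAt(0).toString(16).toUpperCase());
const cmp = (a, b) => (a < b ? -1 : a > b ? 1 : 0);

// Base string = METHOD & base URI & sorted params (query string AND POST body).
function baseString(method, url, bodyParams) {
  const u = new URL(url); // lowercases scheme/host and drops default ports
  const uri = `${u.protocol}//${u.host}${u.pathname}`;
  const pairs = [...u.searchParams, ...Object.entries(bodyParams)]
    .filter(([k]) => k !== 'oauth_signature')
    .map(([k, v]) => [enc(k), enc(String(v))])
    .sort((a, b) => cmp(a[0], b[0]) || cmp(a[1], b[1]))
    .map(p => p.join('='));
  return [method.toUpperCase(), enc(uri), enc(pairs.join('&'))].join('&');
}

function sign(method, url, params, secret) {
  const key = `${enc(secret)}&`; // LTI 1.x launches carry no token secret
  return crypto.createHmac('sha1', key)
    .update(baseString(method, url, params)).digest('base64');
}

// Returns 'ok', 'stale timestamp' or 'invalid signature'.
function verify(method, url, params, secret, nowSec, maxSkewSec = 300) {
  const skew = Math.abs(nowSec - Number(params.oauth_timestamp));
  if (!(skew <= maxSkewSec)) return 'stale timestamp'; // also catches a missing value
  const want = Buffer.from(sign(method, url, params, secret));
  const got = Buffer.from(String(params.oauth_signature || ''));
  const same = want.length === got.length && crypto.timingSafeEqual(want, got);
  return same ? 'ok' : 'invalid signature';
}

// Constructed sample launch; URLs, key, secret and nonce are made up.
function demo() {
  const signedUrl = 'https://tool.example/helloworld'; // URL the consumer signed
  const seenUrl = 'http://localhost:8000/helloworld'; // URL rebuilt behind a proxy
  const secret = 'constructed-secret';
  const body = { oauth_consumer_key: 'constructed-key', oauth_version: '1.0',
    oauth_signature_method: 'HMAC-SHA1', oauth_timestamp: '1547731942',
    oauth_nonce: 'constructed-nonce', context_title: 'Semester 649' };
  body.oauth_signature = sign('POST', signedUrl, body, secret);
  return { sameUrl: verify('POST', signedUrl, body, secret, 1547731945),
    otherUrl: verify('POST', seenUrl, body, secret, 1547731945),
    badClock: verify('POST', signedUrl, body, secret, 1547731945 + 3600) };
}
console.log(demo());
```

Logging the output of `baseString` for the URL your server believes it was called on, next to the launch URL configured in the LMS, shows whether a scheme, host, port or path difference is the cause.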