Showing results for 
Show  only  | Search instead for 
Did you mean: 
New Member

Invalid signature when Canvas connects to LTI tool

I am trying to combine the Signature verification example from pklove in this discussion:  

with the following tutorial:

.NET LTI Project - Part 3 - OAuth  

I can test the Signature verification example in the Canvas Dev and Friends course, module 2, and it works fine. I am using my own domain on https.

By following the tutorial, I can add an app. I am using the same Consumer Key and Shared Secret as in the course. However, when I launch the same url from as in the LTI tutorial, I get an "Invalid signature" error. I can print out the body of the request with all parameters. oauth_consumer_key is right, I do not check for oauth_nonce, oauth_timestamp is present and is supposed to get checked by ims-lti. How to troubleshoot this problem?

12 Replies
Community Coach
Community Coach

 @alessandro_mari , greetings! Due to the technical nature of this question I am sharing it with the Canvas Developers group in the Community. You might consider joining this group so you get access to their resources and information. 



0 Kudos
Community Participant

If you are using an OAuth library, it is likely that this code is checking the oauth_timestamp, so check that the clock on your server is accurate.  Any significant (depends on the library being used) discrepancy from the timestamp provided by Canvas will cause an invalid signature error.

Thank you for your suggestion. The timestamp posted by the Dev and Friends course and LTI launch from the same canvas account are nearly identical, see below. I am using the ims-lti package, which I believe successfully checks the timestamp (in fact I can pass the tests in the Dev and Friends course). I tried to use passport instead of ims-lti but got stuck.

I am now trying to work on this tutorial about the OAuth2 workflow: However I think i need an administrative access to a test instance of Canvas and I am stuck on other technical problems (I cannot install the canvas-lms GitHub repository, ether from source or from Docker due to known but unsolved Ruby problems).

Very frustrating indeed.

From Dev and Friends course:
{ oauth_consumer_key: '4b57.......',
  oauth_signature_method: 'HMAC-SHA1',
  oauth_timestamp: '1547731938',
  oauth_nonce: 'JMWm7Y3NyZSEEXSCNA79VeucGhW8mbsTPvvswXEwo',
  oauth_version: '1.0',
  context_id: '42fe6d3012',
  context_title: 'Semester 649',
  launch_presentation_return_url: '',

From LTI launch:
{ oauth_consumer_key: '4b57.......',
  oauth_signature_method: 'HMAC-SHA1',
  oauth_timestamp: '1547731942',
  oauth_nonce: 'RMETpjsmt8m4skBu2QEwCwFgI6LfZrB8cRYtvWnlOBo',
  oauth_version: '1.0',
  context_id: '51924590aa77672e7e07483c6201b9d34d95d67f',

0 Kudos

But just to be clear, have you checked the clock on the server where your code resides; that is the tool provider server?

Sorry, the timestamps are basically same:

>date +%s

from the post request launched asap:


0 Kudos

OK, then another common cause of invalid signature errors is that parameters on the query string are not being properly checked.  I have no experience with the .Net OAuth libraries, but if you have any query parameters in your launch URL, you might try testing your connection without them to see if the signature is then verified.  If it is, then this suggests an error with the library or the way it is being used.

My LTI Launch URL is , which is an alternative domain to localhost. It works when I launch it on a server and it does not contain query parameters.

I am wondering if Developer Keys are something that come into play at this point. If so i will have to get a Development installation of Canvas where I have Administrative access, something that so far has been a challenge for me. Notice that I am launching the LTI app from my canvas account at

0 Kudos

I don't think developer keys would be relevant to an LTI launch.  Have you tried just using https://localhost:8000/ as your launch URL in case there is some domain name changes happening within your web server.  In addition try quoting the actual page being called rather than letting your web server redirect you to the default page; e.g. ...:8000/default.asp; if a redirect is happening then it is likely to lose the POST data being passed.

Thank you, I was trying your second suggestion and the problem is now solved! However I do not know how.The code in my server is now the same as before.

In any case I created a new XML configuration with:

LTI Launch URL: 

I adjusted the endpoints in my server, making /helloworld run the signature check. It worked. However I think I reverted my code back to what it was, and having the following is also fine:

LTI Launch URL:

Maybe changing the XML Config did the trick.

If I find out more I will add it here.

Thank you again

0 Kudos

Very curious.  The reason for my suggestion is that the signature is generated using the endpoint to which the request is being sent, so it is important that the same endpoint is generated at the tool provider end so that the signature can be verified.  In addition some web servers (such as Apache) will issue a redirect when the default page is assumed in the URL; this is likely to mean that the endpoints assumed will be different between the two servers and can also mean that the POST request becomes a GET request (depending upon how this redirect is executed).  HTH.

0 Kudos
Community Coach
Community Coach

 @alessandro_mari ,

Were you able to find an answer to your question? I am going to go ahead and mark this question as answered because there hasn't been any more activity in a while so I assume that you have the information that you need. If you still have a question about this or if you have information that you would like to share with the community, by all means, please do come back and leave a comment.  Also, if this question has been answered by one of the previous replies, please feel free to mark that answer as correct.



0 Kudos
Community Member

In my case the "Invalid Signature" message was because of a protocol mismatch. Although I was serving my tool under https at the network load balancer, nginx was only using port 80 to serve pages. I created a vhost for 443 on nginx, setup/plugged some certs and voila! worked.

0 Kudos