Thank you for you see this question.
I am writing a LTI program.
The assignment post some data to my program. I see some parameters include oauth_cosumer_key, oauth_nonce, oauth_signature_method, oauth_version, oauth_timestamp, etc....
I am going to build oauth_signature, but failed.
Here is the codes:
Any other params do I need?
//"456" is the secret I set. I have saved it into the share secret box.
$oauth_signature doesn't matches with $_POST['oauth_signature']
Hope you can help me on this problem.
Best wishes !
Thank you very much.
I am the Canvas admin, it is a big problem.:smileylaugh:
Here is the params I am using:
$params = array(
'oauth_consumer_key' => $_POST['oauth_consumer_key'],
'oauth_nonce' => $_POST['oauth_nonce'],
'oauth_signature_method' => $_POST['oauth_signature_method'],
'oauth_timestamp' => $_POST['oauth_timestamp'],
'oauth_version' => $_POST['oauth_version']
PS: 456 is the secret.
Any other params do I need?
I recommend working through the example here: http://lti.tools/oauth/
This example gives you known data to work with, and a reproducable result.
It walks you through step by step.
You might also want to look at this project on GitHub: GitHub - jrconlin/oauthsimple: Simple, standardized OAuth signature generator
Thank you very much for you reply so soon.
I am looking at this page.
I have got the Base String:
But I don't know how to get the string "kd94hf93k423kf44&pfkkdhi9sl3r4s00"
Go back to the beginning of the article, review the defined constants for the exercise:
"The client has previously registered with the server and obtained the client identifier dpf43f3p2l4k3l03 and client secret kd94hf93k423kf44. It has executed the OAuth workflow and obtained an access token nnch734d00sl2jdk and token secret pfkkdhi9sl3r4s00"
Hi, Mr Garth Egbert
Thank you very much, you are so kindly !
I am going to give up this way.
I think it is easier if I am using token_access to build plugins which I could create from my account.
Thank you again.
Obviously I don't know what your app is doing, but bypassing authentication and using a token only raises security concerns.
Does your app have different features for students vs. instructors?
How are you going to know who is accessing your app?
How are you going to know what role that user has?
Sent via the Samsung Galaxy S® 6 edge, an AT&T 4G LTE smartphone
Due to the technical nature of this question I'm going to share it with the Canvas Developers group in the Community. I recommend also joining this group so you can have access to all their resources.
Stephen Vickers has an extensible LTI Tool Provider package that allows you to abstract away OAuth headaches. I use it as the core of my Reflexive Canvas LTI package (that provides API access from the Tool Provider). Not in love with it, but it gets the job done without forcing me into the weeds of authenticating OAuth sigs.
Thank you !
I have tried to use the LTI TP, it is not easy for the New Developers, even I have 4 yeas PHP experiences.
If there are some instructions let me know how to use it will be much better.
@dengpan_huang … yeah. It's a bear. And -- truth in advertising -- when LTI 2.0 is finalized, it will be out-of-date (but I think he's working on update -- that exists within the Composer-Packagist package management ecosystem).
I basically scrutinized Steven Vickers' example Ratings app until I sorta "got" it.
Here's my horseback take:
I've decided (as I alluded earlier) that I don't really like dealing with LTI_Tool_Provider nakedly, so I have wrapped it in my own package that makes it easier for me to work with it. Here's an example (that I tend to use as my template each time I build a new LTI) of how I really deal with it. For example, that's the same structure as our Advisor Dashboard LTI (placed in Course and Account Navigation) or my See All Submissions LTI (placed in Course Navigation).
What I haven't effectively tested, but I believe does work, is the homework submission passback process. (As I understand it, when then LTI is launched by the assignment, one of the parameters it includes is a URL to which the LTI can then submit the student's work when it's ready.)
However, I encourage you to get it working on your own solely for the purpose of understanding how it works, I do not consider that a waste of time, it is a worthwhile effort.
Another library option for you is directly from IMS Global:
They also have PHP sample code.
If you do decide to bypass the OAuth signature validation and simply use your developer token to leverage the API, make sure you understand that you are significanly compromising the security of your application. The function of the oAuth signature is to allow you to validate the integrity of the information you are receiving. Using OAuth you are verifying that the values being passed to you by Canvas have no been tampered with.
Unless you are providing your own method of user validation, I recommend you push forward and implement OAuth validation.