Showing results for 
Show  only  | Search instead for 
Did you mean: 
New Member

【PHP】Build oauth_signature failed

Hi, all

Thank you for you see this question.

I am writing a LTI program.

The assignment post some data to my program. I see some parameters include oauth_cosumer_key, oauth_nonce, oauth_signature_method, oauth_version, oauth_timestamp, etc....

I am going to build oauth_signature, but failed.

Here is the codes:


Any other params do I need?

$oauth_signature= base64_encode(hash_hmac('sha1',$string,"456",TRUE));

//"456" is the secret I set. I have saved it into the share secret box.

$oauth_signature doesn't matches with $_POST['oauth_signature']

Hope you can help me on this problem.

Best wishes !


17 Replies
New Member

I think is not correct. I am not sure....

Help me !please !

Community Champion

 @dengpan_huang    Have you checked with the Canvas admin for your school?

Or with your Canvas CSM?

I would verify the URL through your official Canvas contacts.

Thank you very much.

I am the Canvas admin, it is a big problem.:smileylaugh:

Here is the params I am using:

$params =  array(

  'oauth_consumer_key' => $_POST['oauth_consumer_key'],

  'oauth_nonce' => $_POST['oauth_nonce'],

  'oauth_signature_method' => $_POST['oauth_signature_method'],

  'oauth_timestamp' => $_POST['oauth_timestamp'],

  'oauth_version' => $_POST['oauth_version']



$oauth_signature= $this->mylib->get_signature($string,'456');

PS: 456 is the secret.


Any other params do I need?

Community Champion

I recommend working through the example here:

This example gives you known data to work with, and a reproducable result.

It walks you through step by step.

You might also want to look at this project on GitHub:  GitHub - jrconlin/oauthsimple: Simple, standardized OAuth signature generator

Thank you very much for you reply so soon.

I am looking at this page.

I have got the Base String:


But I don't know how to get the string "kd94hf93k423kf44&pfkkdhi9sl3r4s00"


Community Champion

Go back to the beginning of the article, review the defined constants for the exercise:

"The client has previously registered with the server and obtained the client identifier dpf43f3p2l4k3l03 and client secret kd94hf93k423kf44. It has executed the OAuth workflow and obtained an access token nnch734d00sl2jdk and token secret pfkkdhi9sl3r4s00"

Hi, Mr Garth Egbert

Thank you very much, you are so kindly !

I am going to give up this way.

I think it is easier if I am using token_access to build plugins which I could create from my account.

Thank you again.

Community Champion

Obviously I don't know what your app is doing, but bypassing authentication and using a token only raises security concerns.

Does your app have different features for students vs. instructors?

How are you going to know who is accessing your app?

How are you going to know what role that user has?

Sent via the Samsung Galaxy S® 6 edge, an AT&T 4G LTE smartphone

Community Coach
Community Coach

Due to the technical nature of this question I'm going to share it with the Canvas Developers​ group in the Community. I recommend also joining this group so you can have access to all their resources.

Thank you very much

Community Contributor

Stephen Vickers has an extensible LTI Tool Provider package that allows you to abstract away OAuth headaches. I use it as the core of my Reflexive Canvas LTI package (that provides API access from the Tool Provider). Not in love with it, but it gets the job done without forcing me into the weeds of authenticating OAuth sigs.

Hi, Seth

Thank you !

I have tried to use the LTI TP, it is not easy for the New Developers, even I have 4 yeas PHP experiences.

If there are some instructions let me know how to use it will be much better.

 @dengpan_huang ​… yeah. It's a bear. And -- truth in advertising -- when LTI 2.0 is finalized, it will be out-of-date (but I think he's working on update -- that exists within the Composer-Packagist package management ecosystem).

I basically scrutinized Steven Vickers' example Ratings app until I sorta "got" it.

Here's my horseback take:

  1. You're going to want to extend the LTI_Tool_Provider class to handle all incoming requests. That takes care of both authentication and extracting parameters sent from the Tool Consumer (i.e. the LMS).
  2. When you instantiate your subclass of the LTI_Tool_Provider, it's going to need an LTI_Data_Connector instance to handle database connections, so that it can store backing data for the application, including the context and user IDs that the LTI_Tool_Provider will extract from the incoming requests automagically.
  3. There are a few different ways of handling different types of incoming requests (e.g. "basic-lti-request" that is, essentially, an app launch from Course or Account Navigation, or a content item (e.g. a particular module link, I think). The LTI_Tool_Provider class has built in handlers for each type of request and you will need to override them in your subclass to handle them in your own way.
  4. The LTI_Tool_Provider captures a lot of data about the initial request that you can query from it later. I tend to try to stash it in a session data​ for later use.

I've decided (as I alluded earlier) that I don't really like dealing with LTI_Tool_Provider nakedly, so I have wrapped it in my own package that makes it easier for me to work with it. Here's an example (that I tend to use as my template each time I build a new LTI) of how I really deal with it. For example, that's the same structure as our Advisor Dashboard LTI (placed in Course and Account Navigation) or my See All Submissions LTI (placed in Course Navigation).

What I haven't effectively tested, but I believe does work, is the homework submission passback process. (As I understand it, when then LTI is launched by the assignment, one of the parameters it includes is a URL to which the LTI can then submit the student's work when it's ready.)


你好  @dengpan_huang ​,

Instead of rolling-your-own OAuth, I highly recommend that you utilize an existing PHP library.  In fact there is one included in the PHP LTI Tool Provider library available on OSCELOT.  Using these libs should make your life significantly easier.

Hi, Danny

I will reread the library.

Thank you very much.

Community Champion

I agree with  @tdw ​ and  @SethBattis ​, using an existing OAuth library can save you time.

However, I encourage you to get it working on your own solely for the purpose of understanding how it works, I do not consider that a waste of time, it is a worthwhile effort.

Another library option for you is directly from IMS Global:

They also have PHP sample code.

If you do decide to bypass the OAuth signature validation and simply use your developer token to leverage the API, make sure you understand that you are significanly compromising the security of your application.  The function of the oAuth signature is to allow you to validate the integrity of the information you are receiving.  Using OAuth you are verifying that the values being passed to you by Canvas have no been tampered with.

Unless you are providing your own method of user validation, I recommend you push forward and implement OAuth validation.

Hi, Garth

Thank you very much.

I will try to use it again.