cancel
Showing results for 
Search instead for 
Did you mean: 
Surveyor II

LTI 1.3 Error 500 when trying to get a token for the lti adventage api

Jump to solution

I'm trying to consume the names and roles api but I can't get even the token to be able to consume the endpoint.

I get a 500 error no matter what I try. What am I doing wrong? any ideas?

$payload = [
            "iss" => "https://localhost",
            "sub" => CLIENT_ID,
            "aud" => "https://XXXXX.beta.instructure.com/login/oauth2/token",
            "iat" => time(),
            "exp" => 1609459200,
            "jti" => (string) Uuid::uuid4()
        ];
        $jwt = JWT::encode($payload, PRIVATE_KEY, SIGNATURE_METHOD);
        $params = array(
            'grant_type' => "client_credentials",
            'client_assertion_type' => "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
            'client_assertion' => $jwt,
            'scope' => "https://purl.imsglobal.org/spec/lti-nrps/scope/contextmembership.readonly"
        );
        $options = [
            'form_params' => $params,
        ];
        $client = new Client();
        $res = $client->request('POST','https://XXXXX.beta.instructure.com/login/oauth2/token', $options);
        dd($res->getBody());

 

 

Labels (4)
0 Kudos
1 Solution

Accepted Solutions
Surveyor

If you configure Canvas to use a JWKS URL then this URL must be publicly available so that Canvas can call it.  If your tool is not on a publicly available server, then try configuring Canvas with your public key instead so that a request to a JWKS endpoint is not required.

View solution in original post

6 Replies
Surveyor

Does Canvas have your public key or just a URL to your JWKS endpoint?  If the latter, it does not look like you have included a kid claim in the header to your JWT, so perhaps this is causing a problem with Canvas obtaining your public key to verifiy the signature.

Hi @svickers2 , Indeed, the kid was not passing inside the header. Although after adding it I keep getting a 500 error. 

Do you have any other ideas that I could be doing wrong?

I have read in another question from the community that to use NRPS in the beta environment you have to request directly with canvas the activation of the functionality, the forum question was somewhat out of date when they just implemented lti 1.3. Is this still true?

If you are configuring Canvas with a JWKS URL, then do you see any requests being made to obtain your public key?  If so, does your response include the key with the same kid value?

I don't know of the beta environment requires any special arrangements; I have only used test and production in my experiments.

Hi @svickers2 , I have looked at the apache access log and I only have requests to my starting point, nothing related to lti adventage, but the url set in canvas lti keys is correct.

I have been given access to the "test" environment and I have the same problem, so I think it is not a problem in the "beta" environment.

I have tried a demo application from ceLTic project and have not been able to use LTI Adventage there either. (Rating PHP )
 
I'm thinking that the problem is due to the point of origin of the requests, can you tell me how you work from your experience? To be more specific is the preparation of the environment to run the application.
 
 
The integration of lti can be done from a local environment, because the points that you use canvas are redirections that my own computer solves and, if I eventually use localhost, my team will respond.
If I configure a local domain for my computer or overwrite an existing one, my computer will respond the same way if I associate a domain with 127.0.0.1
 
Now, in the developer keys when I configure the application I need to define some urls, within them the url of "JWK public URL", which in my case is "https: //localhost/jwks.php", locally it works for me, but for canvas localhost is your server, not my local machine. To use lti adventage do I need an online server?
 

and finally, in additional configurations canvas requests my domain, I suppose that to validate Oauth requests, if I work locally my server is "https: // localhost".
Now, if I have my application inside a root folder on my server, for example:

"https: // localhost / root_folder_of_my_project / WHATEVER"

My domain for canvas is "https: // localhost" or "https: // localhost / root_folder_of_my_project"

In addition to this if I configure apache locally to respond to "https: // localhost / root_folder_of_my_project" as "https://www.example.cl", my domain only responds locally, in that case if I configure my JWKS with a domain local, for example "https://www.example.cl/jwks.php" would canvas look for the domain on the web instead of my local server?

 I really appreciate your help in taking time to address my problem.
 
Surveyor

If you configure Canvas to use a JWKS URL then this URL must be publicly available so that Canvas can call it.  If your tool is not on a publicly available server, then try configuring Canvas with your public key instead so that a request to a JWKS endpoint is not required.

View solution in original post

Hi @svickers2  After defining the JWKS manually in canvas I have obtained the token. Thank you for your guidance, you have helped solve the problem.