Community help

justinball · ‎06-21-2017

We've been using the 1.x version of the ims-lti gem and have decided that it's time to upgrade to the 2.0 version.

We're using this bit of code from the documentation to validate the LTI launch:

authenticator = IMS::LTI::Services::MessageAuthenticator.new(request.url, request.request_parameters, lti_secret)
authenticator.valid_signature?

Everything works great for an LTI launch from a course level navigation item - the signature is valid and everything is great.

However, if I launch the same tool for a content item selection request (i.e. as an editor button) then the signature always fails. If I walk my code back to the 1.x version of the gem everything works great again so I know that I can get a valid signature with a previous version of the gem. I'm not changing the shared secret between requests.

Any idea why the content item selection LTI launch fails?

justinball · ‎06-21-2017

I dug down into the gem and then into the simple_auth gem that ims-lti now relies on to verify the signature of the request.

The IMS::LTI::Services::MessageAuthenticator initialization parses the params object into options and parsed_params.

The course level navigation results in an @options that looks like this:

{:consumer_key=>"lti-example-dev", :signature_method=>"HMAC-SHA1", :timestamp=>"1498094063", :nonce=>"sTtZphI5tfJarJfZQksP1Bdm6nILujuMntjpVk10bc", :version=>"1.0", :callback=>"about:blank"}

The content item selection results in an @options that looks like this:

{:consumer_key=>"lti-example-dev", :signature_method=>"HMAC-SHA1", :timestamp=>"1498094088", :nonce=>"TTNKN94qqjX8vmehAIlsod7GhXLkQpRqy52FxYamG4", :version=>"1.0"}

The primary difference is that the content item selection does not have a callback.

However, when I did into the simple_oauth gem and look at the "signature_base" that is used to generate the signature, both requests contain an "oauth_callback". I think that somewhere in one of the gems that value is being added in. It passes in the case of the course level launch because it was part of the original request and thus part of the signature. In the content item selection there is no oauth_callback value and so the signatures are different and the request fails.

justinball · ‎06-21-2017

I did a bit more digging and now I'm sure it's the additional oauth_callback value. If I do a bit of cheating and modify the simple_oauth gem's hmac_sha1_signature method to remove the value like this:

signature_base = signature_base.gsub("oauth_callback%3Dabout%253Ablank%26", "")‍

then the signature validates and the LTI Launch succeeds.

In message_authenticator.rb there's this bit of code that generates the simple_oauth_header. By default it always adds in a callback even if the request doesn't include that value. If I remove the callback then the signature succeeds. Is there a reason to always have a default callback value?

def simple_oauth_header
  @simple_oauth_header ||= begin
    @simple_oauth_header = SimpleOAuth::Header.new(
      :post, launch_url,
      @parsed_params,
      @options.merge(
        {
          consumer_key: consumer_key,
          consumer_secret: @secret,
          callback: 'about:blank'
        }
      )
    )
    @simple_oauth_header
  end
end‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

LTI Launch fails for content item selection with latest IMS-LTI gem

Donot have valid data to test certain APIs

Getting Canvas LTI Data

Is it posible to get the self_enrollment_code trou...

Display LTI content in pages from Editor LTI Place...

Media Plugin for Canvas LMS

UI for weekly progression idea

Is the ‘Enable self assessment’ field available in...

Canvas Rubrics API Criteria

api/v1/courses/sis_course_id:{id#}/sections - Not ...

add `desc` or `asc` to a few api calls that are al...

You're signed out

LTI Launch fails for content item selection with latest IMS-LTI gem

Community help

View our top guides and resources: