LTI basic launch oauth signature mismatch

veeresh_d
Community Member

Hello Folks,

I'm trying to validate the basic LTI launch request using the secret shared with the vendor and the payload received in the LTI launch request.

The steps I have done so far are:

1. Remove the oauth_signature key and value from the received payload (POST LTI launch request)

2. Sort the keys of the payload in ascending order 

       var obj=sortPayload(req.body);

3. Generate a string for each encoded key and encoded value in a loop, for example,

       var str = '';

       for (const key in obj)
          str += `${encodeURIComponent(key)}=${encodeURIComponent(obj[key])}`;
 
4. Merge the str string with the HTTP method name POST and the LTI launch URL, for example

       var text = encodeURIComponent(`POST&https://b84ed22d93f.ngrok.io/lti&${encodeURIComponent(str)}`)
 
5. Generate a SHA-1 hash with the secret key and the text from step 4 (assume "abc" is the secret key)
 
     var hash = crypto.createHmac('sha1', "abc").update(text).digest('hex');
 
6. Generate a base64 string from the hash created in step 5

     hash = Buffer.from(hash).toString('base64');
 
Now the hash string is a locally created signature, but this signature and the Canvas signature do not match.
How do I validate my LTI launch request? Is this the right way to validate the signature?
I have used Node.js/Express.js to build the LTI tool.
 
0 Likes
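For comparison with the steps in the post, here is an added example (not part of the original post, and not Canvas code) of how an OAuth 1.0a HMAC-SHA1 signature is computed and checked per RFC 5849: pairs are joined with `&`, the base string is not encoded a second time as a whole, the HMAC key is the encoded secret followed by `&`, and the raw digest is base64-encoded directly. The function names, the launch URL and the sample parameters are assumptions constructed for the demo; it assumes single-valued body fields and a launch URL without a query string.

```javascript
'use strict';
const crypto = require('crypto');

// RFC 5849 section 3.6 percent-encoding: encodeURIComponent leaves ! * ' ( ) unescaped.
function pct(value) {
  return encodeURIComponent(String(value))
    .replace(/[!*'()]/g, (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());
}

// Signature base string (RFC 5849 section 3.4.1): METHOD & enc(url) & enc(sorted params).
function baseString(method, url, params) {
  const pairs = Object.entries(params)
    .filter(([k]) => k !== 'oauth_signature')      // the signature never signs itself
    .map(([k, v]) => [pct(k), pct(v)])             // encode first, then sort
    .sort(([ak, av], [bk, bv]) => (ak < bk ? -1 : ak > bk ? 1 : av < bv ? -1 : av > bv ? 1 : 0))
    .map(([k, v]) => `${k}=${v}`)
    .join('&');                                    // pairs are joined with '&'
  return [method.toUpperCase(), pct(url), pct(pairs)].join('&');
}

// HMAC-SHA1 key is enc(consumer_secret) + '&' + enc(token_secret); an LTI launch has no
// token, so the key ends in a bare '&'. The digest is base64 of the raw bytes, not of hex.
function sign(method, url, params, consumerSecret) {
  return crypto.createHmac('sha1', `${pct(consumerSecret)}&`)
    .update(baseString(method, url, params))
    .digest('base64');
}

// Constant-time comparison of the received signature against the recomputed one.
function verifyLaunch(method, url, body, consumerSecret) {
  const expected = Buffer.from(sign(method, url, body, consumerSecret));
  const received = Buffer.from(String(body.oauth_signature || ''));
  return expected.length === received.length && crypto.timingSafeEqual(expected, received);
}

// Constructed sample launch (hypothetical URL and values), signed locally for the demo.
const LAUNCH_URL = 'https://tool.example.test/lti';
const sample = {
  lti_message_type: 'basic-lti-launch-request', lti_version: 'LTI-1p0',
  resource_link_id: 'rl-1', context_title: "Intro (Spring) & Lab's",
  oauth_consumer_key: 'demo-key', oauth_signature_method: 'HMAC-SHA1',
  oauth_timestamp: '1700000000', oauth_nonce: 'n-123', oauth_version: '1.0',
};
sample.oauth_signature = sign('POST', LAUNCH_URL, sample, 'abc');
console.log(verifyLaunch('POST', LAUNCH_URL, sample, 'abc'));
```

The `url` argument must be the exact launch URL the LMS signed (the public scheme and host, not the local address behind a tunnel or proxy). A complete validator also rejects stale `oauth_timestamp` values and reused `oauth_nonce` values, which this block does not do.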