Matthew White

Verifying OAuth Signature

Discussion created by Matthew White on Jul 14, 2016
Latest reply on Nov 15, 2017 by Vasco Torres

I am working to verify OAuth Signatures coming from our LTI posts.

 

 

I am looking for descriptive and detailed documentation on how I should be creating the OAuth Signature on my end. I got the basics of using HMAC_sha1. I am trying to find the doc’s describing what should EXACTLY should be hashed.

 

 

I have poked through your source code and it appears you are using a canvas specific ruby gem for creating this signature. Without me dissecting what you are doing, are there any docs out there?

 

 

In searching around I came across this resource. In a google discussion (https://groups.google.com/forum/#!topic/canvas-lms-users/JfoNmPECpqE), Brad Humphrey says, I can use this to "display the oauth base string before it is hashed.” Is this still accurate?

https://lti-tool-provider.herokuapp.com/

 

 

This issue refers to some spec docs, but I have not been able to locate those.

https://github.com/instructure/canvas-lms/issues/600

 

 

Any help and direction would be much appreciated.

Outcomes