Matthew White

Verifying OAuth Signature

Discussion created by Matthew White on Jul 14, 2016
Latest reply on Apr 10, 2020 by Nan Schutz

I am working to verify OAuth Signatures coming from our LTI posts.



I am looking for descriptive and detailed documentation on how I should be creating the OAuth Signature on my end. I got the basics of using HMAC_sha1. I am trying to find the doc’s describing what should EXACTLY should be hashed.



I have poked through your source code and it appears you are using a canvas specific ruby gem for creating this signature. Without me dissecting what you are doing, are there any docs out there?



In searching around I came across this resource. In a google discussion (!topic/canvas-lms-users/JfoNmPECpqE), Brad Humphrey says, I can use this to "display the oauth base string before it is hashed.” Is this still accurate?



This issue refers to some spec docs, but I have not been able to locate those.



Any help and direction would be much appreciated.