AnsweredAssumed Answered

Grade Passback

Question asked by Zbynek Dusatko on Mar 28, 2018
Latest reply on Oct 11, 2018 by Bruce Smith

Hello,

I am following Canvas Dev tutorial for LTI https://canvas.instructure.com/courses/785215/assignments/2233114?module_item_id=4761766 and I finally got to passing grade back from provider to Canvas. Now the signing process gets confusing, the tutorial says this quote:

 

"What you'll sent back to the learning platform is a POST request where the body is XML ( hey look, a nice little builder utility to get you started!) with a Content-Type header of of application/xml, signed using OAuth header signatures based on the same consumer key and shared secret you used to authorize the initial launch. Note: this is different than the way you received parameters from the learning platform since those all came across as POST multipart/form parameters, but you'll instead be sending auth information using the Authorization header, something along the lines of OAuth realm="http://sp.example.com/",oauth_consumer_key="0685bd9184jfhq22",oauth_token="ad180jjd733klru7",oauth_signature_method="HMAC-SHA1",oauth_signature="wOJIO9A2W5mFwDgiDvZbTSMK%2FPY%3D",oauth_timestamp="137131200",oauth_nonce="4572616e48616d6d65724c61686176",oauth_version="1.0"."

 

Unfortunately it gives me 401 not authorized response with my configuration. I have a couple of questions:

 

1. Is it what follows OAuth just plain text with comma separated parameters?


2. If yes (according to OAuth Core 1.0 it looks like it is) do I always include empty oauth_token="" when I don't have one? 

 

3. Also do I include all parameters I get from LTI launch or just the above realm plus anything starting with "oauth_"?

 

4. In regards to signing XML POST body I am trying to do HMAC-SHA1 signature with LTI shared secret (I don't see consumer key requirement) and then adding it as another parameter 
oauth_body_hash="my HMAC-SHA1 signature" to above authorization header.
Is this correct? According to this draft OAuth Request Body Hash  it should be only SHA1 signature.

I am sorry for this long question. It just shows I might have a lot of misunderstanding. Also if anybody knows some node.js library for this whole thing it would awesome (I found only for HMAC signature).

 

Thanks for any advice,

Zbynek

 

 

Outcomes