I used https://lti-tool-provider.herokuapp.com/ to test an OAuth request between Canvas and our server. The URL I am hitting is https://localhost/authorization/lti?action=true. My question is why do query string parameters get added to the POST body?
This is causing our signature validation to fail as the two requests do not match. When we check for equality for the two signatures the one from the LTI Tool Provider Test has one parameter action=true while when the server constructs the signature it has two action=true (one from the POST body and one from the query string). I have not had this problem when constructing LTI requests with Moodle or Blackboard.
Why does Canvas add query string parameters to the POST body? Am I doing something wrong on my end?
Thank you for your help!