Celebrate Excellence in Education: Nominate Outstanding Educators by April 15!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Community
- Groups
- Canvas Developers Group
- Forum
- LTI OAUTH 1.0 Signature Mismatch
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Found this content helpful? Log in or sign up to leave a like!
LTI OAUTH 1.0 Signature Mismatch
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-06-2018
08:45 AM
Hi,
I created an LTI application with .Net. I have tried different libraries to create OAuth 1.0 signature, but it never matches with the one comes from Canvas. I checked it with this tool: http://lti.tools/oauth/ and it matches with the OAuth signature I generated, however not with the "signature" parameter comes from Canvas.
URL: https://localhost:44397/default.aspx
Consumer Key: orhun-123
Shared Secret: orhun-123
Nonce: nYrB8fqYrLsKd4Q1QharrvjBYb9zj03unlAU7urXg
Timestamp: 1536243035
Generated signature: Iyxdh5swIDAro/K7WbUWAjhOUI0=
Signature comes from Canvas: z2tzUWURgkf6m56L7wrUyqe50wE=
Currently, I am using this code to generate the OAuth signature:
Thank you,
Solved! Go to Solution.
1 Solution
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
01-03-2023
12:23 PM
Ok, i see now a few things. It looks like I need to have a space in the value for lis_person_name_full. It also looks like the page=lti needs to be added into the set of parameters. Additionally, it appears I was mistaken on how the keys need to be used (per your entries into the tool, the resulting hash string should just be 'clkey12345&'. Thank you so much for your help! With this I info I should be able to fix my implementation.
27 Replies
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-10-2018
03:14 PM
What is your tool's URL, as entered in Canvas?
Above, have you listed all of the parameters you are receiving from Canvas? Are you using all of them?
Some of the compulsory oauth ones seem to be missing, eg., oauth_signature_method, oauth_version. And then there are all the other ones, eg, lti_version, context_id, lis_person_name_full, roles, ... ... ...
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-11-2018
11:39 AM
Hi Peter,
Thanks for the response. I just figured out the problem. There was a couple of things I was missing; the first thing; I didn't know that I should use all of the parameters(except oauth_signature) sent to the launch url to create the signature base. And the second thing was just an encoding issue.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-17-2018
01:14 PM
What was the issue with encoding? Did you have to change something on your code/call? I am having a similar issue but it works with a development server, but not a production server. Trying to figure out if there is an encoding issue.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-19-2018
03:38 PM
Hi Jonathan,
For me, the problem was creating the signature base
To create the Signature Base:
1- Get all of the parameters except "oauth signature" sent by Canvas with POST from the launch.
2- I made a loop for each parameter, and encode only Key and Values, they look like this: encodedKey=EncodedValue. I don't know which language you are using but, in c# it looks similar to this:
$"&{Uri.EscapeDataString(key)}={Uri.EscapeDataString(value)}
3- Sort them alphabetically with the Key names(&Key=Value)
4- Create a string from this list, and Encode this string one more time(the whole string).
5- Add the string you created to "POST&{Your Launch Url}&{The string you just created}"
After these, you will just create the signature with using this signature base which is the standard way. I hope this will help.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-09-2019
03:36 PM
Your post was extremely helpful, but missing one crucial part: the way to generate the Key used in HMACSHA1 encoding is $"{Secret}&" where Secret is from the Key and Secret that you use to create the LTI tool in canvas. You don't have to put anything else there.
When I was researching this topic I somehow missed this and tried to put $"{Secret}&{Key}" in there, but the Key is unnecessary.
(Grain of Salt: This is using the .NET Core 3.0 library System.Security.Cryptography.)
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-04-2020
07:01 AM
Hey, I followed your all instruction steps, but the signatures are not getting matched.
The canvas provided signature and my signatures are totally different.
Can you please little bit elaborate with an example, hope it may help.
Thanks in Advance.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-15-2020
03:31 AM
Were you able to generate the correct oauth_signature from your end?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-15-2020
05:01 AM
In case it helps, you can check an OAuth signature using a tool like the one at http://lti.tools/oauth. Note also that, when your launch URL includes query parameters, Canvas does not generate a correct signature unless the oauth_compliant property has been set to true in the app configuration (see https://canvas.instructure.com/doc/api/file.tools_xml.html).
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-20-2022
11:00 AM
Greetings, I'm also having an issue with generating a matching oauth signature to interface with canvas. As I'm understanding it, we're getting the oauth_signature back from canvas as part of the POST request, and we should be able to regenerate that same oauth_signature using the process outlined in orhunk90's solution above.
I'm trying to implement this integration in javascript. Does anyone know of anything special I might be missing for a javascript implementation of this Oauth1.0 with LTI1.0 integration? Many thanks.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-20-2022
11:18 AM
Canvas will only generate a signature which complies with the OAuth 1 spec if you set the tool's "oauth_compliant" property to "true". Without this, any URL which includes a query parameter will have an invalid signature. And even with this any query parameter which comprises just a name (no value or equals sign) will cause Canvas to generate an invalid signature.
HTH.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-20-2022
11:28 AM
Thank you so much for clarifying. I'm not clear on how to set the oauth_compliant property to true. Is this something that is handled from the Canvas User Interface as an Admin Account? Thanks again.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-20-2022
11:32 AM
I think the only way to set this property is via the XML configuration of the tool - see https://unh.instructure.com/doc/api/file.tools_xml.html. I also believe there is no way of checking the current value of this property.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-22-2022
08:25 AM
Ok, thank you for clarifying. I think I've set the oauth_compliant field to true now. To confirm, when this field is set, would we still expect the generated hash to match a hash generated by a tool like one at http://lti.tools/oauth?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-22-2022
08:31 AM
Yes, I would expect the signatures to match, unless your URL has a query parameter which comprises just a name (no value or equals sign).
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-22-2022
09:02 AM
Fantastic, thank you for sharing your knowledge on this! It is appreciated!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-27-2022
03:39 PM
Hmm, i've reached the point where the signature i'm generating is matching with what the external tool generates, but i'm still not managing to match my signature with the one canvas generates. I've got the oauth_compliant field set to true using the xml paste option when I add the external tool, and I've verified that I'm not sending any incomplete query parameters. Are you aware of any other gotchas that would lead to Canvas returning an invalid signature here? Thank you so much!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-28-2022
01:13 AM
One thing I've hit in validating LTI OAuth 1.0 signatures before is when you have a proxy in-front of your application server that handles HTTPS termination and then forwards the request onto your application server over HTTP. Unless you configure your application server to pull through the request URL from an additional HTTP header you can end up with a different signature to the one Canvas generated.
This doesn't seem to be what's wrong in your case as you say your manually calculated signature matches what your code is generating. However it might be worth just checking. There's an article from Microsoft about this that might be useful: https://learn.microsoft.com/en-us/aspnet/core/host-and-deploy/proxy-load-balancer?view=aspnetcore-3....
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-28-2022
12:56 AM
I am not aware of any other reasons which might cause this signature issue. Are you able to share an example message (including the full URL, POST data parameters and shared secret used to sign it) so that I can take a closer look?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
01-03-2023
09:44 AM
Yes, thank you! So how things are set up right now, we're setting up a button in canvas that when we push it, we should be interacting with our external application.
the resulting page that I end up on after pressing the button has the full URL "https://leep-syl-canvas-preview.dev7.leepfrog.com/ribbit/?page=lti". I think this is the proper url to be using when constructing my base string, but i've also tried using the url where the button appears in canvas.
I'm attaching my logging output, which displays each parameter in the request. The param string and base strings are constructed and displayed. Then the hash string being used is displayed (clkey1234&clkey12345).
The signature is being generated by calling an hmac-sha1(baseString, hashString) function, and the resulting signature is matching the signature from lti-tools/oauth/, however we are not matching the oauth_signature value that comes from canvas.
I'm also including a screenshot of the xml i'm using to add the external tool to canvas. The xml is pretty much just what we see as the example in getting the oauth_compliant field set to true, but I don't believe I have a way to confirm that oauth_compliant is actually being set to true.
Sorry about the wall of text on this. Please let me know if you need any further information! Thanks again!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
01-03-2023
10:17 AM
Thanks for the details. So are you saying that Canvas has been configured with a consumer key of "clkey1234" and a shared secret of "clkey12345" and a launch URL of "https://leep-syl-canvas-preview.dev7.leepfrog.com/ribbit/?page=lti" for the link being used?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
01-03-2023
10:30 AM
Yes, thank you for confirming. I'm setting the key values manually in canvas when I add the external tool, and the launch url is set from the xml file.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
01-03-2023
10:38 AM
I have been able to confirm the correctness of the OAuth signature being sent by Canvas using the site at http://lti.tools/oauth. So I believe any error must lie at your end. For example, make sure that you are URL-decoding any parameter values (and names).
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
01-03-2023
10:50 AM
Thank you for checking that. This doesn't match with my experience on my end. When I plug in the info for the request to the tool at lti.tools/oauth the generated signature does not match the signature that comes from canvas (the oauth_signature parameter), but does match the signature that I generate on my end labeled as Generated OAuth 1.0 Hash Signature in the .txt file i'd attached.
Am I understanding correctly that when you plug in my parameters to the lti.tools/oauth tool, your resulting signature matches the oauth_signature provided from canvas?
If so, could you please include a screenshot of your inputs at the top of the tool?
Thanks again for taking a look, it is greatly appreciated!
Am I understanding correctly that when you plug in my parameters to the lti.tools/oauth tool, your resulting signature matches the oauth_signature provided from canvas?
If so, could you please include a screenshot of your inputs at the top of the tool?
Thanks again for taking a look, it is greatly appreciated!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
01-03-2023
11:28 AM
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
01-03-2023
12:23 PM
Ok, i see now a few things. It looks like I need to have a space in the value for lis_person_name_full. It also looks like the page=lti needs to be added into the set of parameters. Additionally, it appears I was mistaken on how the keys need to be used (per your entries into the tool, the resulting hash string should just be 'clkey12345&'. Thank you so much for your help! With this I info I should be able to fix my implementation.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
04-30-2023
02:36 PM
Hey everyone, I have been following this thread in search of answers, and while I have managed to make my way through the signature process, I am officially blocked. I am currently using http://lti.tools/oauth/ to test the params I receive from Canvas, but I still get a different signature after inputing these details. From reading this post, here is what I have changed:
1. I removed all plus symbols from strings that have spaces, I read this from @NickStarr solution post
2. I have also made sure to remove any /' symbols as well
If I could get the signature to match in http://lti.tools/oauth/ , I think I'll be able to fix my algo and cater it to how @orhunk90 has laid out. I am using JavaScript to accomplish this. Could please help?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
04-30-2023
03:17 PM
Okay, I believe I have figured it out. When inputing params in http://lti.tools/oauth/, be sure to add the spaces back that were included as "+" symbols. For example, "word+word+" would be "word word {space}". This was my problem. Hope this also helps!
Community Help
View our top guides and resources:
Find My Canvas URL Help Logging into Canvas Generate a Pairing Code Canvas Browser and Computer Requirements Change Canvas Notification Settings Submit a Peer Review AssignmentTo participate in the Instructure Community, you need to sign up or log in:
Sign In