How to validate the LTI basic launch request

Veeresh Digasangi

Sep 7, 2020, 1:16:13 AM
to Canvas LMS Users

Hello Folks,

I'm trying to validate the basic LTI launch request using the secret shared with the vendor and the payload received in the LTI launch request.

The steps I have done so far are:

1. Remove the oauth_signature key and value from the received payload (POST LTI launch request). Consider all keys and values except oauth_signature.

2. Sort the keys of the payload in ascending order 

       var obj=sortPayload(req.body);

3. Generate a string from each encoded key and encoded value in a loop, for example:

       var str = '';

       for (const key in obj) 
          str += `${encodeURIComponent(key)}=${encodeURIComponent(obj[key])}`;
 
4. Merge the str string with the HTTP method name POST and the LTI launch URL, for example:

       var text = encodeURIComponent(`POST&https://b84eds2d9s3f.ngrok.io/lti&${encodeURIComponent(str)}`)

5. Generate the SHA-1 hash with the secret key and the text from step 4 (assume "abc" is the secret key):

       var hash = crypto.createHmac('sha1', "abc").update(text).digest('hex');

6. Generate a base64 string from the hash created in step 5:

       hash = Buffer.from(hash).toString('base64');

Now the hash string is a locally created signature, but this signature and the Canvas signature are mismatched.
How do I validate my LTI launch request? Is this the right way to validate the signature?
I have used Node.js/Express.js to build the LTI tool.

Graham Ballantyne

Sep 7, 2020, 2:06:38 AM
to canvas-l...@googlegroups.com
I highly recommend using a library for this. https://github.com/sfu/ims-lti (a fork of the original, which seems abandoned). 
– 
Graham Ballantyne 
Senior Software Engineer | IT Services 
Simon Fraser University | Strand Hall 1001 
8888 University Dr., Burnaby, B.C. V5A 1S6 
604-837-6698  | gra...@sfu.ca
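
The signature check the question asks about, as an added example that is not part of the original thread or of the ims-lti library: it follows the OAuth 1.0 HMAC-SHA1 rules (RFC 5849) that LTI 1.1 basic launches use. The function names, the tool.example URL and the sample launch body are constructed for illustration, and it assumes each parameter appears once and the launch URL carries no query string.

```javascript
const crypto = require('crypto');

// RFC 5849 section 3.6 percent-encoding: encodeURIComponent leaves ! * ' ( ) unescaped.
const enc = (s) => encodeURIComponent(s).replace(/[!*'()]/g,
  (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());
const cmp = (a, b) => (a < b ? -1 : a > b ? 1 : 0);

// Base string: METHOD & enc(url) & enc("k1=v1&k2=v2..."), with pairs encoded, then sorted.
function signatureBaseString(method, url, params) {
  const pairs = Object.entries(params)
    .filter(([k]) => k !== 'oauth_signature')
    .map(([k, v]) => [enc(k), enc(String(v))])
    .sort((p, q) => cmp(p[0], q[0]) || cmp(p[1], q[1]));
  const normalized = pairs.map(([k, v]) => `${k}=${v}`).join('&');
  return [method.toUpperCase(), enc(url), enc(normalized)].join('&');
}

// HMAC key is "consumerSecret&tokenSecret"; LTI launches have no token, so it ends in "&".
function sign(method, url, params, consumerSecret, tokenSecret = '') {
  const key = `${enc(consumerSecret)}&${enc(tokenSecret)}`;
  return crypto.createHmac('sha1', key)
    .update(signatureBaseString(method, url, params))
    .digest('base64'); // base64 of the raw 20-byte MAC, not of its hex text
}

// Recompute the signature from the POST body and compare in constant time.
function verifyLaunch(method, url, body, consumerSecret) {
  const expected = Buffer.from(sign(method, url, body, consumerSecret));
  const received = Buffer.from(String(body.oauth_signature || ''));
  return expected.length === received.length && crypto.timingSafeEqual(expected, received);
}

// Constructed sample launch (not real Canvas data); "abc" is the secret assumed in the question.
const sampleUrl = 'https://tool.example/lti';
const sampleBody = {
  lti_message_type: 'basic-lti-launch-request', lti_version: 'LTI-1p0',
  resource_link_id: 'res-1', roles: "Instructor (TA's)",
  oauth_consumer_key: 'key', oauth_signature_method: 'HMAC-SHA1',
  oauth_timestamp: '1599459373', oauth_nonce: 'n0nce', oauth_version: '1.0',
};
sampleBody.oauth_signature = sign('POST', sampleUrl, sampleBody, 'abc');
console.log(verifyLaunch('POST', sampleUrl, sampleBody, 'abc'));
```

A complete LTI 1.1 validation also rejects stale oauth_timestamp values and reused oauth_nonce values; that replay check is not shown here.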

