Sharebar?

OAuth Message Signing of the Outcomes Service when using an URL with query parameters

OAuth Message Signing of the Outcomes Service when using an URL with query parameters

Hello,

After using LTI (as a consumer) for a while now we came up with some problems with the message signing in the outcomes service. With some tool providers everything works great and some tool providers will get a 401 stating that the signatures do not match. After some investigation we pinpointed the problem. Some of the tool providers sign the message with the URL query parameters and some exclude the URL query parameters when signing the message. Even the known libraries do it differently. The LTI Test Suite at http://lti.tools/test/tp.php signs with the URL query parameters and a well known .net library https://github.com/andyfmiller/LtiLibrary deliberately signs without (explanation here https://github.com/andyfmiller/LtiLibrary/issues/14).

So the question is: Should the URL query parameters be used in the message signing when doing a post to the outcomes service?

Regards,

Martijn van den Berg