
Different OAuth Signature Algorithms for v1 and v2


There appears to be a difference between how a signature is generated for LTI v1.x and LTI v2.x. While performing the tests for v2, I noticed that I had to first decode and then encode parameters when creating the normalized parameters string. Without decoding first, the tests would fail. If, however, I did decode the parameters first, all tests would pass successfully.

While performing the tests for v1, I noticed that I could not decode the parameters then re-encode them. Decoding first resulted in the tests failing. I confirmed this by comparing the base string expected by the test suite with the one I generated. However, reverting back to not decoding the parameters first resulted in LTI v2 tests failing again.

I'm not quite sure how to resolve this problem. I do not want to have my OAuth algorithm dependent on the LTI version, but it appears this may be the only solution. Suggestions?

StephenVickers

Re: Different OAuth Signature Algorithms for v1 and v2

There should certainly not be a difference here. All the code I am aware of uses the same methods to sign and verify signatures for both versions of LTI; the only difference is the value of the lti_version parameter. I think I would need to see some examples to illustrate the differences you are seeing. When verifying a signature (which is what I assume you are doing as a tool provider) you will always need the raw, unencoded parameter values in order to generate the signature. Have you tried checking the signatures using a site like lti.tools/oauth to determine whether you are receiving an invalid signature? (This site also provides a useful step-by-step description of the signing process.) If the signature received is valid then the issue must lie with your code - are you using a standard OAuth library?

Have you experienced this issue with any system other than the certification suite?  For example, do you have the same issue when launching from the test site at lti.tools/test?

Re: Different OAuth Signature Algorithms for v1 and v2

I found what was causing the problem. It wasn't the test suite or the OAuth algorithm. The environment we use has middleware that modifies requests automatically before the endpoint actually gets hold of the request; specifically, it attempts to decode parameters, and this was affecting how the OAuth library received the parameters. I just had to make an adjustment to this middleware and OAuth is now working on both versions of LTI. I also tested it with lti.tools to confirm it's working as expected now.
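
The failure mode resolved in this thread can be reproduced in a few lines. This is an added example, not code from the posters or from any LTI library: it builds the OAuth 1.0 (RFC 5849) HMAC-SHA1 signature over the once-decoded launch parameters and shows that a second decoding pass breaks verification only when a value contains a literal percent sequence. The URL, key, secret, parameter values and the `over_decoding_middleware` function are constructed for illustration.

```python
import base64, hashlib, hmac
from urllib.parse import quote, unquote

URL, SECRET = "https://tool.example/launch", "secret"  # constructed sample values

def pct(s):
    # RFC 5849 section 3.6: everything except unreserved characters is encoded
    return quote(s, safe="-._~")

def base_string(method, url, params):
    # Input is the raw (decoded exactly once) values; each is encoded exactly once here
    pairs = sorted((pct(k), pct(v)) for k, v in params.items()
                   if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret=""):
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def verify(method, url, params, consumer_secret):
    expected = sign(method, url, params, consumer_secret)
    return hmac.compare_digest(expected, params.get("oauth_signature", ""))

def signed_launch(extra):
    # What a tool consumer would send, shown after the single correct decode
    params = {"lti_version": "LTI-1p0",
              "lti_message_type": "basic-lti-launch-request",
              "oauth_consumer_key": "key", "oauth_nonce": "n-0001",
              "oauth_timestamp": "1700000000", "oauth_version": "1.0",
              "oauth_signature_method": "HMAC-SHA1", **extra}
    params["oauth_signature"] = sign("POST", URL, params, SECRET)
    return params

def over_decoding_middleware(params):
    # Hypothetical middleware: percent-decodes values that were already decoded
    return {k: unquote(v) for k, v in params.items()}

# A title whose decoded value literally contains "%2F" is altered by a second decode
tricky = signed_launch({"resource_link_title": "Unit 3%2F4 review"})
plain = signed_launch({"resource_link_title": "Unit 3 review"})

if __name__ == "__main__":
    for name, p in (("plain", plain), ("tricky", tricky)):
        print(name, verify("POST", URL, p, SECRET),
              verify("POST", URL, over_decoding_middleware(p), SECRET))
```

A verifier that behaves differently between two sets of test launches is worth checking this way: compare the parameter values the signature code receives against the raw request body before suspecting the signing algorithm.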