LTI 1.0 signing not up to specs for hmac-sha1 #82

Open
eweitnauer opened this issue Oct 22, 2018 · 23 comments
Comments

@eweitnauer
The oauth1 specs state that the consumer secret and token need to be parameter encoded before passing them to hmac-sha1 for signing:

[...] the key is the concatenated values (each first encoded per Parameter Encoding) of the Consumer Secret and Token Secret, separated by an '&' character (ASCII code 38) even if empty.

In provider.coffee and hmac-sha1.coffee however, the consumer secret is passed directly to the signing algorithm without encoding it first.

This means that if the shared secret includes characters that should be encoded (e.g., "secret!key"), the signature test will fail for a correctly signed message.

@staufman
Assumption: I'm guessing no one is actively maintaining this project.

This isn't really a good long term fix but I have forked this repo and fixed the issue mentioned here. You can find that repo here:

https://github.com/TiledCo/ims-lti

In my project's package.json I'm just referring to this repo's master branch. As I find issues, I'll continue adding the fixes there.

If the maintainer of this project wants to start accepting PRs and publishing to npm again, let me know and I'm happy to fix these things the right (TM) way.

@MahmoudAbdo90
MahmoudAbdo90 commented Nov 21, 2019

@staufman Hey man, I am trying to implement the LTI login as a provider but for v1.3. Is the code in the repo you mentioned above still compatible with that version? If you have an updated example I will really appreciate it, as I am trying to find an example that shows best practices but it's so hard to find anything about this topic.

@staufman
@MahmoudAbdo90 Unfortunately, I haven't had a chance to try with v1.3 but unless the changes to the spec are breaking, I imagine it should work. Let me know if you have any issues and I can try to help as time presents itself.

@MahmoudAbdo90
@staufman It's a brand new topic to me. I tried this package out today, but did not test it yet. Is there any tool I can use to send POST requests to our platform as if we received them from an educational institution through IMS LTI? Not sure if this piece of code would be enough and compatible with v1.3, as the difference is not really clear.

Thanks man for offering the help, appreciate it

@staufman
@MahmoudAbdo90 This is the tool I used to do all my testing: https://lti.tools/saltire (you can test both the provider and consumer). I can't say for sure if this implements the new 1.3 spec but once I got things working here, consumers like Canvas and Bridge worked out of the box with my provider.

@MahmoudAbdo90
MahmoudAbdo90 commented Nov 22, 2019

@staufman Thanks so much man, the only thing that I am not sure of is whether the request I will be getting is JWT based or OAuth1. The package here deals with OAuth, but I think v1.3 is JWT based; it's not really clear.

@staufman
@MahmoudAbdo90 Ahh I see. Well, my advice would be to check what the consumer you're primarily implementing for uses. If they are using 1.3 (it should be clear from the OAuth payload post auth), then you should have your answer. If it is 1.3, unfortunately, you'll probably need to spend some time asking lots of questions of whatever tool you're integrating with. For something as straightforward-seeming as LTI, it's incredibly complicated due to lack of documentation so don't get discouraged!

@MahmoudAbdo90
MahmoudAbdo90 commented Nov 22, 2019

@staufman You've said it all, most likely this is what I will be doing. Thanks for your help, wish you a good weekend.

@Cvmcosta
@MahmoudAbdo90 So I'm just going to shamelessly self-plug here. I've been working on a similar library but focused on LTI 1.3 and I think that maybe it can help. Right now it's already pretty solid and I am maintaining it constantly. Feel free to check it out if you find it interesting: LTI.JS

@MahmoudAbdo90
@Cvmcosta Thanks for your suggestion, I think I can try it out, but I would like to ask if you ever tried it out with Canvas? I am looking for the best way to send actual requests in a test environment from Canvas to my app. Do you have any idea?

@Cvmcosta
@MahmoudAbdo90 Canvas is a bit complicated because their LTI 1.3 implementation is not yet complete, and is lacking documentation. And I am not sure their LTI 1.3 currently works with self-hosted versions of Canvas (the only way I can have access to it).
Despite that, I have seen some people using my library successfully with Instructure-hosted versions of Canvas.
If you want to try it out I would be fully available to offer support and try to assist you, even though I don't think I can test it out by myself at the moment.

@MahmoudAbdo90
@Cvmcosta If you can help me out with some tips to test it out with Instructure-hosted versions of Canvas, I would really appreciate it, because it indeed lacks documentation.

@Cvmcosta
@MahmoudAbdo90 Sure, here is some of the documentation I could find in the Canvas docs about LTI 1.3 that helped me back when I was trying to set it up:

Introduction
Setting up LTI key on canvas
Setting up external app on canvas
Initial configuration
OAUTH endpoints

So, basically, these links will give you most of the necessary information to register the Canvas platform on ltijs.
Your registration method should look something like this:

// Register Canvas as a platform in ltijs; clientId and name are placeholders
// to be replaced with the values from your Canvas developer key.
let plat = await lti.registerPlatform({
  url: 'https://canvas.instructure.com',
  name: 'Platform Name',
  clientId: 'TOOLCLIENTID',
  authenticationEndpoint: 'https://canvas.instructure.com/api/lti/authorization_redirect',
  accesstokenEndpoint: 'https://canvas.instructure.com/login/oauth2/token',
  authConfig: { method: 'JWK_SET', key: 'https://canvas.instructure.com/api/lti/security/jwks' }
})

@MahmoudAbdo90
@Cvmcosta Thanks man, I've been looking into your package; it seems like a great help after all.
But one last thing: I saw in all Canvas documents that if you want to have the clientId and issue a developer key, you have to be an admin. Do you have any idea what I have to do to avoid this scenario?

@Cvmcosta
@MahmoudAbdo90 Happy to help!

Regarding the admin situation, I don't know any way to bypass this requirement :/ . Maybe in the Canvas forum they can let you know if there is a solution.

@MahmoudAbdo90
@Cvmcosta But when you navigate to your profile in Canvas, you can see that you are admin. Or are you involved in any kind of educational institution and they gave you this privilege?

@Cvmcosta
@MahmoudAbdo90 I am admin because my Canvas is self-hosted, so I gave myself admin privileges.

@MahmoudAbdo90
@Cvmcosta
I am trying to get it working as self-hosted but I could not figure it out!

@Cvmcosta
@MahmoudAbdo90 Don't you have any admin credentials? You create them during the setup process of Canvas.

@MahmoudAbdo90
@Cvmcosta Can you send me a link so I can set it up from the very beginning? Maybe it will work that way.

@Cvmcosta
@MahmoudAbdo90 This is the tutorial I used to set up Canvas:
Canvas Setup

@MahmoudAbdo90
@Cvmcosta
Sorry, I misunderstood. I am working on that already; I will try out your package and I will get back to you with feedback.

Thanks for your help 👍

@Cvmcosta
@MahmoudAbdo90 Happy to help. Feel free to open an issue with any doubt you may have.