Comments (15)
It looks like oauth_body_hash is required by the LTI spec (http://www.imsglobal.org/LTI/v1p1/ltiIMGv1p1.html#_Toc319560469), so this should definitely be added.
I believe the method used to generate the oauth_body_hash must be the same as the algorithm in oauth_signature_method. In the commit that you linked, it looks like you're using SHA1 instead of HmacSHA1 in order to generate the oauth_body_hash.
When you say it 'breaks signing,' do you mean that Sakai/Moodle rejects the request based on an incorrect oauth_body_hash, or is it something else?
from basiclti-util-java.
I was able to get through oauth_body_hash validation, so I believe the parameter was not being included in the oauth_signature calculation. (It also made Canvas start rejecting the request, so I'm fairly sure.)
from basiclti-util-java.
I was dead wrong about the oauth_body_hash algorithm to use. Keep using SHA1. (http://oauth.googlecode.com/svn/spec/ext/body_hash/1.0/oauth-bodyhash.html#anchor3)
If the oauth_signature does not include the oauth_body_hash, I would regard it as a bug with oauth-signpost. I'll do some digging as to whether this is actually the case.
Do Moodle and Sakai accept your requests that include oauth_body_hash while Canvas rejects them?
from basiclti-util-java.
I haven't tested against Moodle, but Sakai gave me "Failed to validate: signature_invalid".
from basiclti-util-java.
(It had previously been giving me "Did not find oauth_body_hash", then "Body hash does not match header", as I got it figured out.)
from basiclti-util-java.
And yes, I suspect you're right that it's a bug in oauth-signpost.
from basiclti-util-java.
Perhaps I should just drop the signpost dependency and roll my own, as in https://developer.mastercard.com/portal/display/api/Java+OAuth+Sample+Code .
from basiclti-util-java.
Is anyone going to fix this? I just ran into the same issue where oauth_body_hash is not calculated in the request header.
from basiclti-util-java.
Hi @kejd315, thanks for your interest in basiclti-util-java.
It would be useful to hear a bit more about how you're using this library, and where exactly it's breaking in order to help you.
What version are you currently using? Which method are you using to send POX results to the consumer? Are you also implementing against Sakai?
In recent versions, there have been measures added to allow clients to override the default signing implementation, if you choose to use your own.
from basiclti-util-java.
I am using sendReplaceResult() from https://github.com/IMSGlobal/basiclti-util-java/blob/master/src/main/java/org/imsglobal/pox/IMSPOXRequest.java
The method doesn't generate oauth_body_hash in the request header.
from basiclti-util-java.
I've submitted a pull request for the issue, @kejd315. Sorry for the trouble.
from basiclti-util-java.
If you're curious, @pfgray, the only problem with my previous patch was that I had to URL-encode the hash value. Embarrassing.
from basiclti-util-java.
This is great news. Regarding the body hash algorithm SHA1 you use, should it be HMAC-SHA1 according to LTI 1.1 spec?
from basiclti-util-java.
Thanks for the review! The oauth body hash extension specifies an unkeyed hash algorithm: https://oauth.googlecode.com/svn/spec/ext/body_hash/1.0/oauth-bodyhash.html#unkeyed
On Jan 29, 2015 7:16 PM, "kejd315" [email protected] wrote:
This is great news. Regarding the body hash algorithm SHA1 you use, should it be HMAC-SHA1 according to LTI 1.1 spec?
from basiclti-util-java.
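The three points this thread settles, as an added Java example that is not code from basiclti-util-java or oauth-signpost: the body hash is an unkeyed SHA-1, it must be among the parameters that HMAC-SHA1 signs, and its Base64 value (which can contain `+`, `/` and `=`) must be percent-encoded in the header. The class name, URL, key, secret and body are constructed placeholders; the sketch assumes unique parameter names, no token secret and no query string on the URL.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import java.util.TreeMap;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class BodyHashSigningExample {
    // OAuth 1.0 percent-encoding (RFC 3986 unreserved set); URLEncoder alone is form encoding.
    static String enc(String s) throws Exception {
        return URLEncoder.encode(s, "UTF-8").replace("+", "%20").replace("*", "%2A").replace("%7E", "~");
    }

    // oauth_body_hash: unkeyed SHA-1 over the raw body bytes, Base64-encoded (no HMAC, no secret).
    static String bodyHash(byte[] body) throws Exception {
        return Base64.getEncoder().encodeToString(MessageDigest.getInstance("SHA-1").digest(body));
    }

    // HMAC-SHA1 over the signature base string; params must already contain oauth_body_hash.
    static String sign(String method, String url, Map<String, String> params, String secret) throws Exception {
        TreeMap<String, String> sorted = new TreeMap<>();
        for (Map.Entry<String, String> e : params.entrySet()) sorted.put(enc(e.getKey()), enc(e.getValue()));
        StringBuilder norm = new StringBuilder();
        for (Map.Entry<String, String> e : sorted.entrySet())
            norm.append(norm.length() == 0 ? "" : "&").append(e.getKey()).append('=').append(e.getValue());
        String base = method + "&" + enc(url) + "&" + enc(norm.toString());
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec((enc(secret) + "&").getBytes(StandardCharsets.UTF_8), "HmacSHA1"));
        return Base64.getEncoder().encodeToString(mac.doFinal(base.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        byte[] body = "<imsx_POXEnvelopeRequest/>".getBytes(StandardCharsets.UTF_8); // constructed body
        Map<String, String> p = new TreeMap<>();
        p.put("oauth_consumer_key", "example-key");        // constructed values
        p.put("oauth_nonce", "n-0001");
        p.put("oauth_timestamp", "1422576000");
        p.put("oauth_signature_method", "HMAC-SHA1");
        p.put("oauth_version", "1.0");
        p.put("oauth_body_hash", bodyHash(body));          // added before signing, so the signature covers it
        p.put("oauth_signature", sign("POST", "https://lms.example/outcomes", p, "example-secret"));
        StringBuilder header = new StringBuilder("OAuth ");
        for (Map.Entry<String, String> e : p.entrySet())   // every value percent-encoded, including the hash
            header.append(header.length() > 6 ? ", " : "").append(e.getKey()).append("=\"").append(enc(e.getValue())).append('"');
        System.out.println("Authorization: " + header);
    }
}
```

A receiver recomputes `bodyHash` over the bytes it actually received, compares it with the decoded header value, and then verifies the signature over the same parameter set, which is what binds the body to the signed request.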
Thanks for your quick response. This looks good!
from basiclti-util-java.