How to authenticate an LLL launch request
I have created an LTI tool that I integrate with moodle. I created a client key and secret, but I'm not sure how to check (authenticate) the launch request.
Here is the raw request I receive, so I am assuming that I need to authenticate the oauth_signature to authenticate the request. I came across some examples, but I need the oauth token, but it is not returned in the launch request.
I would really appreciate any help!
POST http://ltitest.cloudapp.net/launch HTTP/1.1
Host: ltitest.cloudapp.net
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://demo.moodle.net/mod/lti/launch.php?id=7
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 1296
oauth_version=1.0&oauth_nonce=d8e900f0b71e76c4b12e89681c9b5cb9&oauth_timestamp=1412987714&oauth_consumer_key=username&resource_link_id=1&resource_link_title=tool&resource_link_description=&user_id=2&roles=Instructor%2Curn%3Alti%3Asysrole%3Aims%2Flis%2FAdministrator&context_id=2&context_label=My+first+course&context_title=My+first+course&launch_presentation_locale=en&lis_result_sourcedid=%7B%22data%22%3A%7B%22instanceid%22%3A%221%22%2C%22userid%22%3A%222%22%2C%22launchid%22%3A449414780%7D%2C%22hash%22%3A%2226f6510ff6e91e1a7814805190c01a9e9d02575de135d7a1483a70626bae8782%22%7D&lis_outcome_service_url=http%3A%2F%2Fdemo.moodle.net%2Fmod%2Flti%2Fservice.php&lis_person_name_given=Admin&lis_person_name_family=User&lis_person_name_full=Admin+User&lis_person_contact_email_primary=demo%40moodle.a&ext_lms=moodle-2&tool_consumer_info_product_family_code=moodle&tool_consumer_info_version=2014051202&oauth_callback=about%3Ablank<i_version=LTI-1p0<i_message_type=basic-lti-launch-request&tool_consumer_instance_guid=demo.moodle.net&launch_presentation_return_url=http%3A%2F%2Fdemo.moodle.net%2Fmod%2Flti%2Freturn.php%3Fcourse%3D2%26launch_container%3D3%26instanceid%3D1&oauth_signature_method=HMAC-SHA1&oauth_signature=JmFLDbhi%2FstYEFTSNA%2F44biCQkM%3D&ext_submit=Press+to+launch+this+activity
source to share
I solved this a while ago and although it might come in handy for anyone looking for a solution.
Let's start by getting the oauth lib: https://www.nuget.org/packages/Microsoft.Owin.Security.OAuth/
// parse out the signature from the http req.
ProviderRequest providerRequest = new ProviderRequest();
providerRequest.ParseRequest(httpRequest, false);
String httpSig = providerRequest.Signature;
// now generate a new signature from our secret
String generatedSig = GenerateOAuthSignature(secret, req);
if( generatedSig == httpSig ){
// valid oauth request
}
Generating the OAuthSignature is part of the owin lib, but that's where the code does:
internal static string GenerateSignatureBase(string httpMethod, Uri url, NameValueCollection parameters)
{
var normalizedUrl = string.Format("{0}://{1}", url.Scheme, url.Host);
if (!((url.Scheme == "http" && url.Port == 80) || (url.Scheme == "https" && url.Port == 443)))
{
normalizedUrl += ":" + url.Port;
}
normalizedUrl += url.AbsolutePath;
StringBuilder signatureBase = new StringBuilder();
signatureBase.Append(httpMethod.ToRfc3986EncodedString().ToUpper()).Append('&');
signatureBase.Append(normalizedUrl.ToRfc3986EncodedString()).Append('&');
var excludedNames = new List<string> { OAuthConstants.SignatureParameter };
signatureBase.Append(parameters.ToNormalizedString(excludedNames).ToRfc3986EncodedString());
return signatureBase.ToString();
}
/// <summary>
/// Generates a signature using the specified signatureType
/// </summary>
/// <param name="httpMethod">The http method used</param>
/// <param name="url">The full url to be signed</param>
/// <param name="parameters">The collection of parameters to sign</param>
/// <param name="consumerSecret">The OAuth consumer secret used to generate the signature</param>
/// <returns>A base64 string of the hash value</returns>
public static string GenerateSignature(string httpMethod, Uri url, NameValueCollection parameters, string consumerSecret)
{
var signatureBase = GenerateSignatureBase(httpMethod, url, parameters);
// Note that in LTI, the TokenSecret (second part of the key) is blank
HMACSHA1 hmacsha1 = new HMACSHA1();
hmacsha1.Key = Encoding.ASCII.GetBytes(string.Format("{0}&", consumerSecret.ToRfc3986EncodedString()));
var dataBuffer = Encoding.ASCII.GetBytes(signatureBase);
var hashBytes = hmacsha1.ComputeHash(dataBuffer);
return Convert.ToBase64String(hashBytes);
}
source to share
LTI is a communication protocol defined by the IMS Global Learning Consortium that enables the secure integration of remote tools and content from tool providers (TPs) into the Tool Consumer (TC).
The signature is generated, as in OAuth 1.0, by sorting all request parameters, adding the consumer key, timestamp and nonce, and combining them together using a shared secret. You must verify the signature and invoke the requested link for an authenticated request.
In RFC 5849 you can find related documentation and examples for this.
token
A unique identifier issued by the server and used by the client
to associate authenticated requests with the resource owner
whose authorization is requested or has been obtained by the
client. Tokens have a matching shared-secret that is used by
the client to establish its ownership of the token, and its
authority to represent the resource owner.
The original community specification used a somewhat different
terminology that maps to this specifications as follows (original
community terms provided on left):
Consumer: client
Service Provider: server
User: resource owner
Consumer Key and Secret: client credentials
Request Token and Secret: temporary credentials
Access Token and Secret: token credentials
Also check this: Startup check .
source to share