-
-
Notifications
You must be signed in to change notification settings - Fork 62
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Grade ScorePublish code 400 bad request with Canvas #8
Comments
Hello, thanks for posting this issue. I've actually had a hard time getting lti 1.3 to work with canvas, last time i tried their implementation didn't seem complete. I'll take some time tomorrow morning to look into this issue and see if i can fix it or at least find out whats going wrong. |
Hello @gentlemanjohn , sorry it took me this long to follow up on this, i've been very busy. In the meantime, can you tell me how are you configuring your LTIJS? |
@Cvmcosta no problem, I've been pulled away from this the last few weeks as well. Yes, our instance is hosted by Instructure. Here is my LTI provider config:
Platform:
|
@gentlemanjohn Hello, can you tell me what public key you are using in the canvas External tool registration? If i understand correctly, Canvas accepts either a JWK Set endpoint (which LTIJS does not support yet), or a JWK key. Did you convert the RSA public key generated to JWK? |
Hey @Cvmcosta I had to set up my Canvas Developer Key again (our test instance of Canvas is reset every few weeks) and now I'm having a hard time reproducing the error. I'm getting directed to invalidToken when I try to connect. I thought I had set everything up in Canvas and LTIjs the same way, but obviously I'm doing something else wrong now. To your question: I'm not sure what you mean by In the Canvas Developer Key setup, the required "JWK Method" field will accept "Public JWK" (with corresponding text box to paste a JWK) or "Public JWK URL." I selected "Public JWK" and pasted in the following:
I'll play around some more, but hopefully that gives you some insight... |
Hi @gentlemanjohn , i think i know what is going on. This jwk key canvas requires is used to get the access token, LTIJS uses the corresponding private key to sign the request for the access token and them Canvas (any lms) uses the public key to verify that request and return the token. So now you have two options (assuming you are able to return to the state of the initial error), you can either convert the public RSA key of your platform (canvas) to jwk and pass that to canvas, or wait until i implement the jwk key set, which will take about a week. You can get the RSA key like this: lti.getPlatform('https://canvas.test.instructure.com').then(async plat => {
console.log(await plat.platformPublicKey())
}) And then you can convert that rsa key to jwk here. Use the key in the Canvas registration and let me know if it worked. Im hoping that fixes (Or at least changes) the problem :) |
I've also no luck with Grade.ScorePublish and Moodle. All I get, at best, is I'm also interested in that "Names and Role Provisioning Services" and for that I have to add a scope in the Auth.js file in
|
@haraldschilly Did you configure moodle with the public key generated by ltijs for that specific platform? |
@Cvmcosta yes, I copied over the public key I got via |
@haraldschilly Okay, please let me know how it goes. I'm working on a step by step tutorial for setting up and sending grades. |
@Cvmcosta well, I did reset and reconfigure everything, but I still get the same error. Please let me know if you have a guide ready, I would really appreciate it :-) |
@haraldschilly I wrote a tutorial on medium, here. I think the issue might be the request to the route you are using to send the grade. It needs to receive the ltik token through the query parameters. So if you are calling '/sendgrade' from the client, you should call '/sendgrade?ltik=LTIKKEY'. This key is passed to every route you call with lti.redirect, and can be retrieved in the client with:
|
Hi @Cvmcosta @haraldschilly @gentlemanjohn , I have an issue that
here when I run the server I am getting the RSA key and I converted it then configure it in the tool on Canvas. I tried to set secure to true and false but nothing is happening there. Then after
The Canvas configuration looks like this: Redirect URIs: I also tried to move Thanks |
@MahmoudAbdo90 Okay, i got it working with self hosted canvas. Launching and Grade generation are both working perfectly, later today i will comment here again detailing my setup and adapting your code to hopefully make it work. I can say right now that your issues probably also come from how you are setting up your routes ex: it would be somthing like this: You dont have to specify the domain, the configurations expect only the route portion of the url. Same thing here: it should be: and here: also, you should not register a route with the same path as the "main appUrl" route, when you assign a route to appUrl, it is handled by lti.onConnect, if you then register a route with the same path, it may cause confusion. So you should delete this bit here:
|
@MahmoudAbdo90 Small update. I went ahead and created a keyset endpoint to facilitate registration within canvas, now you dont have to convert the RSA keys anymore. I'll upload the new version and update the documentation early tomorrow (29/12), as well as write the tutorial i talked about earlier today, and maybe some docker example images. |
@MahmoudAbdo90 Okay so here is the code i think should work:
The canvas configuration should look like this: Redirect URIs: http://lvh.me:3000/lti This should get the tool to at least launch. |
@Cvmcosta Yes man, that will be great if you have an endpoint to provide the keys. Thanks man and great work |
Hi, I looked into your nice tutorial, really helpful! ... but after trying some changes in my code I'm still struggling with it just like before. Then, I copied exactly the example code of yours, did a few minor modifications, and it still fails. Essentially, the changes were:
The problem is: the I'm really wondering what's going on. Maybe I'll just get rid of the moodle setup I have and hope a new one in the next year will help 😄 🙈 |
@haraldschilly I am also facing the same thing, with Canvas and Moodle not sure what could be the reason though ! |
@haraldschilly So you're able to launch the application, you just can't send a grade right? Can you run your code in debug mode like so |
@MahmoudAbdo90 With the updated code, are you able to launch to canvas? |
@Cvmcosta yes, I can launch it, it works as I would expect. I even tried to open it in a new window to avoid any troubles with an iframe. Here is the debug output:
I copied the public key and here is a screenshot of these extra settings in moodle |
@haraldschilly I think I have an idea of what might be happening. What is the database plugin you are using? I think the database plugin is not rotating the access token, so you are getting an old one. I see the logs mention retrieving an access token, instead of generating a new one. I can fix this bug directly on the plugin. |
@Cvmcosta ah, interesting. well, I'm using your example code, from the blogpost, with a few modifications. Here is the setup:
|
In case it matters, it's the default mongodb from ubuntu 18.04, i.e. |
@haraldschilly I see, you are using the default database plugin. So maybe there was an issue with that. But if you have direct access to the database (with NoSqlBooster for example) you can just delete the accesstokens table or the access tokens within it. If i am correct there should be an access token stored in it that should have been auto deleted some time ago. |
Hello @iceekreeam, the problem is most likely in the registration, both in the tool and in the platform. Here you can find links explaining the Canvas Setup process. A quick summary:
await lti.registerPlatform({
url: 'https://canvas.test.instructure.com ',
name: ' canvas instance',
clientId: 'api clientID',
authenticationEndpoint: 'https://domain.test.instructure.com/api/lti/authorize_redirect',
accesstokenEndpoint: 'https://domain.test.instructure.com/login/oauth2/token',
authConfig: { method: 'JWK_SET', key: 'https://domaintest.instructure.com/api/lti/security/jwks' }
})
Can you share your Tool Configuration inside canvas? |
Hi @Cvmcosta thanks so much for a prompt reply. I'm really keen to get this working. I made a mistake earlier. My organisation's instance of canvas is actually hosted with instructure (not self hosted). I think the issue might be that i'm to request a token from a https:// instance of canvas while my ltijs demo server is on my local host http. I've been told that Canvas might reject requests in these circumstances. this might mean i have to host this test server on AWS lambda. in any case i have a screen shot of the tool config. Would be great to get your thoughts if there's anything else i can try |
It is possible that your requests are being blocked for being http, but i also spotted a couple of configuration issues in Canvas:
|
Hi @Cvmcosta originally i had the target link URI point at the test client App which was on port 3001. However i've made the changes you mentioned. |
I'd suggest trying to host this code to see if the http vs https issue is affecting something. It looks like your configuration is correct, did you delete and recreate the app after you updated the key settings? Canvas only applies the new setting to new apps. My suggestions are:
I'd test these in order and see if something changes. As i said, your configuration looks fine, so maybe it's just not being applied. |
Hi all -- was anyone ever able to solve this issue? I too am having difficulty posting grades to Canvas, and would love to see some working sample code. Thank you. |
Hello @bennytheshap, many times this issue come from a configuration mistake. Can you please show me your error logs so i can get a better idea of what is the problem. Also, what version of Ltijs are you using? |
@Cvmcosta Hi again just to keep the forum updated, i will be testing out your recommendations over the coming days. Once i have an update i will post back to the forum. Thanks again for the help. |
I am lost in these discussions on where exactly the tool's keyset should go. |
@GreenOn Hello, if you are talking about the Tool's keyset endpoint it is in the |
Thanks. No issues. I think I am getting some clarity on this.
And for the key in the platform registration will always come from the platform provider.
I think using the verbiage like JWKS or well-known URL's in the documentation can clear the confusion out. |
@GreenOn In the setup method, |
@Cvmcosta , I am getting ready to deploy this to our sever and test it. if that |
But Ltijs does provide you with a JWKS URL, by default is If you got to |
I see. So, would there be anyway for us to overwrite the URL given by Ltijs with our tool's current JWKS URL? |
I think that these JWKS URLs have different purposes, |
Aaaah, i think i get it. I don't see how you would be able to do this without altering Ltijs. You would have to change how Platforms are registered (to use Auth0 instead) and then change how these keys and Platforms are retrieved to get this data from Auth0. But have in mind that Ltijs already provides all of this functionality, i don't see a reason to use Auth0. As this person said, LTI doesnt have sign-in, it only uses the Client Credentials grant, and all of this functionality is already implemented. |
@Cvmcosta hey guys so i still haven't finished my testing but i did host the ltijs server on heroku so that both the LMS and the tool are on HTTPS. I can see that Canvas did eventually generate a token for me however theres still more work i need to do before im clear about any remaining issues. One thing i noticed is the LTIJS server picked up the target_uri from the initial launch and sent it back to the platform as the redirect_uri which is incorrect. I think i can manipulate it to work but i will get back to you all |
@iceekreeam can you tell me what exactly happened with the redirect_uri situation? Ltijs has a system in place where it strips the target link uri of query parameters and adds them back after the request is finished. That is done because some LMSs follow the oauth specification strictly, which does not allow dynamic parameters on the redirect_uri. And in doing so I can get Ltijs to work seemlessly between LMSs. |
@Cvmcosta so i listed my target uri as also one of the redirect uris and thats what got picked up by ltijs as the redirect_uri when it sent a response back to canvas in step 2 of the open id connect process. does that make sense? |
@iceekreeam I might be misunderstanding this somehow but i still dont see an issue with the redirect_uri, Ltijs sets the the final endpoint as the redirect_uri since it`s where the LMS should redirect to at the end of the login flow. I also had some issues with the production environment of Canvas but it was due to installation errors. |
@Cvmcosta Hi, no your probably right, im just trying to navigate my way through this. I'm not really certain if there was a definite issue. At this point my goal is to replicate deep linking, Am i correct in thinking i need to setup the Client demo Server and have that be my final redirect URI? Are your two demo apps designed to interact with each other? |
@iceekreeam Sorry i completely forgot about this issue and was only reminded of it because it was cited in another one. I don't know if you are still having this issue, but i think it's worth answering as it might help someone else. Your final redirect URI should be the same as the root where your app is running, example: |
I'll be closing this issue since it has now long deviated from the original topic. Any new problems should be reported in a new Issue. Ltijs integration with Canvas is working perfectly and i've learned a lot about the possible issues over the last couple of months and most of them are due to misconfiguration or other small mistakes. I am working on a FAQ section for Ltijs that will cover most of the common errors. |
@Cvmcosta Hi sorry as well its been a while. I think the source of my issues was that i was trying to use a production instance of canvas with https with my localhost that was running http. Once i put up the test server on Heroku i did get the two sides communicating. Unfortunately i didn't finish working on this as i didn't have the support of my employer to continue. I can say that i was satisfied this would work but obviously to make sure that both the server and canvas are hosted via https |
I'm having issues posting a grade in Canvas. I'm trying to run the following inside lti.onConnect() callback:
The following is the debug output:
error log:
I can see I don't have an access token in my database and lti.js is trying to get one from the platform. When I look at the console output of confjwt in Auth.js, it seems like I'm getting the appropriate client ID and endpoint (https://ouruniversity.test.instructure.com/login/oauth2/token) before the jwt sign, so I'm not sure why the request is bad.
Does anyone know what I might be doing wrong or can point me to where I can get more debug information?
The text was updated successfully, but these errors were encountered: