This repository has been archived by the owner on May 16, 2023. It is now read-only.

Canvas: {Message}:{"Could not validate request."}? #125

Closed
pkelders opened this issue May 7, 2021 · 15 comments

@pkelders

pkelders commented May 7, 2021

LTI Application does not load error: {"Message":"Could not validate request"}

Describe the issue
I'm in the process of connecting our self-hosted Canvas. We get {Message}:{"Could not validate request."}.

Following the: LTI Application does not load error: {"Message":"Could not validate request"} did not resolve the issue.

In LtiAdvantageLaunch I found this exception:

Could not validate request. Microsoft.IdentityModel.Tokens.SecurityTokenInvalidIssuerException: IDX10205: Issuer validation failed. Issuer: 'System.String'. Did not match: validationParameters.ValidIssuer: 'System.String' or validationParameters.ValidIssuers: 'System.String'.
   at Microsoft.IdentityModel.Tokens.Validators.ValidateIssuer(String issuer, SecurityToken securityToken, TokenValidationParameters validationParameters)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateIssuer(String issuer, JwtSecurityToken jwtToken, TokenValidationParameters validationParameters)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateTokenPayload(JwtSecurityToken jwtToken, TokenValidationParameters validationParameters)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
   at Edna.Bindings.LtiAdvantage.Utils.LtiAdvantageExtensions.GetValidatedLtiLaunchClaims(HttpRequest request, String jwkSetUrl, String clientId, String issuer) in C:\Users\lti-user\Documents\LTI-tool\Learn-LTI\backend\Bindings\Edna.Bindings.LtiAdvantage\Utils\LtiAdvantageExtensions.cs:line 46
   at Edna.Bindings.LtiAdvantage.Services.LtiResourceLinkRequestClient.GetLtiResourceLinkRequest(String jwkSetUrl, String clientId, String issuer) in C:\Users\lti-user\Documents\LTI-tool\Learn-LTI\backend\Bindings\Edna.Bindings.LtiAdvantage\Services\LtiResourceLinkRequestClient.cs:line 25
   at Edna.Connect.LtiAdvantageApi.LtiAdvantageLaunch(HttpRequest req, ILtiResourceLinkRequestClient ltiRequestClient, INrpsClient nrpsClient, Platform platform, IAsyncCollector`1 assignmentsCollector, IDurableEntityClient entityClient, String platformId) in C:\Users\lti-user\Documents\LTI-tool\Learn-LTI\backend\Functions\Edna.Connect\LtiAdvantageApi.cs:line 86

I use https://canvas.instructure.com as Issuer?
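Added example, not part of the original thread or of Learn-LTI: the IDX10205 text above prints 'System.String' in place of the two issuer values, so this sketch decodes a captured launch token (without verifying it) and reports which `iss` and `aud` it carries against the registered values. The function names, the sample token and the `canvas.example.edu` host are constructed for illustration, and the exact string comparison is an assumption of this sketch.

```python
import base64
import json

def decode_segment(segment: str) -> dict:
    """Base64url-decode one JWT segment; padding is restored first."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def diagnose_launch_token(id_token: str, registered_issuer: str, client_id: str) -> dict:
    """Diagnostic only: no signature check, never use the result for authorization."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    header, claims = decode_segment(parts[0]), decode_segment(parts[1])
    iss, aud = claims.get("iss"), claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    findings = []
    if iss != registered_issuer:
        hint = ""
        if isinstance(iss, str) and iss.rstrip("/").lower() == registered_issuer.rstrip("/").lower():
            hint = " (differs only by case or trailing slash)"
        findings.append(f"iss {iss!r} != registered issuer {registered_issuer!r}{hint}")
    if client_id not in audiences:
        findings.append(f"client id {client_id!r} not in aud {audiences!r}")
    return {"iss": iss, "aud": audiences, "kid": header.get("kid"),
            "alg": header.get("alg"), "findings": findings}

def make_sample_token(claims: dict) -> str:
    """Build a constructed token with a placeholder signature, for the demo only."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed-kid"}
    return f"{enc(header)}.{enc(claims)}.c2lnbmF0dXJl"

if __name__ == "__main__":
    # Constructed values: a self-hosted Canvas that emits its own host as iss.
    token = make_sample_token({"iss": "https://canvas.example.edu", "aud": "10000000000001"})
    report = diagnose_launch_token(token, "https://canvas.instructure.com", "10000000000001")
    print(json.dumps(report, indent=2))
```
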

@leestott
Contributor

@pkelders

Hi this issue is documented at https://github.com/microsoft/Learn-LTI/blob/main/docs/TROUBLESHOOTING.md

LTI Application does not load error: {"Message":"Could not validate request"}

This issue is typically related to one of the following:

Check if you have a valid 3rd party signed SSL certificate. This service requires a valid 3rd party SSL certificate; self-signed SSL certificates are not valid. Please ensure your service is using https:// with a valid SSL certificate.

Check the Launch URL, please make sure that all the fields are correctly filled while registering the tool and filling tool's platform registration page. See https://github.com/microsoft/Learn-LTI/blob/main/docs/CONFIGURATION_GUIDE.md

Check the Azure Function/Azure Logs see https://github.com/microsoft/Learn-LTI/blob/main/docs/TROUBLESHOOTING.md#azure-functions-tracing

@leestott
Contributor

Hi @pkelders

Did the instructions unblock you and did you manage to get the LTI Application successfully installed? Can we close the issue?

@pkelders
Author

pkelders commented May 12, 2021 via email

@leestott
Contributor

@pkelders not a problem, could you share a screenshot or the specific field section of the setup guide you're having trouble completing?

Ensure you follow the guidance from the setup docs and you're using the details provided when you ran the initial scripts to create your environment.

@pkelders
Author

Below are some images...

@leestott
Contributor

@pkelders
Just for info, when providing screenshots with private key details we suggest you blur out this information.

As per https://github.com/microsoft/Learn-LTI/blob/main/docs/CONFIGURATION_GUIDE.md ensure the issuer is https://canvas.instructure.com

Please ensure you have used the following steps, which show how to register the parameters back in the Learn LTI application's registration page.

Open the tool registration page from your browser.
Enter the following information:
    Display name: give the tool a name of your choice.
    Issuer: enter https://canvas.instructure.com
    JWK Set URL: enter https://[tenant-name].instructure.com/api/lti/security/jwks
    Access Token URL: enter https://[tenant-name].instructure.com/login/oauth2/token
    Authorization URL: enter https://[tenant-name].instructure.com/api/lti/authorize_redirect
    NOTE: [tenant-name] is your Canvas tenant name hosted by Instructure. For example, if the URL of the LMS is https://canvas.instructure.com, then the [tenant-name] is "canvas". If you are using self-hosted Canvas, replace https://[tenant-name].instructure.com with your Canvas URL.
    Client ID: enter "Client ID" from the LTI key registration.
Optionally, you can add your Institution name and logo on the registration page.
Click SAVE REGISTRATION.

@leestott
Contributor

@pkelders

Sorry, did the above unblock you? If not, please contact us via email and we will happily schedule a call: learnlti@microsoft.com

@pkelders
Author

pkelders commented May 20, 2021 via email

@pkelders
Author

One question I've got from my support team:
Is the "Can Lookup Account Information" important? Because it's not in their services list.

Peter

@leestott
Contributor

leestott commented May 25, 2021

@pkelders Hi Peter so as per step 6. are you using Canvas, what version are you using?

The following steps show how to configure an LTI tool on a Canvas LMS.

LTI 1.1 - At this time, we do not support LTI 1.1 with Canvas LMS. Hence my question above.

For LTI 1.3 you need to configure the following under the LTI Advantage Services

Enable the following options:

Can create and view assignment data in the gradebook associated with the tool.
Can view assignment data in the gradebook associated with the tool.
Can view submission data for assignments associated with the tool.
Can create and update submission results for assignments associated with the tool.
Can retrieve user data associated with the context the tool is installed in.
Can lookup Account information
Can list categorized event types.

The reason for enabling Can lookup Account information is to check if this account type is a student or teacher, etc. If your options don't include this then it may not be appropriate, but you may have issues identifying role types.

Please share a screenshot or send more details to learnlti@microsoft.com

@Soloresq

I had the same issue when using the bitnami image in azure.
I created the following file in canvas system:
/opt/bitnami/apps/canvaslms/htdocs/config/dynamic_settings.yml copying the content from existing /opt/bitnami/apps/canvaslms/htdocs/config/dynamic_settings.yml.example and added following lines below (secrets adjusted):

production:
  store:
    canvas:
      lti-keys:
        jwk-past.json: "{\"p\": \"12345MySecret67890\",\"kty\": \"RSA\",\"q\": \"12345MySecret67890\",\"d\": \"12345MySecret67890\",\"e\": \"AQAB\",\"use\": \"sig\",\"kid\": \"sig-16mysig48\",\"qi\": \"12345MySecret67890\",\"dp\": \"12345MySecret67890\",\"alg\": \"RS256\",\"dq\": \"12345MySecret67890\",\"n\": \"12345MySecret67890\"}"
        jwk-present.json: "{\"p\": \"12345MySecret67890\",\"kty\": \"RSA\",\"q\": \"12345MySecret67890\",\"d\": \"12345MySecret67890\",\"e\": \"AQAB\",\"use\": \"sig\",\"kid\": \"sig-16mysig48\",\"qi\": \"12345MySecret67890\",\"dp\": \"12345MySecret67890\",\"alg\": \"RS256\",\"dq\": \"12345MySecret67890\",\"n\": \"12345MySecret67890\"}"
        jwk-future.json: "{\"p\": \"12345MySecret67890\",\"kty\": \"RSA\",\"q\": \"12345MySecret67890\",\"d\": \"12345MySecret67890\",\"e\": \"AQAB\",\"use\": \"sig\",\"kid\": \"sig-16mysig48\",\"qi\": \"12345MySecret67890\",\"dp\": \"12345MySecret67890\",\"alg\": \"RS256\",\"dq\": \"12345MySecret67890\",\"n\": \"12345MySecret67890\"}"

Such a key can be generated here. Make sure you escape the keys correctly. It is three times the same key, and yes, you need all of them with exactly those file names in front.
After that, you need to restart Canvas using sudo /opt/bitnami/ctlscript.sh restart

Note: Take care when editing the file, it needs 'lf' not 'cr' 'lf' format!
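Added example, not part of the original comment or of Canvas: a pre-restart check for the two failure modes the comment names, CR LF line endings and incorrectly escaped key strings, plus a missing `jwk-past.json`/`jwk-present.json`/`jwk-future.json` entry. The function names are hypothetical, the sample key uses constructed placeholder values, and the list of members checked is taken from the key shown in the comment, which is an assumption rather than a statement of what Canvas requires.

```python
import json
import re

# Members present in the comment's example key (assumption of this sketch).
EXPECTED = {"kty", "kid", "alg", "use", "n", "e", "d", "p", "q", "dp", "dq", "qi"}
SLOTS = ("jwk-past.json", "jwk-present.json", "jwk-future.json")
ENTRY = re.compile(r'^\s*(jwk-(?:past|present|future)\.json):\s*(".*")\s*$')

def check_lti_keys(raw: bytes) -> list:
    """Return a list of problems found in the bytes of dynamic_settings.yml."""
    problems = []
    if b"\r" in raw:
        problems.append("CR found: save the file with LF line endings")
    seen = set()
    for line in raw.decode("utf-8").splitlines():
        match = ENTRY.match(line)
        if not match:
            continue
        slot, quoted = match.groups()
        seen.add(slot)
        try:
            # Outer loads undoes the \" escaping, inner loads parses the JWK itself.
            jwk = json.loads(json.loads(quoted))
        except ValueError:
            problems.append(f"{slot}: value is not a correctly escaped JSON object")
            continue
        if not isinstance(jwk, dict):
            problems.append(f"{slot}: value is JSON but not an object")
            continue
        missing = sorted(EXPECTED - set(jwk))
        if missing:
            problems.append(f"{slot}: missing members {missing}")
    problems += [f"{slot}: entry not found" for slot in SLOTS if slot not in seen]
    return problems

def build_sample(jwk: dict, newline: str = "\n") -> bytes:
    """Render the lti-keys section with correctly escaped values (constructed input)."""
    lines = ["production:", "  store:", "    canvas:", "      lti-keys:"]
    lines += [f"        {slot}: {json.dumps(json.dumps(jwk))}" for slot in SLOTS]
    return (newline.join(lines) + newline).encode("utf-8")

# Constructed placeholder values, not a usable key.
SAMPLE_JWK = {name: "PLACEHOLDER" for name in sorted(EXPECTED)}

if __name__ == "__main__":
    print(check_lti_keys(build_sample(SAMPLE_JWK)))            # clean file
    print(check_lti_keys(build_sample(SAMPLE_JWK, "\r\n")))    # saved with CR LF
```
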

@leestott
Contributor

leestott commented Jun 30, 2021

@Soloresq Thanks for this so by undertaking this step does the service now work?

@Soloresq Thanks for this, so by undertaking this step does the service now work successfully? If YES, we will add this to the troubleshooting doc. I see this is an issue with hosted Canvas: https://community.canvaslms.com/t5/Canvas-Question-Forum/Public-JWKS-URL-is-not-working/td-p/225583

@Soloresq

@leestott Yes, for me that made it work. Yes, the comments in the issue you mentioned helped me a lot.

@leestott
Contributor

@Soloresq thanks for the confirmation. @pkelders this solution may unblock you.

@leestott
Contributor

leestott commented Jul 5, 2021

Troubleshooting guide updated to include these instructions to unblock users.

@leestott leestott closed this as completed Jul 5, 2021