-
-
Notifications
You must be signed in to change notification settings - Fork 165
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
nonce timing issue #1453
Comments
I certainly know when and how such a message is issues, as I added the code to do that. One of the known causes of LTI problems is that the WeBWorK server and the LMS had significant differences in their clocks, and several forum threads have discussed problems in such cases. Time differences cause problems both with authentication and with grade pass-back. In terms of authentication, by default (the setting from The code was added to report when the difference is more than 5 second, which was intended to help determine when there are potential problems brewing. The threshold for triggering the message is set in LTIAdvanced.pl by If the only problem is the warning being issues too frequently, we probably should increase the threshold. |
I think there is a more significant issue. (Or perhaps the following is unrelated.) An instructor is using
Could "Duplicate nonce detected" have to do with this timing issue? |
Yes. See: https://webwork.maa.org/moodle/mod/forum/discuss.php?d=4906#p14795 and https://webwork.maa.org/moodle/mod/forum/discuss.php?d=4770#p14262 where Larry Riddle explained that Canvas reports such a duplicate nonce error when the WeBWorK time in the LTI grade-passback message is more than one minute ahead (or 5 minutes behind) the time in Canvas. The other possibility is a real detection of a duplicate nonce, as from my investigation Canvas does store the nonces it receives for a period of time to implement the intended avoidance of nonce-reuse. The changes in how nonces are built by WW in #1177 uses 2 parts, one which depends on the |
This is happening with at least one (possibly two) schools that are using Runestone WeBWorK hosting. Both are using Canvas. In each case, the reported clock difference is only 8 seconds, so it seems that it is not the +1min/-5min issue. But also it happens most of the time, not just occasionally, so it doesn't sound like it's the other issue either. (If it were that issue, this is a 2.16 server, so it has your work from #1177.) Would a duplicate nonce issue also affect mass updates? I would assume yes, but something in one of those forum posts suggested otherwise. The mass update interval is set to just one hour, and that is not helping. Meaning, the Canvas grades are still not updating even a day later with activity in the course. I'm reaching a point where I will advise them to get more technical assistance from their Canvas management to diagnose the issue more and get to the root cause for "duplicate nonce detected" errors in this case. |
It does seem necessary to get some help from the Canvas side. From the Canvas code on GitHub (assuming I'm looking at the correct code):
The duplicate nonce issue will certainly effect grade-passback also for mass updates, as when the LMS detects a duplicate nonce, it is not supposed to accept the LTI message. Sarunas Burdulis had some grade-passback issues, and reported testing with both the old code, and the "new" nonce code in https://webwork.maa.org/moodle/mod/forum/discuss.php?d=4906 at which time both the old method and the new were working for grade passback on submit. |
I think #1464 will fix the bug. |
The grade passback bug was fixed by #1464 . We have dropped the code to warn about clock differences unless |
@drgrice1 and I were recently in a hotel with poor wifi and noticed a timing issue with nonces when we connected to a WW course through each of our school's LMSes. Since then, I've had this reported from some other instructors. Here is a screenshot from one course where the error is reported:
There is an 8 second difference here. IIRC, @drgrice1 and I each saw a 7 second difference.
@taniwallach is this something that makes sense to you?
The text was updated successfully, but these errors were encountered: