I am trying to develop an LTI 2.0 tool provider. I have Moodle running locally on my machine and have opened it up to the world via ngrok. (This also allows me to inspect the HTTP requests.) I can get Moodle to configure the external tool, add it to a site, and do a BLTI launch successfully.
I'm am trying to then use the credentials to access Moodle's membership service to get a course roster list. Whenever I try to access it, I'm getting a 401 error. However, if I go to http://lti.tools/test/tp.php, set up the OAuth credentials in the "Consumer" tab then go to the "Membership" tab and issue the request to my server, it works.
Looking at the raw HTTP request in ngrok, everything looks like it should work for my request. I've verified that the steps taken to generate the OAuth signature produce the same signature as the working request, so they should create a good signature for my request too.
Example of the HTTP Requests:
Good request from lti.tools — receives a 200 response with the data:
GET /mod/lti/services.php/links/1/memberships?limit=25 HTTP/1.1 Host: 6aecef01.ngrok.io Authorization: OAuth oauth_version="1.0",oauth_nonce="8ff57ef6c3069d9a00c4880b719d3587",oauth_timestamp="1492697465",oauth_consumer_key="PwU3QQ5su9p3FJe",oauth_body_hash="2jmj7l5rSw0yVb%2FvlWAYkK%2FYBwk%3D",oauth_signature_method="HMAC-SHA1",oauth_signature="fy7ik8IeKE9Fo%2BFNVb6cwPmsSz8%3D" Accept: application/vnd.ims.lis.v2.membershipcontainer+json X-Forwarded-For: 22.214.171.124
Bad request from my tool provider — receives a 401 response:
GET /mod/lti/services.php/links/1/memberships?limit=25 HTTP/1.1 Accept: application/vnd.ims.lis.v2.membershipcontainer+json Host: 6aecef01.ngrok.io Authorization: OAuth oauth_version="1.0",oauth_nonce="88a937b722722ad6056751bb1948819c",oauth_timestamp="1492697466",oauth_consumer_key="PwU3QQ5su9p3FJe",oauth_body_hash="2jmj7l5rSw0yVb%2FvlWAYkK%2FYBwk%3D",oauth_signature_method="",oauth_signature="ffP9X937aSmmgJrNr%2B%2BtdFRwbpw%3D" X-Forwarded-For: 2601:845:c200:d227:bd16:9504:5ced:6dd3
Does anyone have any insight on what I may be missing, or know if the source code for lti.tools is available somewhere?