LTI 1.3 Integration with MDL 4 and Canvas

by jeff mayer -
Number of replies: 4

Getting the following error when trying to use MDL 4 as a 1.3 LTI Provider to Canvas. Working properly when connecting MDL to MDL, just not with Canvas. Any thoughts would be helpful.

Exception - Could not find registration details

Debug info:
Error code: generalexceptionmessage

Stack trace:
  • line 120 of /lib/lti1p3/src/LtiOidcLogin.php: Packback\Lti1p3\OidcException thrown
  • line 63 of /lib/lti1p3/src/LtiOidcLogin.php: call to Packback\Lti1p3\LtiOidcLogin->validateOidcLogin()
  • line 77 of /enrol/lti/login.php: call to Packback\Lti1p3\LtiOidcLogin->doOidcLoginRedirect()


In reply to jeff mayer

Re: LTI 1.3 Integration with MDL 4 and Canvas

by Jake Dallimore -
Hi Jeff,

I've just checked this locally again (Canvas over docker <==> localhost Moodle 4.0) and can confirm it works as expected in my perhaps limited test scenario. That error certainly looks like it's having trouble finding the registration based on the tuple of {issuer, clientid}, probably because you've got the issuer set to the XXX/api/lti/authorize_redirect endpoint, instead of "https://canvas.instructure.com" (which is what I have as per the docs).

I'd suggest trying that and seeing how you go. If you have any more trouble, post back here and I'll do my very best to help.

Cheers,
Jake
In reply to Jake Dallimore

Re: LTI 1.3 Integration with MDL 4 and Canvas

by jeff mayer -
Ok, thanks for clarifying this. I changed the URL to reflect Canvas. Now I'm getting this error:

Exception - Unable to find public key.

Debug info:
Error code: generalexceptionmessage

Stack trace:
  • line 302 of /lib/lti1p3/src/LtiMessageLaunch.php: Packback\Lti1p3\LtiException thrown
  • line 385 of /lib/lti1p3/src/LtiMessageLaunch.php: call to Packback\Lti1p3\LtiMessageLaunch->getPublicKey()
  • line 128 of /lib/lti1p3/src/LtiMessageLaunch.php: call to Packback\Lti1p3\LtiMessageLaunch->validateJwtSignature()
  • line 71 of /enrol/lti/launch.php: call to Packback\Lti1p3\LtiMessageLaunch->validate()

I did notice something in the Scheduler logs:

Fatal error: Cannot declare class OAuthException, because the name is already in use in /var/app/current/moodle/enrol/lti/ims-blti/OAuth.php on line 0
In reply to jeff mayer

Re: LTI 1.3 Integration with MDL 4 and Canvas

by Jake Dallimore -
Hi Jeff,

How are you setting this up? Are you also using a docker setup for Canvas? Helps to know because I ran into some configuration hurdles with the containers myself when testing this.

That fatal error isn't likely related to anything here - there's no usage of any OAuthException in enrol/lti, at least in the LTI Advantage code. That's all legacy code and hasn't been changed.

With regards to the public key failure, that error you're seeing occurs when the public keys could be fetched from the Canvas JWKS but when parsing the keyset, Moodle was unable to find the key corresponding to the 'kid' field in the JWT header. I suspect that there's a mismatch happening somewhere. Worth checking the output of the jwks endpoint too (api/lti/security/jwks) just to make sure that's working as expected.

Also, I just noticed your authentication request URL (in the Moodle screenshot above) is set incorrectly. That should be SITE/api/lti/authorize_redirect, but will be unrelated to the public key issues you're seeing now.
In reply to jeff mayer

Re: LTI 1.3 Integration with MDL 4 and Canvas

by Jake Dallimore -
I'd also like to point out that because we're using firebase/php-jwt, we require the inclusion of 'alg' in the JWK. See https://github.com/firebase/php-jwt/blob/main/src/JWK.php#L86-L89. By default, the containerised Canvas I was using wasn't including this and required a config change to config/dynamic_settings.yml to include "alg": "RS256" in the keys.

It seems this is included in the official jwk at https://canvas.instructure.com/api/lti/security/jwks, just not in the dev stuff.

Might be useful to someone.

Jake
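
The two checks described in the replies above (does the JWKS contain the `kid` named in the JWT header, and does that JWK carry an `alg`) can be run offline against a captured launch token and a saved copy of the JWKS output. The following is an added example, not code from this thread, Moodle or the Packback library; the function names, result strings and sample data are assumptions made for illustration, and the final `alg` comparison is an extra sanity check beyond what the thread describes.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    """Base64url-encode without padding, as used in compact JWS segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_header(token: str) -> dict:
    """Decode (without verifying) the header of a compact JWS."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    seg = parts[0]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))


def diagnose_key_lookup(token: str, jwks: dict) -> str:
    """Report why selecting a verification key for this token could fail."""
    header = jwt_header(token)
    kid = header.get("kid")
    if kid is None:
        return "jwt-missing-kid"
    key = next((k for k in jwks.get("keys", []) if k.get("kid") == kid), None)
    if key is None:
        return "kid-not-in-jwks"      # the mismatch suspected in the thread
    if "alg" not in key:
        return "jwk-missing-alg"      # the dev-container case from the last reply
    if key["alg"] != header.get("alg"):
        return "alg-mismatch"         # added check, not described in the thread
    return "ok"


def sample_token(kid: str) -> str:
    """Constructed, unsigned sample token; only the header matters here."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT", "kid": kid}).encode())
    payload = _b64url(json.dumps({"iss": "https://canvas.instructure.com"}).encode())
    return f"{header}.{payload}.{_b64url(b'not-a-real-signature')}"


# Constructed key sets: one without "alg", one with "alg": "RS256" added.
SAMPLE_JWKS_DEV = {"keys": [{"kty": "RSA", "kid": "sample-kid-1", "use": "sig",
                             "n": "constructed", "e": "AQAB"}]}
SAMPLE_JWKS_FIXED = {"keys": [dict(SAMPLE_JWKS_DEV["keys"][0], alg="RS256")]}

if __name__ == "__main__":
    for name, jwks in (("dev", SAMPLE_JWKS_DEV), ("fixed", SAMPLE_JWKS_FIXED)):
        print(name, diagnose_key_lookup(sample_token("sample-kid-1"), jwks))
```

To use it on a real setup, pass the `id_token` from the launch POST and the parsed JSON saved from the platform's JWKS endpoint in place of the constructed samples.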