Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-67693

"Message signature not valid" when accessing gradebook using LTI 1.1

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 3.8.1
    • Fix Version/s: None
    • Labels:
      None
    • Affected Branches:
      MOODLE_38_STABLE

      Description

      When accessing the gradebook via LTI 1.1, an error message is returned, indicating that there was a problem verifying the message signature.

      Sending a read result request to mod/lti/service.php/1234/lineitems returns

      <?xml version="1.0" encoding="UTF-8"?>
      <imsx_POXEnvelopeResponse xmlns="http://www.imsglobal.org/services/ltiv1p1/xsd/imsoms_v1p0">
      <imsx_POXHeader>
      <imsx_POXResponseHeaderInfo>
      <imsx_version>V1.0</imsx_version>
      <imsx_messageIdentifier>566912918</imsx_messageIdentifier>
      <imsx_statusInfo>
      <imsx_codeMajor>failure</imsx_codeMajor>
      <imsx_severity>status</imsx_severity>
      <imsx_description>Message signature not valid</imsx_description>
      <imsx_messageRefIdentifier />
      <imsx_operationRefIdentifier>unknownRequest</imsx_operationRefIdentifier>
      </imsx_statusInfo>
      </imsx_POXResponseHeaderInfo>
      </imsx_POXHeader>
      <imsx_POXBody>
      <unknownResponse />
      </imsx_POXBody>
      </imsx_POXEnvelopeResponse>

      Looking for the error message in the Moodle source yielded this code snippet in service.php:

      if ($toolproxy !== false) {
      $secrets = array($toolproxy->secret);
      } else if (!empty($tool)) {
      $secrets = array($typeconfig['password']);
      } else {
      $secrets = lti_get_shared_secrets_by_key($consumerkey);
      }
      $sharedsecret = lti_verify_message($consumerkey, lti_get_shared_secrets_by_key($consumerkey), $rawbody);
      if ($sharedsecret === false) {
      throw new Exception('Message signature not valid');
      }

      Obviously the variable $secrets is never used, but thrown away and another call to lti_verify_message is performed. Lacking a local test installation of Moodle, I do not know whether this is the cause of my original issue, but it does not look like this is intended.

        Attachments

          Activity

            People

            Assignee:
            Unassigned Unassigned
            Reporter:
            JanWichelmann Jan Wichelmann
            Participants:
            Component watchers:
            Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski, Peter Dias, Sujith Haridasan
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Dates

              Created:
              Updated: