## WeBWorK Main Forum

### LTI authentication failed through Blackboard

by Bianca Sosnovski -
Number of replies: 15

Hi everyone,

After some updates our Webwork server were displaying different types errors that would come and go. It would be temporarily fixed by after restarting the Apache.

We decided to reinstall from scratch and use the backup files for courses and database.

The new server is running and is set up to run with LTI connection via Blackboard. Students only access webwork via the links posted on Blackboard. But the following error appears even though the new server uses the same settings for the previous server:

bsosnovski_MA119 uses an external authentication system. You've authenticated through that system, but aren't allowed to log in to this course.

Any suggestion where to look for fixing it?

Thank you.

### Re: LTI authentication failed through Blackboard

by Bianca Sosnovski -
I forgot to mention the settings in the authen_LTI.conf:

$debug_lti_parameters = 0; (when I set up to 1 it doesn't show any debug message)$debug_lti_grade_passback = 0;
$external_auth=0;$permissionLevels{change_password} = "ta";
$preferred_source_of_username = 'lis_person_sourcedid';$NonceLifeTime=60; ( changed this to 120 based on another post here in the Forum but didn't resolve the issue)
$LMSManageUserData=1;$permissionLevels{change_email} = "ta";
$LTIBasicToThisSiteURL = "http://webwork.qcc.cuny.edu/webwork2";$LTIGradeMode = "homework";
$LTIGradeOnSubmit = 1; In reply to Bianca Sosnovski ### Re: LTI authentication failed through Blackboard by Nathan Wallach - 1. Have a look at login.log and trigger a LTI login attempt and see what sort of message is being reported. You want to see a line which mention "credential_source=LTIAdvanced" even if is a failure line. 2. Make sure the LTIBasicConsumerSecret is set and consistent on both sides. 3. Make sure site.conf has an uncommented include("conf/authen_LTI.conf"); line. 4. Make sure the system time / date is correct. 5. Check the setting of server_root_url (pay attention to http vs https) and webwork_url and LTIBasicToThisSiteURL (if defined). 6. Maybe edit webwork2/lib/WeBWorK/Constants.pm to turn on and log debug data to a file. (Set$WeBWorK::Debug::Enabled = 1; and set a path using $WeBWorK::Debug::Logfile ) In reply to Nathan Wallach ### Re: LTI authentication failed through Blackboard by Bianca Sosnovski - Nathan, Thank you so much. I even didn't need to go over what you suggested because the new server was also running super slow and our IT decided to reinstall it again. Now everything is working fine. In reply to Nathan Wallach ### Re: LTI authentication failed through Blackboard by Wai Yan Pong - Hello, We are trying the same thing (BB--WW integration) and got the exact same error Test_Course_for_BB_integration uses an external authentication system. You've authenticated through that system, but aren't allowed to log in to this course We have tried what Nathan suggested with no avail. We also enabled the Debug log but not sure whether the follow part is relevant. Any suggestion on how this can be fixed? Many thanks [Mon Nov 16 08:33:54.743861 2020] WeBWorK::Authen::LTIAdvanced::authenticate: oauth_nonce->|364443565693028| [Mon Nov 16 08:33:54.743888 2020] WeBWorK::Authen::LTIAdvanced::authenticate: oauth_timestamp->|1605544433| [Mon Nov 16 08:33:54.743916 2020] WeBWorK::Authen::LTIAdvanced::authenticate: roles->|urn:lti:role:ims/lis/Learner| [Mon Nov 16 08:33:54.743944 2020] WeBWorK::Authen::LTIAdvanced::authenticate: oauth_version->|1.0| [Mon Nov 16 08:33:54.743972 2020] WeBWorK::Authen::LTIAdvanced::authenticate: lti_message_type->|basic-lti-launch-request| [Mon Nov 16 08:33:54.792732 2020] WeBWorK::Authen::LTIAdvanced::authenticate: LTIAdvanced::authenticate request-> verify failed [Mon Nov 16 08:33:54.792878 2020] WeBWorK::Authen::LTIAdvanced::authenticate: OAuth verification Failed [Mon Nov 16 08:33:54.793144 2020] WeBWorK::Authen::LTIAdvanced::verify_normal_user: auth_result=|0| [Mon Nov 16 08:33:54.793436 2020] WeBWorK::Authen::write_log_entry: Writing to login log: 'LOGIN FAILED OAuth verification failed. Check the Consumer Secret and that the URL in the LMS exactly matches the WeBWorK URL.slanaghan@csudh.edu - authentication failed: 0 user_id=slanaghan@csudh.edu login_type=normal credential_source=LTIAdvanced host=72.219.95.47 port=64477 UA=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36'. [Mon Nov 16 08:33:54.794059 2020] WeBWorK::Authen::verify: END VERIFY [Mon Nov 16 08:33:54.794115 2020] WeBWorK::Authen::verify: result 0 [Mon Nov 16 08:33:54.794152 2020] WeBWorK::dispatch: Bad news: authentication failed! In reply to Wai Yan Pong ### Re: LTI authentication failed through Blackboard by Danny Glin - The key message in there is "OAuth verification failed", which means that the information sent by BB doesn't exactly match what WeBWorK is expecting. Did you have this working previously? The first thing to check is exactly what the message suggests: make sure that the Consumer Secret that you have set in WeBWorK (probably in /opt/webwork/webwork2/conf/authen_LTI.conf) matches what you have entered in WeBWorK, and also that the URL used in BB matches the URL in WeBWorK, which includes checking$server_root_url in /opt/webwork/webwork2/conf/site.conf.

I also discovered that in my case leaving the Consumer Key blank in our LMS (we use D2L) caused problems.  As long as it was set to something then it worked.

### Re: LTI authentication failed through Blackboard

by Bianca Sosnovski -

Hi everyone.

I started this post in October but didn't need to follow up on the issue back then because we had a new installed of our Webwork server . But now we started to have the same issue again.

Some students (not all and students from different courses) started to have issue with the LTI login.  A similar message as below shows to them:

MA119-S21-BSosnovski-F24 uses an external authentication system. You've authenticated through that system, but aren't allowed to log in to this course"

This happens to students who were able to login before to access a homework assignments and then they were not able to login for some time. Some of students started to have access again days later.

I followed all the steps and checks listed above by Nathan, but nothing resolved the issue. The debug.log file says that "Failed to verify nonce". I have changed the $NonceLifeTime in the file authen_LTI.cong several times as suggested by other post in the forum. Each time set to a larger values (it is now 600) but didn't resolve the issue. Any idea what else to do or where to look for a possible solution? Thanks. ------------------------------ Here is a sample of the error as shown in the debug.log: [Thu Feb 04 14:00:25.214114 2021] WeBWorK::dispatch: The URLPath looks good, we'll add it to the request.[Thu Feb 04 14:00:25.214140 2021] WeBWorK::dispatch: Now we want to look at the parameters we got. [Thu Feb 04 14:00:25.214162 2021] WeBWorK::dispatch: The raw params: [Thu Feb 04 14:00:25.214398 2021] WeBWorK::dispatch: lis_person_name_given => 'Dxxxxx’ [Thu Feb 04 14:00:25.214446 2021] WeBWorK::dispatch: tool_consumer_instance_description => 'City University of New York' [Thu Feb 04 14:00:25.214473 2021] WeBWorK::dispatch: custom_caliper_federated_session_id => 'https://caliper-mapping.cloudbb.blackboard.com/v1/sites/7ecc20d6-ef11-43ac-a3bd-6cd9edce367b/sessions/4FD2074BFC558D49BDB2993E08DFD476' [Thu Feb 04 14:00:25.214498 2021] WeBWorK::dispatch: lis_result_sourcedid => 'bbgc52825049gi13011907' [Thu Feb 04 14:00:25.214522 2021] WeBWorK::dispatch: custom_caliper_profile_url => 'https://cunyprod.blackboard.com/learn/api/v1/telemetry/caliper/profile/_54925451_1' [Thu Feb 04 14:00:25.214546 2021] WeBWorK::dispatch: lis_person_sourcedid => ‘xxxxxxx’ [Thu Feb 04 14:00:25.214570 2021] WeBWorK::dispatch: user_id => 'f114c8e33ea84de486366b5f23e849cc' [Thu Feb 04 14:00:25.214594 2021] WeBWorK::dispatch: lis_outcome_service_url => 'https://bbhosted.cuny.edu/webapps/gradebook/lti11grade' [Thu Feb 04 14:00:25.214618 2021] WeBWorK::dispatch: lti_message_type => 'basic-lti-launch-request' [Thu Feb 04 14:00:25.214643 2021] WeBWorK::dispatch: ext_launch_presentation_css_url => 'https://bbhosted.cuny.edu/common/shared.css,https://bbhosted.cuny.edu/themes/as_2015/theme.css,https://bbhosted.cuny.edu/branding/_1_1/brand.css?ts=1577714075000' [Thu Feb 04 14:00:25.214667 2021] WeBWorK::dispatch: resource_link_id => '_54925451_1' [Thu Feb 04 14:00:25.214690 2021] WeBWorK::dispatch: launch_presentation_locale => 'en-US' [Thu Feb 04 14:00:25.214714 2021] WeBWorK::dispatch: oauth_consumer_key => 'Webwork' [Thu Feb 04 14:00:25.214738 2021] WeBWorK::dispatch: oauth_version => '1.0' [Thu Feb 04 14:00:25.214762 2021] WeBWorK::dispatch: context_title => '2021 Spring Term (1) Statistics MA 336 F24[45540] (Queensborough CC)' [Thu Feb 04 14:00:25.214785 2021] WeBWorK::dispatch: ext_launch_id => 'b1c249ed-1351-4305-9e27-a7abab84d8f8' [Thu Feb 04 14:00:25.214809 2021] WeBWorK::dispatch: roles => 'urn:lti:role:ims/lis/Learner' [Thu Feb 04 14:00:25.214833 2021] WeBWorK::dispatch: lis_person_contact_email_primary => ‘xxxx.xxxxxx@student.qcc.cuny.edu' [Thu Feb 04 14:00:25.214856 2021] WeBWorK::dispatch: oauth_callback => 'about:blank' [Thu Feb 04 14:00:25.214879 2021] WeBWorK::dispatch: ext_lms => 'bb-3800.0.7-rel.16+bf839b4' [Thu Feb 04 14:00:25.214903 2021] WeBWorK::dispatch: oauth_signature_method => 'HMAC-SHA1' [Thu Feb 04 14:00:25.214926 2021] WeBWorK::dispatch: custom_tc_profile_url => 'https://bbhosted.cuny.edu/learn/api/v1/lti/profile?lti_version=LTI-1p0' [Thu Feb 04 14:00:25.214950 2021] WeBWorK::dispatch: tool_consumer_instance_guid => '153e1b39d0e347519efa1253baed9da8' [Thu Feb 04 14:00:25.214973 2021] WeBWorK::dispatch: lis_person_name_family => 'Nxxxxx’ [Thu Feb 04 14:00:25.214997 2021] WeBWorK::dispatch: lti_version => 'LTI-1p0' [Thu Feb 04 14:00:25.215020 2021] WeBWorK::dispatch: lis_person_name_full => 'Dxxxxx Nxxxx Nxxx’ [Thu Feb 04 14:00:25.215043 2021] WeBWorK::dispatch: oauth_nonce => '3414564115058802' [Thu Feb 04 14:00:25.215072 2021] WeBWorK::dispatch: tool_consumer_instance_name => 'City University of New York' [Thu Feb 04 14:00:25.215097 2021] WeBWorK::dispatch: launch_presentation_return_url => 'https://bbhosted.cuny.edu/webapps/blackboard/execute/blti/launchReturn?course_id=_1982008_1&content_id=_54925451_1&toGC=false&launch_id=b1c249ed-1351-4305-9e27-a7abab84d8f8&link_id=_54925451_1&launch_time=1612464381020' [Thu Feb 04 14:00:25.215121 2021] WeBWorK::dispatch: tool_consumer_info_version => '3800.0.7-rel.16+bf839b4' [Thu Feb 04 14:00:25.215144 2021] WeBWorK::dispatch: context_id => '242fa12435f24913886de98475876420' [Thu Feb 04 14:00:25.215168 2021] WeBWorK::dispatch: oauth_signature => 'oUJROHckKcZsNbmU/YLbS2fkVWk=' [Thu Feb 04 14:00:25.215192 2021] WeBWorK::dispatch: context_label => 'QCC01_MA_119_F24_1212_1' [Thu Feb 04 14:00:25.215215 2021] WeBWorK::dispatch: tool_consumer_info_product_family_code => 'BlackboardLearn' [Thu Feb 04 14:00:25.215239 2021] WeBWorK::dispatch: oauth_timestamp => '1612464381' [Thu Feb 04 14:00:25.215262 2021] WeBWorK::dispatch: launch_presentation_document_target => 'window' [Thu Feb 04 14:00:25.215286 2021] WeBWorK::dispatch: resource_link_title => 'HW Intro to WeBWorK' [Thu Feb 04 14:00:25.215309 2021] WeBWorK::dispatch: tool_consumer_instance_contact_email => 'bbsupport@cuny.edu' [Thu Feb 04 14:00:25.215333 2021] WeBWorK::dispatch: --------------------------------------------- [Thu Feb 04 14:00:25.215367 2021] WeBWorK::dispatch: We need to get a course environment (with or without a courseID!) [Thu Feb 04 14:00:25.220954 2021] WeBWorK::dispatch: Here's the course environment: WeBWorK::CourseEnvironment=HASH(0x55bb6bce3898) [Thu Feb 04 14:00:25.221330 2021] WeBWorK::dispatch: Using user_authen_module WeBWorK::Authen::LTIAdvanced: WeBWorK::Authen::LTIAdvanced=HASH(0x55bb6bdc20b8) [Thu Feb 04 14:00:25.221388 2021] WeBWorK::dispatch: We got a courseID from the URLPath, now we can do some stuff: [Thu Feb 04 14:00:25.221420 2021] WeBWorK::dispatch: ...we can create a database object... [Thu Feb 04 14:00:25.227112 2021] WeBWorK::dispatch: (here's the DB handle: WeBWorK::DB=HASH(0x55bb6bd398e8)) [Thu Feb 04 14:00:25.227194 2021] WeBWorK::Authen::verify: BEGIN VERIFY [Thu Feb 04 14:00:25.227230 2021] WeBWorK::Authen::LTIAdvanced::request_has_data_for_this_verification_module: LTIAdvanced has been called for data verification [Thu Feb 04 14:00:25.227271 2021] WeBWorK::Authen::LTIAdvanced::request_has_data_for_this_verification_module: LTIAdvanced returning that it has sufficient data [Thu Feb 04 14:00:25.227316 2021] WeBWorK::Authen::do_verify: db ok [Thu Feb 04 14:00:25.227344 2021] WeBWorK::Authen::LTIAdvanced::get_credentials: LTIAdvanced::get_credentials has been called [Thu Feb 04 14:00:25.227415 2021] WeBWorK::Authen::LTIAdvanced::get_credentials: LTIAdvanced::get_credentials is returning a 1 [Thu Feb 04 14:00:25.227442 2021] WeBWorK::Authen::do_verify: credentials ok [Thu Feb 04 14:00:25.227473 2021] WeBWorK::Authen::LTIAdvanced::check_user: LTIAdvanced::check_user has been called for user_id = |xxxxxxxxxx| [Thu Feb 04 14:00:25.228633 2021] WeBWorK::Authen::LTIAdvanced::check_user: LTIAdvanced::check_user is about to return a 1. [Thu Feb 04 14:00:25.228706 2021] WeBWorK::Authen::do_verify: check user ok [Thu Feb 04 14:00:25.228751 2021] WeBWorK::Authen::LTIAdvanced::verify_normal_user: LTIAdvanced::verify_normal_user called for user |xxxxxxxx| [Thu Feb 04 14:00:25.229102 2021] WeBWorK::Authen::LTIAdvanced::verify_normal_user: sessionExists='1' keyMatches='' timestampValid='' [Thu Feb 04 14:00:25.229166 2021] WeBWorK::Authen::LTIAdvanced::authenticate: LTIAdvanced::authenticate called for user |xxxxxxxxxx| [Thu Feb 04 14:00:25.229195 2021] WeBWorK::Authen::LTIAdvanced::authenticate: ref(r) = |WeBWorK::Request| [Thu Feb 04 14:00:25.229220 2021] WeBWorK::Authen::LTIAdvanced::authenticate: ref of r->{paramcache} = |HASH| [Thu Feb 04 14:00:25.229248 2021] WeBWorK::Authen::LTIAdvanced::authenticate: Nonce = |3414564115058802| [Thu Feb 04 14:00:25.229567 2021] WeBWorK::Authen::LTIAdvanced::authenticate: Failed to verify nonce [Thu Feb 04 14:00:25.229628 2021] WeBWorK::Authen::LTIAdvanced::verify_normal_user: auth_result=|0| [Thu Feb 04 14:00:25.229763 2021] WeBWorK::Authen::write_log_entry: Writing to login log: 'LOGIN FAILED xxxxxxxx - authentication failed: 0 user_id=xxxxxxx login_type=normal credential_source=LTIAdvanced host=100.2.88.126 port=63526 UA=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.96 Safari/537.36 Edg/88.0.705.56'. [Thu Feb 04 14:00:25.230070 2021] WeBWorK::Authen::verify: END VERIFY [Thu Feb 04 14:00:25.230105 2021] WeBWorK::Authen::verify: result 0 [Thu Feb 04 14:00:25.230142 2021] WeBWorK::dispatch: Bad news: authentication failed! [Thu Feb 04 14:00:25.230168 2021] WeBWorK::dispatch: set displayModule to WeBWorK::ContentGenerator::Login [Thu Feb 04 14:00:25.230192 2021] WeBWorK::dispatch: -------------------------------------------------------------------------------- [Thu Feb 04 14:00:25.230214 2021] WeBWorK::dispatch: Finally, we'll load the display module... [Thu Feb 04 14:00:25.230289 2021] WeBWorK::dispatch: ...instantiate it... [Thu Feb 04 14:00:25.230336 2021] WeBWorK::dispatch: ...and call it: [Thu Feb 04 14:00:25.230361 2021] WeBWorK::dispatch: -------------------- call to WeBWorK::ContentGenerator::Login::go [Thu Feb 04 14:00:25.233233 2021] WeBWorK::dispatch: -------------------- call to WeBWorK::ContentGenerator::Login::go [Thu Feb 04 14:00:25.233422 2021] WeBWorK::dispatch: returning result: 0 [Thu Feb 04 14:00:25.393891 2021] WeBWorK::dispatch: In reply to Bianca Sosnovski ### Re: LTI authentication failed through Blackboard by Nathan Wallach - The "Failed to verify nonce" error log message is triggered in webwork2/lib/WeBWorK/Authen/LTIAdvanced.pm when the test if (!($nonce->ok ) ) comes out true, namely when there is a detection of a reuse of the nonce.

There are some similar reports for other systems with BlackBoard's LTI:

I took a look at the code which checks if nonces are valid, and it seems to me not to be correct. I think that (a) the purge code should run more often (otherwise old nonces can stay around in the database for almost double as long as they were intended to and (b) I think any nonce reuse should trigger a reject, while at present based on time-stamps, some (probably most) are not rejected - which may be why the issue of (a) did not cause greater problems.

### Re: LTI authentication failed through Blackboard

by Bianca Sosnovski -

Nathan,

This is fantastic! Thank you  for providing yet another modified file to debug the timestamp.

I contacted our university's Blackboard people. I hope we will hear from them soon. Collecting the info with your modified file certainly helps to figure out the issue.

Our Webwork is running NTP:

root@webwork:~# timedatectl

Local time: Mon 2021-02-15 13:38:58 EST

Universal time: Mon 2021-02-15 18:38:58 UTC

RTC time: Mon 2021-02-15 18:38:58

Time zone: America/New_York (EST, -0500)

System clock synchronized: yes

NTP service: active

RTC in local TZ: no

I will keep you posted of what is going on.

Thank you gain.

### Re: LTI authentication failed through Blackboard

by Bianca Sosnovski -
This is just an update on the issue we had with the authentication failure via Blackboard.

I contacted our University IT for Blackboard and they said they would take a look at the issue.
Couple of weeks after that, I noticed that complains about the issue stopped. I haven't changed anything in the system to resolve the issue since my last post. But I'm happy that people stopped reporting the authentication failure.

Checking the debug file, I still see some occasional occurrence of "authentication failed" but the difference is that students now are able to login right away after it happens (within few seconds). Before it would take long periods of time, sometimes a couple of days for them to be able to login again.

By the way, I hadn't seen any timestamp info (from the patch in LTIAdvanced.pm above) if different between the servers are more than 5 secs appears in the debug that associated with an instance "authentication failed".

It may be that the issue was resolved by a change in the Blackboard system. I'm just not aware if any modification was done in Blackboard 🤷‍♀️.
I will ask the IT if they ever did anything directly related to the issue with Blackboard.

Thank you for all the help.