WeBWorK Main Forum

The "duplicate nonce" error is back

by Larry Riddle -
Number of replies: 8

I recently updated our WeBWorK server to 2.16 and I am now testing the LTI connection from Canvas to WeBWorK. When I click on an assignment in Canvas (set up in homework GradeMode), I am taken to the homework set fine. I click on a problem, answer one of the questions, click grade, and the grade is reported to be successfully sent back to the LMS. But then if I answer another question in that same problem and click grade, this time I am told that the grade is NOT successfully sent back to the LMS. And subsequent grading also is not successfully sent back. But it seems that if I wait a sufficient amount of time and come back to the problem set via Canvas, then the first grade attempt will be successfully sent back again.

Below is the LTI debugging report. Halfway down there is a "duplicate nonce detected" error message. I know this is not because of the timing issue that I reported last year because the new debugging code added to 2.16 reports that the difference between the server time and the oauth_nonce is always less than 5 seconds in the various tests I've done.

Any suggestions on what might be causing this and how to resolve it?

  • submitting grade for user: testuser1 set Optimization 
  • Submitting grade using sourcedid: 93-65-8585-481-43a1090ab9cbf3de4f6e28f8ebcaaf68be8bf449 and score: 0.06
  • The request was:
  • _uri https://agnesscott.instructure.com/api/lti/v1/tools/93/grade_passback _headers HTTP::Headers=HASH(0x560407868618) _uri_canonical https://agnesscott.instructure.com/api/lti/v1/tools/93/grade_passback _content <?xml version = "1.0" encoding = "UTF-8"?>
  • <imsx_POXEnvelopeRequest xmlns = "http://www.imsglobal.org/services/ltiv1p1/xsd/imsoms_v1p0">
  • <imsx_POXHeader>
  • <imsx_POXRequestHeaderInfo>
  • <imsx_version>V1.0</imsx_version>
  • <imsx_messageIdentifier>999999123</imsx_messageIdentifier>
  • </imsx_POXRequestHeaderInfo>
  • </imsx_POXHeader>
  • <imsx_POXBody>
  • <replaceResultRequest>
  • <resultRecord>
  • <sourcedGUID>
  • <sourcedId>93-65-8585-481-43a1090ab9cbf3de4f6e28f8ebcaaf68be8bf449</sourcedId>
  • </sourcedGUID>
  • <result>
  • <resultScore>
  • <language>en</language>
  • <textString>0.06</textString>
  • </resultScore>
  • </result>
  • </resultRecord>
  • </replaceResultRequest>
  • </imsx_POXBody>
  • </imsx_POXEnvelopeRequest> _method POST at /opt/webwork/webwork2/lib/WeBWorK/Authen/LTIAdvanced/SubmitGrade.pm line 472.
  • The nonce used is 378d6709-33ac-58a2-83a0-7a6e48d5bc64__-step2
  • The response is:
  • _headers HTTP::Headers=HASH(0x560407bd61b8) _protocol HTTP/1.1 _content {"errors":[{"message":"Duplicate nonce detected"}]} _request HTTP::Request=HASH(0x560407868288) _rc 401 _msg Unauthorized at /opt/webwork/webwork2/lib/WeBWorK/Authen/LTIAdvanced/SubmitGrade.pm line 474.
  • The request was:
  • _uri https://agnesscott.instructure.com/api/lti/v1/tools/93/grade_passback _headers HTTP::Headers=HASH(0x560407868618) _uri_canonical https://agnesscott.instructure.com/api/lti/v1/tools/93/grade_passback _content <?xml version = "1.0" encoding = "UTF-8"?>
  • <imsx_POXEnvelopeRequest xmlns = "http://www.imsglobal.org/services/ltiv1p1/xsd/imsoms_v1p0">
  • <imsx_POXHeader>
  • <imsx_POXRequestHeaderInfo>
  • <imsx_version>V1.0</imsx_version>
  • <imsx_messageIdentifier>999999123</imsx_messageIdentifier>
  • </imsx_POXRequestHeaderInfo>
  • </imsx_POXHeader>
  • <imsx_POXBody>
  • <replaceResultRequest>
  • <resultRecord>
  • <sourcedGUID>
  • <sourcedId>93-65-8585-481-43a1090ab9cbf3de4f6e28f8ebcaaf68be8bf449</sourcedId>
  • </sourcedGUID>
  • <result>
  • <resultScore>
  • <language>en</language>
  • <textString>0.06</textString>
  • </resultScore>
  • </result>
  • </resultRecord>
  • </replaceResultRequest>
  • </imsx_POXBody>
  • </imsx_POXEnvelopeRequest> _method POST at /opt/webwork/webwork2/lib/WeBWorK/Authen/LTIAdvanced/SubmitGrade.pm line 475.


In reply to Larry Riddle

Re: The "duplicate nonce" error is back

by Alex Jordan -
I have seen it just as you describe with two Canvas-using schools using Runestone to host. My suspicion is that when it succeeds on that first attempt, it is really the mass update interval submission that is succeeding.

This issue:
https://github.com/openwebwork/webwork2/issues/1453
starts out as something else that may or may not be related. But the thread moves on into this topic.

In reply to Larry Riddle

Re: The "duplicate nonce" error is back

by Larry Riddle -

I've attached some debugging files if that helps. The first will be the debugging info upon authentication.

In reply to Larry Riddle

Re: The "duplicate nonce" error is back

by Larry Riddle -
This file is the debug_lti_grade_passback info after the FIRST grade attempt when passback is successful.

In reply to Larry Riddle

Re: The "duplicate nonce" error is back

by Larry Riddle -
This file is the debug_lti_grade_passback info after the SECOND grade attempt when passback is NOT successful. Notice that the second grade attempt was within a minute of the first attempt.

In reply to Larry Riddle

Re: The "duplicate nonce" error is back

by Nathan Wallach -

Thanks for posting the debug files. They are making it very clear what the problem is.

In the Debug files there are 3 lines which report The nonce used is 956d3c2c-8c18-579d-9efd-8e17e8ce44a5__-step2

The line $uuid_p2 = create_uuid_as_string(UUID_TIME); is not being run to create the time based portion of the nonce, and that is leading to the same nonce being reused.

The bug was that that line was only being run when $lti_check_prior was true due to this line being incorrectly moved inside a conditional block. (My fault, but it was not picked up during the testing done.)

I think the change in https://github.com/openwebwork/webwork2/pull/1464 should fix the issue. Installing just the revised file from https://raw.githubusercontent.com/openwebwork/webwork2/f835b7538c86c255cf26df2c62611a018495e8ca/lib/WeBWorK/Authen/LTIAdvanced/SubmitGrade.pm should suffice.
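An added illustration of the failure described in this reply (not WeBWorK's code and not part of the original post): a model of a two-part nonce whose time-based half is only generated on one branch, a consumer-side replay cache that rejects the repeat, and a check that flags reused or incomplete nonces in debug output. The `<part1>__<part2>-step2` layout is inferred from the logged nonce; `build_nonce`, `ReplayCache`, `audit`, the name string and the 600-second window are hypothetical, and Python's `uuid5`/`uuid1` stand in for the Perl UUID calls.

```python
import re
import time
import uuid
from collections import Counter

NONCE_LINE = re.compile(r"The nonce used is (\S+)")

def build_nonce(name, check_prior, patched):
    """Model (assumed layout): <name-based uuid>__<time-based uuid>-step2."""
    p1 = str(uuid.uuid5(uuid.NAMESPACE_URL, name))  # same input -> same value
    p2 = ""
    if patched or check_prior:      # unpatched: time part only set on this branch
        p2 = str(uuid.uuid1())      # time-based, differs on every call
    return f"{p1}__{p2}-step2"

class ReplayCache:
    """Consumer-side check: a nonce is accepted once per window (assumed 600 s)."""
    def __init__(self, window=600):
        self.window, self.seen = window, {}

    def accept(self, nonce, now=None):
        now = time.time() if now is None else now
        self.seen = {n: t for n, t in self.seen.items() if now - t < self.window}
        if nonce in self.seen:
            return False            # the "Duplicate nonce detected" case
        self.seen[nonce] = now
        return True

def time_part(nonce):
    """Text between '__' and the trailing '-step<N>' suffix."""
    return nonce.partition("__")[2].rsplit("-step", 1)[0]

def audit(log_lines):
    """Flag nonces that repeat or lack the time-based part in debug output."""
    nonces = [m.group(1) for line in log_lines if (m := NONCE_LINE.search(line))]
    counts = Counter(nonces)
    return {"reused": sorted(n for n, c in counts.items() if c > 1),
            "no_time_part": sorted({n for n in nonces if not time_part(n)})}

# Constructed input: the nonce line quoted above, repeated as in the debug files.
SAMPLE = ["The nonce used is 956d3c2c-8c18-579d-9efd-8e17e8ce44a5__-step2"] * 3

if __name__ == "__main__":
    print(audit(SAMPLE))
    for patched in (False, True):
        cache = ReplayCache()
        sent = [build_nonce("testuser1/Optimization", False, patched) for _ in range(3)]
        print("patched" if patched else "unpatched", [cache.accept(n) for n in sent])
```

In the model, the unpatched path sends one nonce three times and only the first is accepted until the cache window expires, which matches the reported behaviour of a first passback succeeding and later ones failing until enough time has passed.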

In reply to Nathan Wallach

Re: The "duplicate nonce" error is back

by Larry Riddle -
That change worked for me!! (I did have to restart Apache to get it to work.)

I tried grading the same problem several times and each time the grade was reported as being successfully sent to the RMS. The final attempt was with the correct answer and I verified that the Canvas gradebook did show full credit for that problem.

Thanks for the quick fix!

In reply to Larry Riddle

Re: The "duplicate nonce" error is back

by Nathan Wallach -

You're welcome. The debug files you provided really helped - as I could see the same nonce being reused, and could see what part of the expected nonce was missing. Once I saw that, I could look for the bug, and after first looking for some other cause - carefully checked when the critical line was being run, and found it.

I'm sorry that the bug made it into the release - it is a pretty dumb mistake. Apparently too much of my testing of the final version of the file was with the $lti_check_prior=1 setting which avoided the bug having any impact. Much of the testing was done with the somewhat older version of the file (before $lti_check_prior was added) and did not have the bug, which apparently led to me doing insufficient testing of the final version which made it into the release. Simple tests of a single grade being sent to the LMS with $lti_check_prior=0 would not hit the issue.

I hope the hotfix will soon be merged, so that people installing WeBWorK 2.16 after that will avoid getting bitten by the bug.

In reply to Nathan Wallach

Re: The "duplicate nonce" error is back

by tim Payer -

Thank you Nathan for finding and fixing the "Duplicate nonce" bug.

The effect was immediate and the grade pass-back to Canvas works great now.

Tim