WeBWorK Main Forum

Canvas LTI 1.3 authentification issue

Canvas LTI 1.3 authentification issue

by Wai Yan Pong -
Number of replies: 21

We are trying to integrate WebWork with our campus Canvas but run into problems.

Here are some info: Canvas' LTI 1.3, WebWork version 2.18

We follow the instructions on https://webwork.maa.org/wiki/LTI_Authentication_(for_WeBWorK_2.18_or_newer)

WebWork is added to the Externel Apps on Canvas and we modified the webwork config files accordingly. 

A new assignment called "LTI Test" is created in an existing Canvas Course and pointed to an existing webwork course

https://math.csudh.edu/webwork2/24Summer_MAT132_Pong/

Clicking the created link in Canvas brings us to 

https://math.csudh.edu/webwork2/ltiadvantage/login

with error messages from webwork2/logs

[2024-06-12 08:04:08.04346] [20607] [warn] [X2ASJI2hIuZe] [/webwork2/ltiadvantage/login] The LTI Advantage

login route was accessed with invalid or missing parameters.

Where did we go wrong? Perhaps, we simply don't understand how the creation of assignments and login mechanism. 

Please help.

In reply to Wai Yan Pong

Re: Canvas LTI 1.3 authentification issue

by Wai Yan Pong -
I would like to provide more details:
We create a new webwork course and a new Canvas course for testing. When accessing the WebWork course from Canvas
we get this error message: (see attachment)
  • The LTI Advantage login route was accessed with invalid or missing parameters.
when going to the URL : https://math.csudh.edu/webwork2/ltiadvantage/login 
directly from a browser, we get the error message:

This course does not exist.

The setting in authen_LTI_1_3.conf is:

$LTI{v1p3}{PlatformID}      = 'https://csudh.instructure.com';
(Client ID and Deployment ID are taken out here)
$LTI{v1p3}{PublicKeysetURL} = 'https://csudh.instructure.com/api/lti/security/jwks';
$LTI{v1p3}{AccessTokenURL}  = 'https://csudh.instructure.com/login/oauth2/token';
$LTI{v1p3}{AccessTokenAUD}  = 'https://csudh.instructure.com/login/oauth2/token';
$LTI{v1p3}{AuthReqURL}      = 'https://csudh.instructure.com/api/lti/authorize_redirect';

It would be great if someone who have successfully integrated canvas LTI 1.3 with WebWork can give us some pointers. Thanks
Attachment LTI-error.png
In reply to Wai Yan Pong

Re: Canvas LTI 1.3 authentification issue

by Glenn Rice -

The first thing to do is to set "$debug_lti_parameters = 1;" in /opt/webwork/webwork2/conf/authen_LTI.conf.  Then watch the /opt/webwork/webwork2/logs/webwork2.log file when you attempt to sign in via LTI.  That will give you more information.

If you try to go to https://math.csudh.edu/webwork2/ltiadvantage/login in the browser, it will not work.  That route is not intended for direct browser usage.

If you get the message "The LTI Advantage login route was accessed with invalid or missing parameters." then either the $LTI{v1p3}{PlatformID} or the $LTI{v1p3}{ClientID} is incorrect in conf/authen_LTI_1_3.conf, or the LMS is not sending the right thing.  If you have "$debug_lti_parameters = 1;" then the parameters sent by the LMS will be shown in the log.  The "iss" parameter sent by the LMS should be the same as the PlatformID you have set, and the "client_id" sent by the LMS should match the ClientID.

In reply to Glenn Rice

Re: Canvas LTI 1.3 authentification issue

by Wai Yan Pong -
Glenn,

$debug_lti_parameters was set to 1.

But I couldn't find either the "iss" and "client_id" values that you mentioned in the webwork2.log

The typical error messages look like:

[2024-06-12 15:14:53.45273] [22661] [info] Creating process id file "/run/webwork2/webwork2.pid"

[2024-06-12 15:14:53.45304] [22686] [info] Worker 22686 started

[2024-06-12 15:15:17.95425] [22685] [warn] [1-2TpRss-92I] [/webwork2/ltiadvantage/login] The LTI Advantage login route was accessed with invalid or missing parameters.

[2024-06-12 15:15:46.63068] [22662] [warn] [WMiZWblPTTqS] [/webwork2/ltiadvantage/login] The LTI Advantage login route was accessed with invalid or missing parameters.

[2024-06-12 15:20:33.96425] [22668] [warn] [Jmr90IYjMKbn] [/webwork2/ltiadvantage/login] The LTI Advantage login route was accessed with invalid or missing parameters.

[2024-06-12 15:20:54.45343] [22686] [warn] [WXcOc7JB82tU] [/webwork2/ltiadvantage/login] The LTI Advantage login route was accessed with invalid or missing parameters.

[2024-06-12 15:20:55.77463] [22661] [warn] Stopping worker 22674 immediately

[2024-06-12 15:20:55.77475] [22661] [warn] Stopping worker 22685 immediately

[2024-06-12 15:20:55.77623] [22661] [warn] Stopping worker 22670 immediately

[2024-06-12 15:20:55.78013] [22661] [info] Worker 22674 stopped

However, in the earlier part of the log, I did find

[2024-06-12 14:35:52.29798] [22302] [warn] [tGQBAQgRi8Jz] [/webwork2/ltiadvantage/login] The LTI Advantage login route was accessed with the appropriate parameters.

[2024-06-12 14:39:14.67747] [22302] [warn] [VFofusfq2hj4] [/webwork2/ltiadvantage/login] The LTI Advantage login route was accessed with the appropriate parameters.

[2024-06-12 14:39:59.11805] [22301] [warn] [F3tDR3GUkpOG] [/webwork2/ltiadvantage/login] The LTI Advantage login route was accessed with the appropriate parameters.

But I don't recall ever successfully login to WebWork via Canvas. And don't recall what I did differently.

The webwork roster does not have any user except the admin account. So I expect when attempted access the HW set via Canvas, a new user will be created in the WebWork course. 

Also, the url given in the Canvas assignment is 

https://math.csudh.edu/webwork2/Canvas_Integration 

or should it be 

https://math.csudh.edu/webwork2/Canvas_Integration/HW_01 

?

Hopefully, you understand the puzzle and can help us to solve it. Thanks.

In reply to Wai Yan Pong

Re: Canvas LTI 1.3 authentification issue

by Thomas Mullaly -
Is the iss correct? iss => "https://canvas.instructure.com"

[Mon Jul 22 16:48:09.146010 2024] (eval): Hi, I'm the new dispatcher!
[Mon Jul 22 16:48:09.147196 2024] (eval): --------------------------------------------------------------------------------
[Mon Jul 22 16:48:09.147818 2024] (eval): Okay, I got some basic information:
[Mon Jul 22 16:48:09.148039 2024] (eval): The site location is /webwork2
[Mon Jul 22 16:48:09.148360 2024] (eval): The request method is POST
[Mon Jul 22 16:48:09.149247 2024] (eval): The URI is /webwork2/ltiadvantage/login
[Mon Jul 22 16:48:09.149413 2024] (eval): The argument string is iss=https%3A%2F%2Fcanvas.instructure.com&login_hint=babffb4a4xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&client_id=xxxxxxxxxxxxxxxxxxxxx&deployment_id=314%3A87xxxxxxxxxxxxxxxxxxxxxxxx776d63&target_link_uri=https%3A%2F%2Fsome.edu%2Fwebwork2%2FMATH_345-02B_Lert_Su24&lti_message_hint=eyJ0eXAiOiJKV1xxxxxxxxx2ZXJpZmllciI6ImIxNjc3NmYzYWFmYzU0NWExZGIxZWFlNDVjZTA2OTZkNTc2OWUyMWQyZGQxNjg2NTYwMTY5ZTRmYzIxZjRjxxxxxxxxxxxTExODgyYWY3MTUzZmMyNGZkNTE2MWJjMTE0MTg5NThiY2Y2YTNmNmZjYmRjIiwiY2FudmFzX2RvbWFpbiI6InVtYXNzYm9zdG9uLmluc3RydWN0dXJlLxxxxxxxxxxxxxxxxvdXJzZSIsImNvbnRleHRfaWQiOjIzNzgzMDAwMDAwMDAwMDkxNSwiY2FudmFzX2xvY2FsZSI6ImVuIiwiaW5jbHVkZV9zdG9yYWdlX3RhcmdldCI6dHJ1ZSwxxxxxxxxxxxxxxR5QftEHzgH5AQ_9txenmudL24Wk79J2MUAY_6M-JDWU&canvas_environment=prod&canvas_region=us-east-1&lti_storage_target=post_message_forwarding
[Mon Jul 22 16:48:09.149604 2024] (eval): --------------------------------------------------------------------------------
[Mon Jul 22 16:48:09.149984 2024] (eval): The path is /ltiadvantage/login/
[Mon Jul 22 16:48:09.150155 2024] (eval): The current route is ltiadvantage_login
[Mon Jul 22 16:48:09.150332 2024] (eval): Here is some information about this route:
[Mon Jul 22 16:48:09.151278 2024] (eval): The display module for this route is WeBWorK::ContentGenerator::LTIAdvantage
[Mon Jul 22 16:48:09.151503 2024] (eval): This route has the following captures:
[Mon Jul 22 16:48:09.151697 2024] (eval): controller => LTIAdvantage
[Mon Jul 22 16:48:09.151861 2024] (eval): courseID => MATH_345-02
[Mon Jul 22 16:48:09.152017 2024] (eval): action => login
[Mon Jul 22 16:48:09.152164 2024] (eval): --------------------------------------------------------------------------------
[Mon Jul 22 16:48:09.152305 2024] (eval): Now we want to look at the parameters we got.
[Mon Jul 22 16:48:09.152486 2024] (eval): The raw params:
[Mon Jul 22 16:48:09.152607 2024] (eval): login_hint => "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
[Mon Jul 22 16:48:09.152792 2024] (eval): lti_message_hint => "eyJ0eXAiOiJKV1QiLCJhbGciOxxxxxxxxxxxxxxxxxx6ImIxNjc3NmYzYWFmYzU0NWExZGIxZWFlNDVjZTA2OTZkNTc2OWUyMWQyZGQxNjg2NTYwMTY5ZTRmYzIxZjRjYThiYjc3MmNhZWY4YjJiZjMyxxxxxxxxxxxxxxxxxxxyNGZkNTE2MWJjMTE0MTg5NThiY2Y2YTNmNmZjYmRjIiwiY2FudmFzX2RvbWFpbiI6InVtYXNzYm9zdG9uLmluc3RydWN0dXJlLmNvbSIsImNvxxxxxxxxxxxxxxxxxxxxxxsImNvbnRleHRfaWQiOjIzNzgzMDAwMDAwMDAwMDkxNSwiY2FudmFzX2xvY2FsZSI6ImVuIiwiaW5jbHVkZV9zdG9yYWdlX3RhcmdlxxxxxxxxxxxxxxxxxxxNTg3fQ.R5QftEHzgH5AQ_9txenmudL24Wk79J2MUAY_6M-JDWU"
[Mon Jul 22 16:48:09.152983 2024] (eval): client_id => "xxxxxxxxxxxxxxxxxxxxxxx"
[Mon Jul 22 16:48:09.153142 2024] (eval): canvas_environment => "prod"
[Mon Jul 22 16:48:09.153309 2024] (eval): deployment_id => "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
[Mon Jul 22 16:48:09.153481 2024] (eval): lti_storage_target => "post_message_forwarding"
[Mon Jul 22 16:48:09.153632 2024] (eval): iss => "https://canvas.instructure.com"
[Mon Jul 22 16:48:09.153782 2024] (eval): canvas_region => "us-east-1"
[Mon Jul 22 16:48:09.153951 2024] (eval): target_link_uri => "https://xxxxxxxxxxxx.edu/webwork2/MATH_x02B"
[Mon Jul 22 16:48:09.154030 2024] (eval): --------------------------------------------------------------------------------
[Mon Jul 22 16:48:09.154088 2024] (eval): We need to get a course environment (with or without a courseID!)
[Mon Jul 22 16:48:09.165188 2024] (eval): Here's the course environment: WeBWorK::CourseEnvironment=HASH(0x555e9298fb98)
[Mon Jul 22 16:48:09.215802 2024] (eval): Using user_authen_module WeBWorK::Authen::LTIAdvantage: WeBWorK::Authen::LTIAdvantage=HASH(0x555e92aaa8e8)
[Mon Jul 22 16:48:09.215984 2024] (eval): We got a courseID from the route, now we can do some stuff:
[Mon Jul 22 16:48:09.216066 2024] (eval): ...we can create a database object...
[Mon Jul 22 16:48:09.262431 2024] (eval): (here's the DB handle: WeBWorK::DB=HASH(0x555e8d640f20))
[Mon Jul 22 16:48:09.262832 2024] WeBWorK::Authen::LTIAdvantage::verify: The LTI Advantage login route was accessed with invalid or missing parameters.
[Mon Jul 22 16:48:09.262960 2024] (eval): Bad news: authentication failed!
[Mon Jul 22 16:48:09.263035 2024] (eval): Rendering WeBWorK::ContentGenerator::Login
In reply to Thomas Mullaly

Re: Canvas LTI 1.3 authentification issue

by Glenn Rice -

The iss (or PlatformID) may need to be your institution's canvas url.  That would be something like https://yourinstitution.instructure.com.

In reply to Glenn Rice

Re: Canvas LTI 1.3 authentification issue

by Peter Lert -
Hi Glenn et al. I'm working with Tom Mullaly (see above: https://webwork.maa.org/moodle/mod/forum/discuss.php?d=8513#p21288).
I only recently discovered that Canvas is an open source system available in Github. Included is some discussion of the use of the issuer parameter lti_iss, which evidently defaults to 'https://canvas.instructure.com' and is not changed for many installations of Canvas. As discussed, here: https://github.com/instructure/canvas-lms/issues/1935 this issue may create problems with LTI 1.3. However, this may be a Canvas feature, not a bug, and changing it in Canvas may impact other apps, as noted here: https://github.com/instructure/canvas-lms/issues/2331.

Are there any successful Canvas/WWv2.18 LTI 1.3 integrations that can share the relevant details of their configurations, on both systems?

Thanks again for all your massive contributions.
In reply to Peter Lert

Re: Canvas LTI 1.3 authentification issue

by Peter Lert -
More on the Canvas LTI 1.3 story linking to WebWork version 2.18:

Indeed it appears that Canvas has coded a solution around the use of the default value for iss='https://canvas.instructure.com', in the common case that schools do not set up iss='https://myschool.instructure.com'. The Canvas repo in Github includes the following in 'canvas-lms/app/controllers/lti/ims/authentication_controller.rb':
# Redirect the "authorize" action for the domain specified
# in the lti_message_hint
#
# This means that tools can simply use the canvas.instructure.com
# domain in the authentication requests rather than keeping
# track of institution-specific domain.
def authorize_redirect
Utils::InstStatsdUtils::Timing.track "lti.authorize_redirect" do
redirect_to authorize_redirect_url
end
end
The GitHub file 'canvas-lms/spec/controllers/lti/ims/authentication_controller_spec.rb' indicates that in either of 2 contexts:
* when the developer key redirect uri contains a query string, or
* when the developer key redirect uri does not match [the value passed for the redirect_uri argument]
then Canvas will fail to authorize with an "Invalid redirect_uri" message. (I am not familiar with Ruby, so there may be other details that I am not seeing.) That's the error I am getting now. Here are the details:

Parameter settings in webwork2/conf/authen_LTI_1_3.conf:
$LTI{v1p3}{PlatformID} = 'https://canvas.instructure.com';
$LTI{v1p3}{ClientID} = '23xxx23';
$LTI{v1p3}{DeploymentID} = '31xxx63';
$LTI{v1p3}{PublicKeysetURL} = 'https://myuniv.instructure.com/api/lti/security/jwks';
$LTI{v1p3}{AccessTokenURL} = 'https://myuniv.instructure.com/login/oauth2/token';
$LTI{v1p3}{AccessTokenAUD} = 'https://myuniv.instructure.com/login/oauth2/token';
$LTI{v1p3}{AuthReqURL} = 'https://myuniv.instructure.com/api/lti/authorize_redirect';

Settings in Canvas Developer Key:
Redirect URIs = 'https://webwork.myuniv.edu/webwork2/ltiadvantage/launch'
Target Link URI = 'https://webwork.myuniv.edu/webwork2'
OpenID Connect Initiation Url = 'https://webwork.myuniv.edu/webwork2/ltiadvantage/login'
JWK Method = 'Public JWK URL'
Public JWK URL = 'https://webwork.myuniv.edu/webwork2/ltiadvantage/keys'
LTI Advantage Services All Selected
Additional Settings:
Domain = 'https://webwork.myuniv.edu'
Privacy level = Public
Placements:
Assignment Selection
Target Link URI Select Message Type LtiResourceLinkRequest

webwork2 debug.log:
===> Begin WeBWorK::dispatch() <===

[Tue Jul 23 18:19:29.970766 2024] (eval): Hi, I'm the new dispatcher!
[Tue Jul 23 18:19:29.971019 2024] (eval): --------------------------------------------------------------------------------
[Tue Jul 23 18:19:29.971205 2024] (eval): Okay, I got some basic information:
[Tue Jul 23 18:19:29.971397 2024] (eval): The site location is /webwork2
[Tue Jul 23 18:19:29.971581 2024] (eval): The request method is POST
[Tue Jul 23 18:19:29.971922 2024] (eval): The URI is /webwork2/ltiadvantage/login
[Tue Jul 23 18:19:29.972122 2024] (eval): The argument string is iss=https%3A%2F%2Fcanvas.instructure.com&login_hint=01xxx12&client_id=23xxx23&deployment_id=31xxx63&target_link_uri=https%3A%2F%2Fwebwork.myuniv.edu%2Fwebwork2%2FMATH_321&lti_message_hint=eyJxxxXoo&canvas_environment=prod&canvas_region=us-east-1&lti_storage_target=post_message_forwarding
[Tue Jul 23 18:19:29.972295 2024] (eval): --------------------------------------------------------------------------------
[Tue Jul 23 18:19:29.972570 2024] (eval): The path is /ltiadvantage/login/
[Tue Jul 23 18:19:29.972777 2024] (eval): The current route is ltiadvantage_login
[Tue Jul 23 18:19:29.972942 2024] (eval): Here is some information about this route:
[Tue Jul 23 18:19:29.973596 2024] (eval): The display module for this route is WeBWorK::ContentGenerator::LTIAdvantage
[Tue Jul 23 18:19:29.973804 2024] (eval): This route has the following captures:
[Tue Jul 23 18:19:29.974029 2024] (eval): action => login
[Tue Jul 23 18:19:29.974197 2024] (eval): controller => LTIAdvantage
[Tue Jul 23 18:19:29.974361 2024] (eval): courseID => MATH_321
[Tue Jul 23 18:19:29.974550 2024] (eval): --------------------------------------------------------------------------------
[Tue Jul 23 18:19:29.974713 2024] (eval): Now we want to look at the parameters we got.
[Tue Jul 23 18:19:29.974898 2024] (eval): The raw params:
[Tue Jul 23 18:19:29.975107 2024] (eval): login_hint => "01xxx12"
[Tue Jul 23 18:19:29.975289 2024] (eval): client_id => "23xxx23"
[Tue Jul 23 18:19:29.975469 2024] (eval): target_link_uri => "https://webwork.myuniv.edu/webwork2/MATH_321"
[Tue Jul 23 18:19:29.975646 2024] (eval): deployment_id => "31xxx63"
[Tue Jul 23 18:19:29.975838 2024] (eval): lti_storage_target => "post_message_forwarding"
[Tue Jul 23 18:19:29.976013 2024] (eval): canvas_region => "us-east-1"
[Tue Jul 23 18:19:29.976128 2024] (eval): iss => "https://canvas.instructure.com"
[Tue Jul 23 18:19:29.976199 2024] (eval): lti_message_hint => "eyJxxxwc8"
[Tue Jul 23 18:19:29.976280 2024] (eval): canvas_environment => "prod"
[Tue Jul 23 18:19:29.976348 2024] (eval): --------------------------------------------------------------------------------
[Tue Jul 23 18:19:29.976414 2024] (eval): We need to get a course environment (with or without a courseID!)
[Tue Jul 23 18:19:29.986535 2024] (eval): Here's the course environment: WeBWorK::CourseEnvironment=HASH(0x55XXXf0)
[Tue Jul 23 18:19:29.987044 2024] (eval): Using user_authen_module WeBWorK::Authen::LTIAdvantage: WeBWorK::Authen::LTIAdvantage=HASH(0x55XXX08)
[Tue Jul 23 18:19:29.987162 2024] (eval): We got a courseID from the route, now we can do some stuff:
[Tue Jul 23 18:19:29.987233 2024] (eval): ...we can create a database object...
[Tue Jul 23 18:19:29.994696 2024] (eval): (here's the DB handle: WeBWorK::DB=HASH(0x55XXX88))
[Tue Jul 23 18:19:29.995016 2024] WeBWorK::Authen::LTIAdvantage::verify: The LTI Advantage login route was accessed with the appropriate parameters.
===> end of log <===

In a Canvas course I used the WebWork LTI 1.3 tool installed with the Developer Key above to create and save a Canvas Assignment linked to a WebWork version 2.18 course MATH_321. When this assignment is selected Canvas responds with a button to "Load MATH_321 in a new window". However when that link is selected the result in Canvas is:
{"status":"bad_request","message":"Invalid redirect_uri"}
and the address box for the browser window with that error message shows the following (with redactions):
'https://myuniv.instructure.com/api/lti/authorize?client_id=23xxx23&login_hint=01xxx12&lti_message_hint=eyJxxxwc8&nonce=415xxxaa0&prompt=none&redirect_uri=http%3A%2F%2Fwebwork.myuniv.edu%2Fwebwork2%2Fltiadvantage%2Flaunch&response_mode=form_post&response_type=id_token&scope=openid&state=01dxxx112%2Cset_id%3AMATH_321%2Cset_id%3Afafxxx141'

The webwork2 debug.log listed above results from this attempt to access WebWork from my Canvas course.

The single anomaly I can spot is that the value provided for the redirect_uri parameter shown in Canvas is:
redirect_uri=http%3A%2F%2Fwebwork.myuniv.edu%2Fwebwork2%2Fltiadvantage%2Flaunch
which is equivalent to:
redirect_uri=http://webwork.myuniv.edu/webwork2/ltiadvantage/launch
This value for the redirect_uri argument in Canvas differs from the value given in the Developer Key for Redirect URIs in that it substitutes 'http' for 'https'. Any idea where that change occurs, or why?

More importantly, and idea on how to fix this?

Again, if anyone can share the details of their successful Canvas/WebWork v2.18 LTI 1.3 configuration details (appropriately redacted) we will greatly appreciate it.
In reply to Peter Lert

Re: Canvas LTI 1.3 authentification issue

by Glenn Rice -

As I said, the PlatformID "may" need to be the institution specific instructure URL ... but maybe not.  I know that in testing with the docker build of Canvas from Github I needed to specifically use "https://canvas.instructure.com".  I haven't tested on a production instance of Canvas though.

The change from "https" to "http" is happening on line 159 of lib/WeBWorK/ContentGenerator/LTIAdvantage.pm.  You don't have your webwork2 server configured correctly to serve with SSL. How are you serving webwork?  Are you serving directly via hypnotoad, or are you proxying via another server (like apache2)?

In reply to Glenn Rice

Re: Canvas LTI 1.3 authentification issue

by Thomas Mullaly -
We use nginx as a web proxy on a separate server for a number of internal web sites and applications, including our production webwork 2.16 server.

Our webwork 2.18 server is also behind this same web proxy. I didn't bother using a local proxy on the webwork server itself for this server, hypnotoad is listening to the external interface and the web proxy talks to it on the local subnet. The web proxy has the ssl connection to the client, the connection from the web proxy to the hypnotoad app is not encrypted. The firewall rules on the webwork server are set to only allow connections from the web proxy.

thoughts?
-tom
In reply to Thomas Mullaly

Re: Canvas LTI 1.3 authentification issue

by Glenn Rice -
Then the problem is that the proxy is not configured to forward the protocol. So Mojolicious doesn't think that SSL is in use. As such, when url_for is called on line 159 of lib/WeBWorK/ContentGenerator/LTIAdvantage.pm, it gives a URL with http instead of https. You should look at the /opt/webwork/webwork2/conf/webwork2.nginx.dist.conf file. It has the nginx configuration that forwards the protocol in it. That is the line proxy_set_header X-Forwarded-Proto $scheme;.
In reply to Glenn Rice

Re: Canvas LTI 1.3 authentification issue

by Thomas Mullaly -
Thanks, that has fixed the issue. I added this to my nginx config:
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
In reply to Peter Lert

Re: Canvas LTI 1.3 authentification issue

by Wai Yan Pong -

Just want to report back that we have some success with Canvas LTI integration (we are using Apache as web server).

Our issue was solved by changing all myuniv.instructure.com (not just the one in $LTI{v1p3}{PlatformID}) to canvas.instructure.com

in the authen_LTI_1_3.conf file.

With those changes, we are able to access WebWork via the HW link created in Canvas. However, we still need to create the WebWork accounts manually first.

Our understanding is that

"$LTIAccountCreationCutoff: WeBWorK will automatically create users when logging in via the LMS for the first time for users with a permission level below what this is set to. This is set to "ta" by default."

Any idea why student accounts are not created automatically?

In reply to Wai Yan Pong

Re: Canvas LTI 1.3 authentification issue

by Alex Jordan -

> Any idea why student accounts are not created automatically?

Just to check something that has come up before:  did you test this with an actual Canvas student account? As opposed to some higher level account that is acting in "student view" or something like that? It won't work while "viewing as a student" or whatever the Canvas term for that is.

If it's not working with actual student accounts, one thing to check is what the actual role name is Canvas for your students, and if it maps to "student" in `$LTI{v1p3}{LMSrolesToWeBWorKroles}` (which is in the `authen_LTI_1_3.conf` file). The LMS roles `student` and `Student` are in there by default, but there could be something different used in a given LMS installation. Your Canvas admins should know the role name for students. With LTI 1.1, the WeBWorK LTI 1.1 debugging would show you what is coming through, but I'm not sure you can do that with 1.3.

In reply to Alex Jordan

Re: Canvas LTI 1.3 authentification issue

by Glenn Rice -

If debug_lti_parameters is set to 1 in authen_LTI.conf, then you will get debugging information for this with LTI 1.3.  However, it will not show up in the browser like it does for LTI 1.1.  Instead it will be in the webwork application log file (/opt/webwork/webwork2/logs/webwork2.log).

In reply to Alex Jordan

Re: Canvas LTI 1.3 authentification issue

by Wai Yan Pong -

We are testing it with our Canvas admin and we do aware that "being student" issue.

It was not clear to me what happened. But when the Canvas admin access the HW with a "true" student email, it works.

We are now testing Grade Passing between Canvas and WebWork, will report back if we are successful. 

In reply to Wai Yan Pong

Re: Canvas LTI 1.3 authentification issue

by Wai Yan Pong -
I am happy to report that Grade Passing essentially work. That is, the grades on Canvas are being updated as the students answer the questions. 

However, we get an error when we try to update the grades "manually" via the LTI Grade Update tab in WebWork. I think the interesting part of the error message is the following:

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 WeBWorK error
An error occured while processing your request.

For help, please send mail to this site's webmaster, including all of the following information as well as what what you were doing when the error occured.

Error record identifier
549f1681-5177-5eb9-ab04-1ba9d8f37a54::31dbc3e8-5523-11ef-8376-9b896ba8681a

Error messages
DBD::SQLite::db do failed: SQL logic error at /usr/share/perl5/Mojo/SQLite.pm line 118.

Context
113: sub _prepare {
114:   my $self = shift;
115: 
116:   # Automatic migrations
117:   ++$self->{migrated} and $self->migrations->migrate
118:     if !$self->{migrated} && $self->auto_migrate;
119: 
120:   my $parent = $self->parent;
121:   return $parent ? $parent->_prepare : $self->_dequeue;
122: }
123: 

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

It complaints about line 118 above. 

Any idea of what went wrong? Thanks for taking the time to look into this.

In reply to Wai Yan Pong

Re: Canvas LTI 1.3 authentification issue

by Wai Yan Pong -

I would like to follow up on this issue. 

The LTI integration with Canvas would work flawlessly if we can straighten out this issue:

Error messages
DBD::SQLite::db do failed: SQL logic error at /usr/share/perl5/Mojo/SQLite.pm line 118.

This happens when we try to update the grades "manually" via the LTI Grade Update tab in WebWork.

Sounds like it is a SQL programming issue, anyone has a similar experience when using the LTI Grade Update? 

In reply to Wai Yan Pong

Re: Canvas LTI 1.3 authentification issue

by Glenn Rice -

It sounds like you may have missed a step in the installation.  Did you do what is directed in https://webwork.maa.org/wiki/Installation_Manual_for_2.18_on_Ubuntu#Install_Dependencies?

To check this run "perl -MMojo::SQLite\ 9999".  That should return

Mojo::SQLite version 9999 required--this is only version 3.005.
BEGIN failed--compilation aborted.

where the version will probably be different for you. What version does it show for you?
In reply to Glenn Rice

Re: Canvas LTI 1.3 authentification issue

by Wai Yan Pong -

Hi Glenn, thank you for the reply. Yep, that's exactly the issue. 

I followed the section "Set Up the Webwork2 Job Queue" in the installation file and downgraded MMojo::SQLite to version 3.002

Then LTI grade update works! 

When we upgraded to 2.18, I probably just read the upgrade instructions that's most likely why I missed that session. 

In reply to Wai Yan Pong

Re: Canvas LTI 1.3 authentification issue

by Glenn Rice -

Yeah, the last bullet item in the upgrade instructions just gives the link to the section in the installation instructions and says the step is optional.  I can see how it is easy to miss.