Thursday, March 27, 2014

Week 9: Blazing the Trail....that was already tread

Ultimately we were not able to make any progress with the libraries.  It is time to admit defeat. We decided instead to implement our own version of a "library" just to deal with simple verification of a base string of variables sent from Canvas.  This was something that everyone else on the Internet forums seemed to be doing, but we thought that was the "hard way." Lesson 1 learned.

We found some helpful files already written here but, being the total newb that I am, didn't know how to mount those files onto our local server.  Lesson 2 learned: ask the mentor before posting stupid questions on the Internet....

In order to check given signatures, I wrote some simple code in Java to complete the following steps in creating and verifying an OAuth signature:

The 4 Steps to Generating an OAuth Signature

1. Collect all request parameters:

All parameters related to OAuth which start with oauth_ except for
oauth_signature should be collected. If parameters are used in the POST
body, they also should be collected. For us, this means we need all the
LTI parameters, e.g. lti_message_type, user_id, etc.

2. Normalize the parameters:

First, sort all parameters in alphabetical order and apply URL encoding
(rfc3986) to each key and value. Second, list the results of the URL
encoding in <key>=<value> format, and insert "&" between each pair.
Finally, apply URL encoding to the entire result.

NOTE: URL encoding is also called percent-encoding. Long story short, it
involves replacing reserved and non-ASCII characters with escape sequences
which begin with a percent symbol. For example, the ampersand "&" is
replaced with the escape code "%26". Check out the Wikipedia entry for
more information:

http://en.wikipedia.org/wiki/Percent-encoding

3. Create a Signature Base String:

Combine the HTTP method name (GET or POST), the HTTP URL address called by
the Consumer (except for parameters), and the normalized parameters by
using "&". The combination becomes "[GET|POST] + & + [URL string except
for parameters] + & + [Normalized Parameters]".

4. Generate a Key

Sign the string generated at step 3 using the Consumer Secret Key.
This Consumer Secret Key is obtained when the Consumer registers with the
Service Provider. Using a keyed-hash method such as HMAC-SHA1 (a message
authentication code, not encryption), generate the final oauth_signature.

That's it!

The code currently just reads from a file of parameters and encrypts them.  Our next step is to use HMAC-SHA1 to generate the final signature and validate it.


We also discovered that linking our Canvas server (http://0.0.0.0:3000/) was generating an error message, not a proper list of parameters (so we were cheating).  Instead, to properly pass through the modules, we need to have a working app on our local server that processes the data in a logical way.

Goals for next week:
  1. Get local server running
  2. Construct app to process parameters from Canvas


