Cvmcosta / ltijs

Turn your application into a fully integratable LTI 1.3 tool provider.
https://cvmcosta.github.io/ltijs/
Apache License 2.0

NamesAndRoles does not work on canvas encrypt/decrypt error #119

Closed tal32123 closed 3 years ago

tal32123 commented 3 years ago

There seems to be an error decrypting when trying to get the namesandroles. My setup is on the Canvas test website, Windows localhost (127.0.0.1) using the ltijs client and server. It is embedded OK in the course and navbar of Canvas and I get some info on the main ltijs page. However, the other two pages do not work. For the namesandroles I get the following error:

```
stack:'Error: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt
    at Decipheriv.final (internal/crypto/cipher.js:174:29)
    at Database.Decrypt (node_modules\ltijs\dist\Utils\Database.js:431:52)
    at Database.Get (node_modules\ltijs\dist\Utils\Database.js:285:43)
    at processTicksAndRejections (internal/process/task_queues.js:95:5)
    at async Platform.platfo…rs\node_modules\ltijs\dist\Utils\Auth.js:318:37)
    at async Platform.platformAccessToken (\node_modules\ltijs\dist\Utils\Platform.js:300:15)
    at async NamesAndRoles.getMembers (node_modules\ltijs\dist\Provider\Services\NamesAndRoles.js:73:22)
    at async c:\Users\TalCharnes\Documents\lti-demo...
```

Cvmcosta commented 3 years ago

Hello! Did you change the encryption key after registering one of the Platforms? The first parameter of ltijs.setup() is used to encrypt/decrypt the keys used to validate some messages, if you change the encryption key you have to delete and re-register the platforms or just recreate the database.

tal32123 commented 3 years ago

I didn't touch the encryption key. I also dropped and recreated the database and it doesn't work for some reason. I'm on windows, localhost if this helps? Also the npm start command was not working (I assume you're on mac/linux?) so I had to change it to this just so it would run: "start": "set DEBUG=provider:* && node index.js"

tal32123 commented 3 years ago

Ok, so I completely deleted the db (before I deleted it and set it up on my own again with empty database and empty document). This time I deleted it and ltijs has recreated it. Now it is getting an internal server error:

```
stack:'HTTPError: Response code 500 (Internal Server Error)
    at Request. (\ltijs-demo-server\node_modules\got\dist\source\as-promise\index.js:117:42)
    at processTicksAndRejections (internal/process/task_queues.js:95:5)'
```

This seems to be the troublesome part: `const access = await got.post(await platform.platformAccessTokenEndpoint(), { form: message }).json();`

I do have a token in the message, scope is set to: 'https://purl.imsglobal.org/spec/lti-nrps/scope/contextmembership.readonly' (not by me)

And setup is like this, as I thought a token age issue may be affecting this:

```javascript
lti.setup(process.env.LTI_KEY,
  {
    url: 'mongodb://' + process.env.DB_HOST + '/' + process.env.DB_NAME + '?authSource=admin',
    connection: { user: process.env.DB_USER, pass: process.env.DB_PASS }
  }, {
    staticPath: path.join(__dirname, './public'), // Path to static files
    cookies: {
      secure: false, // Set secure to true if the testing platform is in a different domain and https is being used
      sameSite: '' // Set sameSite to 'None' if the testing platform is in a different domain and https is being used
    },
    tokenMaxAge: 900,
    devMode: true // Set DevMode to true if the testing platform is in a different domain and https is not being used
  })
```

Cvmcosta commented 3 years ago

Can you show me the logs up until this error? Seeing as this is a 500 error it might be something wrong with the Canvas instance as well, is this your Canvas instance, do you know how it's deployed?

tal32123 commented 3 years ago

```
Debugger attached.
provider:main Attempting to connect to database +0ms
provider:database Database connected +0ms
provider:database Database connection open +3ms
provider:main Ltijs started listening on port: 3000 +45ms
```

```
LTI Provider is listening on port 3000!

LTI provider config:

App Route: /
Initiate Login Route: /login
Keyset Route: /keys
Dynamic Registration Route: /register

Starting in Dev Mode, state validation and session cookies will not be required. THIS SHOULD NOT BE USED IN A PRODUCTION ENVIRONMENT!
provider:main Platform already registered +57ms
provider:main Receiving request at path: /members +14s
provider:main Path does not match reserved endpoints +1ms
provider:main Cookies received: +0ms
provider:main [Object: null prototype] {} +0ms
provider:main Ltik found +2ms
provider:main Ltik successfully verified +3ms
provider:main Attempting to retrieve matching session cookie +0ms
provider:main Dev Mode enabled: Missing session cookies will be ignored +0ms
provider:auth Valid session found +0ms
provider:main Passing request to next handler +18ms
provider:namesAndRolesService Attempting to retrieve memberships +0ms
provider:namesAndRolesService Target platform: https://canvas.test.instructure.com +0ms
provider:namesAndRolesService Attempting to retrieve platform access_token for [https://canvas.test.instructure.com] +6ms
provider:platform Valid access_token for https://canvas.test.instructure.com not found +0ms
provider:platform Attempting to generate new access_token for https://canvas.test.instructure.com +0ms
provider:platform With scopes: https://purl.imsglobal.org/spec/lti-nrps/scope/contextmembership.readonly +0ms
provider:auth Awaiting return from the platform +0ms
Response code 500 (Internal Server Error)
```

tal32123 commented 3 years ago

It's Canvas's test instance.

Cvmcosta commented 3 years ago

Is this deployed by instructure themselves? Usually 500 issues on Canvas are caused by misconfiguration during Canvas deployment.

tal32123 commented 3 years ago

This is the instructure version, yes.

tal32123 commented 3 years ago

Perhaps I shouldn't have upgraded to latest version of ltijs in the ltijs demo server app?

Cvmcosta commented 3 years ago

Maybe, but I don't think this should be an issue. If we don't know exactly what error we are getting on Canvas it's a bit hard to debug. Are you sure the Tool and Platform are both registered correctly within each other (with access to the LTI services configured on Canvas)?

If you have access to the Canvas instance logs it might give us some insight.

tal32123 commented 3 years ago

I went back to the prior version of LTIJS; this didn't help, so I moved back to the newest version.


I have tried with localhost and without. I don't know what you mean by tool and platform? I did the registration section for the demo server as such:


```javascript
/**
 * Register platform
 */
await lti.registerPlatform({
  url: 'https://canvas.test.instructure.com',
  name: 'ltijstest',
  clientId: '15751000_MY_CLIENT_ID____',
  authenticationEndpoint: 'https://canvas.test.instructure.com/api/lti/authorize_redirect',
  accesstokenEndpoint: 'https://canvas.test.instructure.com/login/oauth2/token',
  authConfig: { method: 'JWK_SET', key: 'https://canvas.test.instructure.com/api/lti/security/jwks' }
})
```

tal32123 commented 3 years ago

I have tried the above canvas install without localhost as well (http://127.0.0.1:3000 instead of the localhost:3000)

tal32123 commented 3 years ago

Other than registering the demo server platform I have not touched anything in the code other than the npm start command being changed to:

```json
"start": "set DEBUG=provider:* && node index.js"
```

tal32123 commented 3 years ago

Could it be because the server for canvas won't work with default setup on the lti demo server or because my server is http/localhost, not https?:

```javascript
lti.setup(process.env.LTI_KEY,
  {
    url: 'mongodb://' + process.env.DB_HOST + '/' + process.env.DB_NAME + '?authSource=admin',
    connection: { user: process.env.DB_USER, pass: process.env.DB_PASS }
  }, {
    staticPath: path.join(__dirname, './public'), // Path to static files
    cookies: {
      secure: false, // Set secure to true if the testing platform is in a different domain and https is being used
      sameSite: '' // Set sameSite to 'None' if the testing platform is in a different domain and https is being used
    },
    devMode: true // Set DevMode to true if the testing platform is in a different domain and https is not being used
  })
```

?

Cvmcosta commented 3 years ago

Yes, sorry, I don't know how I didn't think of this before. Your server is hosted on localhost, right? Canvas is trying to reach your JWKS endpoint by calling localhost, that's why it's failing, Canvas is not on the same localhost.

tal32123 commented 3 years ago

Thanks, I have set up a server and it definitely helped as now I've moved forward. However, I get unauthorized no matter what I try now (tried a variety of the different instance registrations).

Once I figure this out, I will update the documentation if you'd like in order to save you and others time.

Cvmcosta commented 3 years ago

Do you have any logs up until the error?

tal32123 commented 3 years ago

I have tried with the name 'canvas' instead of 'MY_INSTRUCTURE_HOSTED_INSTANCE_NAME', which didn't work either, but this was Instructure's suggestion.

tal32123 commented 3 years ago

The issue was that in a Canvas test instance there needs to be some special setting, which I actually looked for after seeing it in their community forums and didn't find. However, after this was set it was fixed.