celtic-project / Rating-PHP

Example LTI tool
GNU General Public License v3.0

LTI messages must use HTTP POST #4

Closed iambpete closed 4 years ago

iambpete commented 4 years ago

First off, thank you for putting this resource out there. I've been exploring some of the other PHP-based LTI 1.3 implementations currently available and the ceLTIc LTI class library and examples have the best documentation hands down! Very much appreciated!

I'm attempting to run the Rating-PHP example application against a Blackboard SaaS test environment. I believe I've run through all of the steps: registering the 1.3 application via the Blackboard Developer site, adding it as a tool provider via the "Register LTI 1.3/Advantage Tool" option within the Blackboard SaaS environment, etc.

However, the issue I'm running into currently is that I'm receiving the following error in the debug logs when launching the tool within a course: Request failed with reason: 'LTI messages must use HTTP POST'

Just to test, I commented out the associating condition with the LTI 'Tool' library and re-ran the launch request. The next error that appears is Invalid or missing lti_message_type parameter.

I decoded the JWT id_token from the POST request received for 'connect.php' and the payload appears to contain all of the correct information including the message_type "LtiResourceLinkRequest".

Are there any other configuration changes that must be made within the Rating-PHP application in order for it to work with Blackboard?

spvickers commented 4 years ago

I am not aware of any changes which should be required for Blackboard. Are you able to enable debug-level logging in the init function in lib.php and provide a copy of the HTTP request messages which are being sent and received? Whilst the login initiation request can be sent using GET or POST, I believe the spec requires the response to the authentication request should be a POST, so I do not understand why you are receiving a GET (is it a GET that you are receiving?).

iambpete commented 4 years ago

Here is what I'm seeing upon tool launch via Blackboard. The 'OMITTED' text is just what I manually removed from the log for security.

[Thu Sep 17 11:06:26.082607 2020] [php7:notice] [pid 8643] [client [OMITTED]] [INFO] GET request received for '/blackboard/lti/connect.php?iss=https%3A%2F%2Fblackboard.com&login_hint=https%253A%252F%252F[OMITTED].blackboard.com%252Fwebapps%252Fblackboard%252Fexecute%252Fblti%252FlaunchPlacement%253Fcmd%253Dauthenticate%2C3fcf9a65a9ff424f97f1c3aa25b65b0b&target_link_uri=https%3A%2F%2F[OMITTED]%2Fblackboard%2Flti%2Fconnect.php&lti_message_hint=[OMITTED] &lti_deployment_id=059feade-ef1c-48c8-bf65-6fee9845a23b', referer: https://[OMITTED].blackboard.com/

[Thu Sep 17 11:06:26.684515 2020] [php7:notice] [pid 8638] [client [OMITTED]] [INFO] HEAD request received for '/blackboard/lti/connect.php'

[Thu Sep 17 11:06:26.684596 2020] [php7:notice] [pid 8638] [client [OMITTED]:14296] [ERROR] Request failed with reason: 'LTI messages must use HTTP POST'\nSee: \n /var/www/[OMITTED]/blackboard/lti/vendor/celtic/lti/src/Util.php line 160\n /var/www/[OMITTED]/blackboard/lti/vendor/celtic/lti/src/Tool.php line 371\n /var/www/[OMITTED]/blackboard/lti/connect.php line 33

[Thu Sep 17 11:06:26.891978 2020] [php7:notice] [pid 8643] [client [OMITTED]] [INFO] POST request received for '/blackboard/lti/connect.php' with body parameters of:\narray (\n 'id_token' => '[OMITTED]',\n 'state' => 'Nc2JF1tH',\n), referer: https://[OMITTED].blackboard.com/

spvickers commented 4 years ago

This looks like a valid request from Blackboard and similar to something which I thought I had fixed in the library. Please can you confirm which version of the library you have installed. Thanks.

iambpete commented 4 years ago

According to Composer, I'm using v4.0.3 of the LTI library:

celtic/lti v4.0.3 PHP class library for building LTI integrations
firebase/php-jwt v5.2.0 A simple library to encode and decode JSON Web Tokens (JWT) in PHP. Should conform to the current spec.

spvickers commented 4 years ago

Thanks, I'll try to replicate the issue at my end to discover why this is not working - it was working with Blackboard.

spvickers commented 4 years ago

I have not been able to replicate this issue - login initiation requests using GET are working for me. So I am wondering whether there is something about your PHP configuration which is affecting the population of the $_REQUEST variable. Are you able to check what its contents are when a request is received by connect.php?

iambpete commented 4 years ago

Looks like I'm receiving a HEAD request from Blackboard right before the error is presented in the Apache logs:

[Thu Sep 17 13:16:29.843396 2020] [php7:notice] [pid 11277] [client] [INFO] HEAD request received for '/lti/connect.php'

[Thu Sep 17 13:16:29.843617 2020] [php7:notice] [pid 11277] [client] [ERROR] Request failed with reason: 'LTI messages must use HTTP POST | REQUESTMETHOD: HEAD' nSee: \n /lti/vendor/celtic/lti/src/Util.php line 160\n /lti/vendor/celtic/lti/src/Tool.php line 371\n /lti/connect.php line 33

However, immediately afterward, I'm receiving a POST request that contains the JWT 'id_token' and 'state'.

[Thu Sep 17 13:35:50.333759 2020] [php7:notice] [pid 12390] [client] [INFO] POST request received for '/lti/connect.php' with body parameters of:\narray (\n 'idtoken' => 'OMITTED',\n)

The JWT payload is populating with what appears to be the intended response. I'm seeing my user's 'given_name', 'email', 'family_name', 'person_sourcedid', etc.

I'm not sure why Blackboard is sending a HEAD request, but I tried modifying connect.php so that it will ignore anything that is $_SERVER['REQUEST_METHOD'] !== "HEAD". That seems to have silenced the error in the debug log; however, I'm not sure whether I still have a problem?

After launching the Rating tool, I don't see any errors; however, I am seeing a message indicating: "Your course does not appear to offer the ability to access a list of users."

I double-checked to make sure I have "Allow Membership Service Access" enabled as well as all of the "User Fields to Send" options selected in the Tool Admin.

spvickers commented 4 years ago

If the error is being generated from a HEAD request surely it can just be ignored as the expected GET or POST request is then being sent anyway which is what the tool needs.

As for the Memberships service, have you configured the tool with a URL for the access token service? Have you given Blackboard a public key or a public key URL, and whichever you have provided, are they correct? What HTTP requests do you see being logged when access to the Memberships service is being attempted? If none, then perhaps the launch being made has not included the endpoint for the service for some reason - check the JWT received.

iambpete commented 4 years ago

Ok, I think I've finally got things straightened out now.

It appears that the membership issue was 100% due to my failure to create a proper placement within the course. I had been adding the tool via "Build Content -> Web Link (This link is to a Tool Provider)". However, once I created either a "Course content tool" or "Course tool" placement for it via the Admin Panel, the users now appear when launching the tool.

Stephen, thank you so much for your help, expertise, and quick response to my LTI noobie questions. Again, much appreciated!

spvickers commented 4 years ago

Excellent news, thanks for letting me know. I shall be adding in a check for HEAD requests in the next release.
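
The request sequence logged in this thread (GET login initiation, a HEAD request, then the POST carrying `id_token` and `state`) can be sorted at the front of the launch script so that the library's POST requirement for LTI messages stays enabled. This is an added example, not code from the thread or from the ceLTIc library; the function name, return labels and sample values are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example: classify a request to the tool's launch URL before any LTI
// processing runs. Function name and return labels are hypothetical.
function classify_lti_request(string $method, array $query, array $body): string
{
    $method = strtoupper($method);

    // A HEAD request carries no LTI message, so there is nothing to validate:
    // answer it without invoking the LTI code path at all.
    if ($method === 'HEAD') {
        return 'probe';
    }

    // The authentication response carries the signed id_token. It must arrive
    // in a POST body; one found in the query string is refused outright.
    if (isset($query['id_token'])) {
        return 'reject';
    }
    if ($method === 'POST' && isset($body['id_token'], $body['state'])) {
        return 'launch';
    }

    // Login initiation may use GET or POST and needs these three parameters.
    $params = ($method === 'POST') ? $body : $query;
    if (($method === 'GET' || $method === 'POST')
        && isset($params['iss'], $params['login_hint'], $params['target_link_uri'])) {
        return 'login_initiation';
    }

    return 'reject';
}

// Constructed requests mirroring the log entries in the thread, plus one
// id_token sent by GET, which must not be accepted.
$samples = [
    ['GET',  ['iss' => 'https://blackboard.com', 'login_hint' => 'hint',
              'target_link_uri' => 'https://tool.example/connect.php'], []],
    ['HEAD', [], []],
    ['POST', [], ['id_token' => 'header.payload.signature', 'state' => 'Nc2JF1tH']],
    ['GET',  ['id_token' => 'header.payload.signature'], []],
];
foreach ($samples as [$method, $query, $body]) {
    printf("%-4s => %s\n", $method, classify_lti_request($method, $query, $body));
}
```

In a launch script, `probe` would return an empty 200 response and `reject` an error status, with only `login_initiation` and `launch` handed on to the LTI library.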