"400 bad request" when open Discourse site

[aihuacville]

There is a “400 bad request” error when opening Discourse page from LIT component in my course that run within my Open edX site.

Version of Discourse: Open edx version: Ginkgo ,Discourse version: v1.9.0.beta14

3 relevant details are as following:

Detail 1/3: Screenshot of the error

Detail 2/3: the code line where I think the program stopped

Detail 3/3: The problematic request.params is printed as following {"resource_link_id"=>"pd.lh4cs.org-acb63f37ee1945b3b32d5a8127696039", "lis_person_contact_email_primary"=>"aihuacville@gmail.com", "user_id"=>"8c7c5a3defcc8df089b41bfd3ad1d695", "roles"=>"Student", "oauth_nonce"=>"88971414880083225381511140253", "oauth_timestamp"=>"1511140253", "lis_result_sourcedid"=>"course-v1%3AUVa%2Blh4cs01%2B2018_T1:pd.lh4cs.org-acb63f37ee1945b3b32d5a8127696039:8c7c5a3defcc8df089b41bfd3ad1d695", "context_id"=>"course-v1:UVa+lh4cs01+2018_T1", "oauth_consumer_key"=>"x123456-d87f-3838-cop.lh4cs.org", "lti_version"=>"LTI-1p0", "oauth_signature_method"=>"HMAC-SHA1", "oauth_version"=>"1.0", "launch_presentation_return_url"=>"", "custom_["=>"https://cop.lh4cs.org/c/lighthouse-cc", "oauth_signature"=>"o3eSM/f0+6BmFvcN/C5/SYpcrP0=", "lis_person_sourcedid"=>"aihua", "lti_message_type"=>"basic-lti-launch-request", "oauth_callback"=>"about:blank"}

--End--

[kevinrobinson]

@aihuacville Thanks for opening!

1. Is there anything in the Course Author experience that's different for your instance? I've never tried this on Open EdX (it should work the same) but that might be something to check first.

2. Did you configure the plugin in your Discourse instance at all? The plugin requires a few site settings to be set, which you can do through the Discourse Admin UI at /admin/plugins and then clicking into settings. If I left this out of the README that's my mistake and we should add it in :)

3. If you visit /logs in your Discourse site, do you see any additional information about why the request failed? If not we could also update the line you called out to print some more helpful error info for debugging.

[kevinrobinson]

Also I'm excited about your course! :)

[aihuacville]

@kevinrobinson Thanks for your quick reply.

1. There are the same regarding Course Author experience

2. I did.

3. I got "oauth request validation failed" from logs file.

[kevinrobinson]

@aihuacville Sure!

Could you say more about why you think lti_strategy.rb#L85 is the line that's raising the error? Or if you could share the stack trace that you see in the /log that would help me understand more too. I don't see "oauth request validation failed" in this repo's code, so am curious where that's coming from (maybe the LTI gem or maybe omniauth).

If you're sure the problem is in the valid_request? then it might help to check the call params. In the request params you pasted above it looks like the consumer key and secret aren't there (which is good! :)) and I'm figuring you can check those on your end.

[aihuacville]

@kevinrobinson Sorry I should not use the quotation marks.

I saw "Invalid LTI request" in the log and "400 Bad Request". I think request.params is the only info it printed for debugging, which I have provided in the earlier message.

I've tried to look in to IMS::LTI::ToolProvider.valid_request(). The document at http://www.imsglobal.org/wiki/step-2-valid-lti-launch-request tells it basically checks the three things: 1. recent-date, 2. one-time-nonce, 2. certificate-signature. I have double-checked and didn't find any problem with the date or the nonce. The consumer key and secret are also consistent on OpenEdx and Discourse.

[kevinrobinson]

@aihuacville Got it, thanks for explaining!

So to clarify: you can verify that the consumer key and secret are correct, and that a particular request object has the parameters it should (based in the LTI docs, including the time stamp). BUt the call to ToolProvider#valid_request returns false? hmm, I’m not sure how else to debug further.

To recap my understanding, the configuration pieces involved here are:

• EdX settings for launch LTI button
• EdX LTI consumer key and secret settings
• Discourse plug-in settings

If all of those look correct to you, and you are still getting a failure on the call to #valid_request, I don’t have any other good ideas beyond that. You could dig in further into the IMS LTI source code to see what's happening, but I'd triple-check the config before diving in.

One thing that was helpful for me in developing the plugin was that you can iterate on it locally with the Discourse Vagrant setup (link). And in production you could fork this repo and set your Discourse instance to use the fork - you can then commit to master on your repo and then update the plugin in the Discourse admin UI in about a minute, so that you can iterate quickly to add more logging, debug, etc.

Let me know if there's anything else I can help with as you're investigating!

[aihuacville]

@kevinrobinson FINALLY I make it work!!!

Tried thousands of times in different ways. BUT finally found in "Custom Parameters", I only need to add: url=https://example.com , no "", no [ ].

[kevinrobinson]

@aihuacville Awesome, nice work! I'll close this issue then and update the docs to include a note about this for other folks as well. Thank you!