如何驗證moodle LTI啓動請求

Question

我已經創建了一個LTI工具，我正在使用moodle進行集成。我創建了一個消費者密鑰和祕密，但我不確定如何驗證（驗證）啓動請求。

這是我收到的原始請求，所以我猜我需要驗證oauth_signature來驗證請求。我遇到了一些例子，但我也需要oauth標記，但它並未在啓動請求中返回。

我真的很感激任何幫助！

POST http://ltitest.cloudapp.net/launch HTTP/1.1 
Host: ltitest.cloudapp.net 
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
Accept-Language: en-US,en;q=0.5 
Accept-Encoding: gzip, deflate 
Referer: http://demo.moodle.net/mod/lti/launch.php?id=7 
Connection: keep-alive 
Content-Type: application/x-www-form-urlencoded 
Content-Length: 1296 

oauth_version=1.0&oauth_nonce=d8e900f0b71e76c4b12e89681c9b5cb9&oauth_timestamp=1412987714&oauth_consumer_key=username&resource_link_id=1&resource_link_title=tool&resource_link_description=&user_id=2&roles=Instructor%2Curn%3Alti%3Asysrole%3Aims%2Flis%2FAdministrator&context_id=2&context_label=My+first+course&context_title=My+first+course&launch_presentation_locale=en&lis_result_sourcedid=%7B%22data%22%3A%7B%22instanceid%22%3A%221%22%2C%22userid%22%3A%222%22%2C%22launchid%22%3A449414780%7D%2C%22hash%22%3A%2226f6510ff6e91e1a7814805190c01a9e9d02575de135d7a1483a70626bae8782%22%7D&lis_outcome_service_url=http%3A%2F%2Fdemo.moodle.net%2Fmod%2Flti%2Fservice.php&lis_person_name_given=Admin&lis_person_name_family=User&lis_person_name_full=Admin+User&lis_person_contact_email_primary=demo%40moodle.a&ext_lms=moodle-2&tool_consumer_info_product_family_code=moodle&tool_consumer_info_version=2014051202&oauth_callback=about%3Ablank&lti_version=LTI-1p0&lti_message_type=basic-lti-launch-request&tool_consumer_instance_guid=demo.moodle.net&launch_presentation_return_url=http%3A%2F%2Fdemo.moodle.net%2Fmod%2Flti%2Freturn.php%3Fcourse%3D2%26launch_container%3D3%26instanceid%3D1&oauth_signature_method=HMAC-SHA1&oauth_signature=JmFLDbhi%2FstYEFTSNA%2F44biCQkM%3D&ext_submit=Press+to+launch+this+activity 

Answer 1

我解決了這個問題，雖然它可能適用於任何尋找解決方案的人。

開始通過獲取OAuth的LIB：https://www.nuget.org/packages/Microsoft.Owin.Security.OAuth/

// parse out the signature from the http req. 
ProviderRequest providerRequest = new ProviderRequest(); 
providerRequest.ParseRequest(httpRequest, false); 
String httpSig = providerRequest.Signature; 

// now generate a new signature from our secret 
String generatedSig = GenerateOAuthSignature(secret, req); 

if(generatedSig == httpSig){ 
    // valid oauth request 
} 

生成OAuthSignature是部分owin lib中，但這段代碼的功能：

internal static string GenerateSignatureBase(string httpMethod, Uri url, NameValueCollection parameters) 
    { 
     var normalizedUrl = string.Format("{0}://{1}", url.Scheme, url.Host); 
     if (!((url.Scheme == "http" && url.Port == 80) || (url.Scheme == "https" && url.Port == 443))) 
     { 
      normalizedUrl += ":" + url.Port; 
     } 
     normalizedUrl += url.AbsolutePath; 

     StringBuilder signatureBase = new StringBuilder(); 
     signatureBase.Append(httpMethod.ToRfc3986EncodedString().ToUpper()).Append('&'); 
     signatureBase.Append(normalizedUrl.ToRfc3986EncodedString()).Append('&'); 

     var excludedNames = new List<string> { OAuthConstants.SignatureParameter }; 
     signatureBase.Append(parameters.ToNormalizedString(excludedNames).ToRfc3986EncodedString()); 

     return signatureBase.ToString(); 
    } 

    /// <summary> 
    /// Generates a signature using the specified signatureType 
    /// </summary> 
    /// <param name="httpMethod">The http method used</param> 
    /// <param name="url">The full url to be signed</param> 
    /// <param name="parameters">The collection of parameters to sign</param> 
    /// <param name="consumerSecret">The OAuth consumer secret used to generate the signature</param> 
    /// <returns>A base64 string of the hash value</returns> 
    public static string GenerateSignature(string httpMethod, Uri url, NameValueCollection parameters, string consumerSecret) 
    { 
     var signatureBase = GenerateSignatureBase(httpMethod, url, parameters); 

     // Note that in LTI, the TokenSecret (second part of the key) is blank 
     HMACSHA1 hmacsha1 = new HMACSHA1(); 
     hmacsha1.Key = Encoding.ASCII.GetBytes(string.Format("{0}&", consumerSecret.ToRfc3986EncodedString())); 

     var dataBuffer = Encoding.ASCII.GetBytes(signatureBase); 
     var hashBytes = hmacsha1.ComputeHash(dataBuffer); 

     return Convert.ToBase64String(hashBytes); 
    } 

Answer 2

LTI是由IMS全球學習聯盟定義的，其允許遠程工具和內容從工具提供商（TP）被牢固地集成到工具消費者（TC）的通信協議。

與OAuth 1.0一樣，通過對所有請求參數進行排序，添加使用者密鑰，時間戳和隨機數，並使用共享密鑰將它們散列在一起來生成簽名。您必須驗證簽名並調用請求的已驗證請求的鏈接。

在RFC 5849中，您可以找到相關的文檔和示例。

token 
     A unique identifier issued by the server and used by the client 
     to associate authenticated requests with the resource owner 
     whose authorization is requested or has been obtained by the 
     client. Tokens have a matching shared-secret that is used by 
     the client to establish its ownership of the token, and its 
     authority to represent the resource owner. 

    The original community specification used a somewhat different 
    terminology that maps to this specifications as follows (original 
    community terms provided on left): 

    Consumer: client 

    Service Provider: server 

    User: resource owner 

    Consumer Key and Secret: client credentials 

    Request Token and Secret: temporary credentials 

    Access Token and Secret: token credentials 

而且檢查：Validating launches。