Description:
I am facing an issue with an LTI 1.3 launch to Turnitin after enabling Reusable Configuration in the Open edX LTI Store.
When launching without reusable configuration, the LTI launch works fine.
However, after switching to reusable configuration, the launch fails with a Turnitin authorization error.
Reference ID: 112be23c-1d33-47a5-9c40-304b4f9493a7
Unable to authorize launch Internal signing validation error.
If this error continues, please contact your administrator or Turnitin support.
Observations
The only difference between both URLs is the lti_message_hint value.
LMS logs show a valid JWKS response:
GET /api/lti_consumer/v1/public_keysets/42673c39-f783-4822-a927-909d1ee55a03 200
→ So JWKS and key discovery are functioning properly.
The issue occurs only after enabling LTI Store Reusable Configuration.
Turnitin seems to reject or fail to validate the lti_message_hint generated in this context.
Questions for the community
Is there any known issue with lti_message_hint generation in reusable configurations?
Does the LTI Store modify or re-generate lti_message_hint between launches?
Has anyone successfully integrated Turnitin LTI 1.3 using reusable configuration on Teak?
Could Turnitin be rejecting hints that differ in length or encoding?
Hi @Meet_Boghani, I think the lti_message_hint is probably not the actual issue. That will be different each time the platform initiates a handshake with the tool. I think the thing to focus on is probably the error message about the Internal signing validation error
If I’m reading it correctly, I think it means that the tool is having trouble validating the message using the the public key that it has.
Is the tool set to validate using the public JWK URI for the lti-store? or is it still trying to verify the public key from the bulit-in version of the block?
Unless you specifically used the same private key in the external config as was in the internal configuration, the lti-store block would just generate a new private key and so the signing might not match as expected. If you’re copying values from the LtiConfiguration table to the ExternalLtiConfiguration then hopefully you copied that key over. Otherwise, you’ll need to update the tool to point to the lti-store key url.
Thanks, for replying @feanil and sorry for the late reply I was busy with other stuffs. I will look into this and let you know if I face any difficulties even after following you steps.
@feanil I believe the issue might be the private key which I used in the lti-store. But, the thing is the third-party lti which I am using doesn’t provide any private key and the field is mandatory. So, to resolve that I created a private key using the command line and I used that one, which I think might be the issue. So, if it’s possible and you can guide how I can resolve or which steps I should perform to overcome this issue would be a great help. Thanks in advance.
@Meet_Boghani that private key is not one provided by the tool but the one that the platform uses to sign its communication to the tool. The LMS should produce a new Keyset URL for the private key you provided. And you should make sure the Keyset URL set in the tool matches the one for the component in the LTI Store.
@feanil Thank you very much it’s working now. I was not able to see the private key in the studio LTI configuration as no field was there with that name then I went to admin panel and found it. Now it is working thanks for the help.