【Question title】: OAuth signature generation using HMAC-SHA1?
【Posted】: 2014-07-09 01:27:36
【Question description】:

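I apologize for asking so many questions, but none of them seem to get answered and I really need help. I am using LTI to integrate my program into a learning management system, and I need to authenticate using OAuth. I have no trouble generating a signature following the guidelines here, but the signature I generate never matches the one the LMS passes to me, and I cannot for the life of me figure out why they never match. I hope it is something I am forgetting, but I really need some help.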

When I launch my program from the LMS, I am sent this array via POST in what is called the LTI launch:

array(
  'launch_presentation_locale' => 'EN-US__',
  'tool_consumer_instance_guid' => 'key',
  'tool_consumer_instance_name' => 'MyProgram',
  'tool_consumer_instance_description' => 'MyProgram',
  'tool_consumer_instance_contact_email' => 'johndoe@email.com',
  'tool_consumer_info_version' => '10.3.0 SP5',
  'tool_consumer_info_product_family_code' => 'desire2learn',
  'context_id' => '2440554',
  'context_title' => 'ContextTitle',
  'context_label' => 'ContextTitle',
  'context_type' => '',
  'user_id' => 'USER_ID',
  'roles' => 'None',
  'lis_person_name_given' => 'John',
  'lis_person_name_family' => 'Doe',
  'lis_person_name_full' => 'John Doe',
  'lis_person_contact_email_primary' => 'johndoe@email.com',
  'ext_tc_profile_url' => 'https://profileurl.com',
  'ext_d2l_token_id' => '123456789',
  'ext_d2l_link_id' => '1234',
  'ext_d2l_token_digest' => 'AbCdEfGhIjKlMnOpQrStUvWxYzi=',
  'resource_link_id' => '',
  'resource_link_title' => 'MyProgram',
  'resource_link_description' => 'MyProgram',
  'lis_result_sourcedid' => 'abcdefgh-ijkl-mnop-qrst-uvwxyz012345',
  'lis_outcome_service_url' => 'https://outcomeserviceurl.com',
  'lti_version' => 'LTI-1p0',
  'lti_message_type' => 'basic-lti-launch-request',
  'oauth_version' => '1.0',
  'oauth_nonce' => '123456789',
  'oauth_timestamp' => '1234567890',
  'oauth_signature_method' => 'HMAC-SHA1',
  'oauth_consumer_key' => 'key',
  'oauth_callback' => 'about:blank',
  'oauth_signature' => 'eFUR8O5xVydLrj4PDj37nF4cq6A=',
  'basiclti_submit' => 'Launch Endpoint with BasicLTI Data'
);

Here is what I am trying. I added comments to clarify the steps:

// Set variables that are required for the signature to be generated. 
$OAUTH_KEY = 'key';
$OAUTH_SECRET = 'secret';
$httpMethod = 'POST';
$SITE_URL = 'https://localhost/test.php';

// make array copy of entire POST data, remove the 'oauth_signature' field as specified in the oauth spec from the copy array, then sort alphabetically. After that, url encode the key/value of each item in the copy array and store into a string for later use.
$request_parameter_array = $_POST;
unset($request_parameter_array['oauth_signature']);
ksort($request_parameter_array);
$request_parameter_str = '';
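foreach($request_parameter_array as $key => $value) {
    $request_parameter_str .= rawurlencode($key) . '=' . rawurlencode($value) . '&';
}
// Drop the trailing '&': the normalized parameter string has separators only between pairs.
$request_parameter_str = rtrim($request_parameter_str, '&');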

// create the signature base string (string variable that the actual signature is created from) by following these steps from the OAuth documentation:

//     1.  The HTTP request method in uppercase.  For example: "HEAD",
//         "GET", "POST", etc.  If the request uses a custom HTTP method, it
//         MUST be encoded (Section 3.6).

//    2.  An "&" character (ASCII code 38).

//    3.  The base string URI from Section 3.4.1.2, after being encoded
//        (Section 3.6).

//    4.  An "&" character (ASCII code 38).

//    5.  The request parameters as normalized in Section 3.4.1.3.2, after
//        being encoded (Section 3.6).

$key = rawurlencode($OAUTH_SECRET) . '&';
$signature_base = strtoupper($httpMethod) . '&' . rawurlencode($SITE_URL) . '&';
$signature_base .= rawurlencode($request_parameter_str);

$signature = base64_encode(hash_hmac("sha1", $signature_base, $key, true));
echo $signature;

【Question discussion】:

    Tags: oauth


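    【Solution 1】:

    I guess my own stupidity was the problem here. The issue was caused by D2L itself, because I misunderstood the difference between integrating with a tool link and integrating with a tool provider. I literally deleted my tool provider and used a tool link, and now I can authenticate every time.

    It turns out there was nothing wrong with the code here at all.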
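
A receiver-side check for the launch described in the question, as an added example that is not the poster's code: it builds the RFC 5849 base string with '&' only between pairs, rejects stale timestamps, and compares signatures with hash_equals. The function names, the 300-second window and the sample launch values are assumptions made for illustration, and the launch URL is assumed to carry no query string.

```php
<?php
// Added example, not the poster's code: verify an LTI launch signature (RFC 5849, section 3.4.1).
// Base string URI: lowercase scheme and host, default port dropped, no query or fragment.
function oauth_base_uri(string $url): string
{
    $p = parse_url($url);
    $scheme = strtolower($p['scheme']);
    $default = ['http' => 80, 'https' => 443][$scheme] ?? null;
    $port = isset($p['port']) && $p['port'] !== $default ? ':' . $p['port'] : '';
    return "$scheme://" . strtolower($p['host']) . $port . ($p['path'] ?? '/');
}

function oauth_signature(string $method, string $url, array $params, string $secret): string
{
    unset($params['oauth_signature']);              // excluded from the base string
    $pairs = [];
    foreach ($params as $name => $value) {
        $pairs[] = [rawurlencode((string) $name), rawurlencode((string) $value)];
    }
    // Sort by encoded name, then by encoded value (byte order).
    usort($pairs, fn($a, $b) => strcmp($a[0], $b[0]) ?: strcmp($a[1], $b[1]));
    // Join with '&' between pairs only: a trailing '&' changes the base string.
    $normalized = implode('&', array_map(fn($p) => $p[0] . '=' . $p[1], $pairs));
    $base = strtoupper($method) . '&' . rawurlencode(oauth_base_uri($url)) . '&' . rawurlencode($normalized);
    $key = rawurlencode($secret) . '&';             // no token secret in an LTI launch
    return base64_encode(hash_hmac('sha1', $base, $key, true));
}

function lti_launch_is_authentic(array $post, string $url, string $secret, int $now, int $maxSkew = 300): bool
{
    $fresh = abs($now - (int) ($post['oauth_timestamp'] ?? 0)) <= $maxSkew;
    if (!$fresh || ($post['oauth_signature_method'] ?? '') !== 'HMAC-SHA1') {
        return false;
    }
    // A production receiver would also reject an oauth_nonce already seen inside the window.
    $expected = oauth_signature('POST', $url, $post, $secret);
    return hash_equals($expected, (string) ($post['oauth_signature'] ?? '')); // constant-time compare
}

// Constructed sample launch, signed here with a constructed secret so the script runs offline.
$url = 'https://localhost/test.php';
$launch = [
    'lti_version' => 'LTI-1p0', 'lti_message_type' => 'basic-lti-launch-request',
    'oauth_consumer_key' => 'key', 'oauth_nonce' => '123456789', 'oauth_version' => '1.0',
    'oauth_timestamp' => '1234567890', 'oauth_signature_method' => 'HMAC-SHA1',
];
$launch['oauth_signature'] = oauth_signature('POST', $url, $launch, 'secret');
var_dump(lti_launch_is_authentic($launch, $url, 'secret', 1234567900)); // signed, inside the window
$launch['roles'] = 'Instructor';                    // field changed after signing
var_dump(lti_launch_is_authentic($launch, $url, 'secret', 1234567900)); // signature no longer matches
```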
