Error message is returned after a due date has expired.
The error is (LTI error:
access token is for another tenant"})
It is occurring for a limited number of course student sets when a due date passes. What is this error message and what may cause it?
Thanks!
Answers
-
Can you give more information around this error? What is the context of encountering it? How do we know that it's an "LTI error"? Do we know what integration/application is causing this? @Patricia.Lochary8224
-
The courses are integrated via LTI 1.3. The error occurs after a student completes an assignment on the digital landing page when the due date expires.
-
I am also facing same issue getting error
{ "type": "http://docs.valence.desire2learn.com/res/apiprop.html#invalid-token", "title": "Unauthorized", "status": 401, "detail": "The access token is for another tenant"}
calling this whoami api
/d2l/api/lp/1.26/users/whoami
It works for me for auth and refresh token I get accesstoken and when I try above API getting error I have scope enabled for above.
Can you tell me what is wrong here , how me or admin can fix this -
Every access token is tied to a specific instance of Brightspace: you cannot use an access token granted to you for one back-end service (one tenant, one Brightspace instance) to gain access to APIs on another Brightspace.
-
Here is one issue for getting a authorisation then if I am using university URL to login , I get below page
https://brightspace.missouristate.edu/oauth2/auth?client_id=7f56c153-42ff-4f5b-90cf-afdf5cbb3a92&response_type=code&state=tool_293&redirect_uri=https://www.globalyceum.com/tools/oauth_complete&force_login=1&scope=quizzing:quizzes:read quizzing:quizzes:create quizzing:quizzes:delete quizzing:quizzes:write quizzing:access:read grades:access:read grades:gradeobjects:delete grades:gradeobjects:read grades:gradeobjects:write grades:gradevalues:read grades:gradevalues:write lti:links:create lti:links:delete lti:links:read lti:links:update orgunits:course:read users:profile:read users:own_profile:read users:userdata:read core::
So when I update the URL to get success page
https://auth.brightspace.com/oauth2/auth?client_id=7f56c153-42ff-4f5b-90cf-afdf5cbb3a92&response_type=code&state=tool_293&redirect_uri=https://www.globalyceum.com/tools/oauth_complete&force_login=1&scope=quizzing:quizzes:read quizzing:quizzes:create quizzing:quizzes:delete quizzing:quizzes:write quizzing:access:read grades:access:read grades:gradeobjects:delete grades:gradeobjects:read grades:gradeobjects:write grades:gradevalues:read grades:gradevalues:write lti:links:create lti:links:delete lti:links:read lti:links:update orgunits:course:read users:profile:read users:own_profile:read users:userdata:read core::
I have changed from brightspace.missouristate.edu to auth.brightspace.com then only I get code to refresh token but as you said above now I am having tenant issue
Can you tell me how I solve this issue -
You should ensure that you are properly following the Authorization Code Grant workflow, as described in our docs and in the OAuth2 specification and enablement materials; from your notes there, I'm not sure that you are. Brightspace does not support other OAuth2 workflows for third-party applications.
-
Hi @Viktor.H.147 ,
I am following the Authorization Code Grant workflow but getting error in any api I am using for example this api
https://devcop.brightspace.com/d2l/api/lp/1.26/users/whoami
or
https://devcop.brightspace.com//d2l/api/lp/1.25/enrollments/myenrollments/
or
https://devcop.brightspace.com//d2l/api/lp/1.26/enrollments/myenrollments/
for any of API its not working for me, Can you tell me what I am doing wrong if you need more details I am ready to share.
I am having issue with this university https://brightspace.missouristate.edu while test account I create on https://devcop.brightspace.com/d2l/login works for me
{ "type": "http://docs.valence.desire2learn.com/res/apiprop.html#invalid-token", "title": "Unauthorized", "status": 401, "detail": "The access token is for another tenant"} -
Again, the error you are receiving is indicating that you have an access token for one Brightspace and then are attempting to use that token with another Brightspace. This is not permitted. Since you say that your APIs work on devcop, but not on another LMS, I would suggest that what you're doing is getting an access token that is for the devcop Brightpace, and then attempting to use that token on the university Brightspace — you cannot do this.
You must get an access token intended for the university LMS, and this means that you must also involve a user that can log in to the university LMS in order to complete the three-legged Authorization Code workflow. -
Hi @Viktor.H.147 ,
Got your point, Can you able to help me what will be the URL/endpoint for an LMS for example.
https://brightspace.missouristate.edu what is URL/ Authorization endpoint As I can see in this doc https://docs.valence.desire2learn.com/basic/oauth2.html its below for devcop- Authorization endpoint: https://auth.brightspace.com/oauth2/auth
- Token endpoint: https://auth.brightspace.com/core/connect/token
But Can you help me to get end point for this LMS https://brightspace.missouristate.edu
From where I can get endpoint for it because same endpoint does not work for me, its show me error page that I have already attached.
With above endpoint I also want to know the endpoint for LMS for other API like below is for devcop
Now a new user which is from this LMS https://brightspace.missouristate.edu now what will be the endpoint for below api what will change in place of devcop for an LMS as above mentioned
https://devcop.brightspace.com/d2l/api/lp/1.26/users/whoami
or
https://devcop.brightspace.com/d2l/api/lp/1.25/enrollments/myenrollments/ -
I believe the Authorization Code grant workflow determines the appropriate Brightspace to involve via the Client ID that you provide to the Authorization server.
This means that you cannot use the Client ID you've gotten for your app on the devcop Brightspace instance, because then the Authorization Server will infer that your Brightspace is the devcop Brightspace. You must, instead, register your application within the university Brightspace and use that Client ID when you connect to the authorization server.
-
Hi @Viktor.H.147 ,
I have been register withuniversity Brightspaceand got client Id as well with secret and I am using same client ID as I have mentioned above as well these are LMS newly created client ID and now I am getting error which I have mentioned. thatswhy I am asking is there any different endpoint ? for whomai api ?
I got client ID shared by university admin and same I am using -
The error you report seems to clearly indicate you are trying to use an access token across several Brightspaces, so I don't think there is a problem with the API path you are trying to use (or, at least, the error is occurring before the API path would come into consideration). The path you mention for the whoami API seems to be fine.
-
Hi @Viktor.H.147 ,
Again I am on same issue my issue is still not resolved
1. I got client ID from LMS
2. Used Auth end point same as in doc
3. Got access token and resfresh token (login by university user)
4. accessing API as there is no path change
As in above mentioned you are saying there is no path change in niether auth endpoint not token end point and not in whoami path
then where there is issue how token is checking and indicating I am using another.
I am still in same situtaion my problem is still exist if nothing I have to change then why I am getting error?
let me know if you need more details to solve my issue -
I'm sorry, I don't think I'm able to provide further assistance here; my only recommendation is to do what you'd do as normal practices to debug code problems — investigate each step to make sure your code is doing what you think it's doing.
