Integrations Documentation

LTI Advantage - Developer FAQ

General

Q: Does LMS implement quota policies or other usage restrictions, like rate limits, for extension requests?

A: Yes and No. For LTI Advantage 1.3 the LTI endpoints for AGS and NRPS are rate limited the exact same way as Brightspace APIs. Rate limiting is based on a per integration basis, not a per user basis. LTI legacy 1.1 outcomes are not rate limited.

Q. I’m Receiving a “422 unprocessable entity” when sending a LineItem score from a tool to the platform.

A. This error message is sent when a tool attempts to send a LineItem score for a non-gradeable user, this functionality is controlled by the Can be graded in Grades option. This can be found by navigating to Roles and Permissions > Edit Settings > Tool Behaviour Options.

Authentication

Q: I'm receiving a 404 when trying to re-launch back to the platform.

A: You must include all the parameters (including optional state) when performing a re-launch to bind the request.

Q: What values are required in the request for an auth token?

A: The below values are required:

iss: A unique ID for who issued the JWT. the value of client_id from the platform. Same as sub.
sub: Same as iss, client_id value of Oauth from platform.
aud: Authorized server identifier(s), provided by the platform.
- Given in tool registriation via UI.
- URL: https://api.brightspace.com/auth/token They don’t go here, only pass this value in aud claim.
iat: Timestamp the JWT was created.
exp: Timestamp for JWT to expire.
jti: A unique identifier (potentially reusable) for the token.

https://www.imsglobal.org/spec/security/v1p0#using-json-web-tokens-with-oauth-2-0-client-credentials-grant

Q: Does Brightspace support public and private keys from a tool?

A: No, as per Best Practices, Brightspace decided to support tool's JWK Key Set only.

Q: I'm receiving "error_description": "Error validating assertion: KeyId not found in token".

A: Brightspace supports tool's JWKS routes. The key must be wrapped in a keys array as per the JWKS standard.

Q: I'm receiving an "error":"invalid_client"?

A: The iss must be the client id which is the same as the sub. It was a late addition to the spec.

Q: When requesting an access token for the LTI service, I am receiving failure which states something like:

{"error":"invalid_grant","error_description":"Client is not authorized to set a 'kid' claim"}

{"error":"invalid_grant","error_description":"Error validating assertion: KeyId not found in token"}

A: Kid should only ever be included in the header and not in the payload.

Q: Sometimes sending a request to the auth service fails with an unknown error, such as:

{"error":"server_error","error_description":"An unexpected exception occured"}

A: This is being thrown by our authentication service, which can be difficult to debug. Usually the errors are more clear, but in cases where they are not, our best chance is to have the tool retrieve the request and send it to us to debug the issue.

Q: Does the platform support GET or POST for authorizing redirect URLs?

A: Both GET and POST are supported methods

Q: Does the platform support one-time public keys or JWKS URL?

A: We support the use of JWKS URLs for both the platform keys and to retrieve the keys from the tool.

Q: What signing algorithms are supported: RS225 or RS512?

A: RS256

Q: What size of key is supported: 1024 or 2048?

A: 2048

Q: What is the token retrieval endpoint for the platform?

A: Brightspace Oauth2 Access Token URL: https://auth.brightspace.com/core/connect/token

Q: I am receiving a Bad Request.

A: Check the D2L System Log for any of the following messages:

Invalid Message Hint: The hint doesn't exist.
Message Hint Expired: This hint expired. Hints have a ten-minute expiry window for the initial login.
Failed to parse message hint: The hint doesn't have the correct format. See spec.

Assignments & Grades Service

Q: Which OAuth 2 grant type does the platform support for Assignments & Grades service?

A: We follow the security spec: Oath 2 client credentials grant.

Q: My tool is returning a grade, but the grade book is not being updated.

A: The Brightspace grade book will only reflect grades from the tool with a status of Fully Graded.

Q: My LineItem pass back is either failing or is not being created when I add it via Insert Stuff or through the course builder deep link quick link.

A: D2L recommends using a QuickLink instead if a LineItem is required. For the course builder workflow, clicking the link in the right-side panel allows the tool to send the information to create the LineItem.

Q: "LineItem cannot be associated with a widget context_launch resource link id".

A: Standalone LineItems will be accepted, but a LineItem cannot be associated with a widget in Brightspace.

Names & Roles

Q: I am not getting users unknown to my tool from the class list when using the Names & Roles Extension.

A: There are a few reasons that could affect how the platform decides to send users over:

“Send Unknown Users” Toggle: The obvious one is the toggle at the deployment level that dictates whether a tool is allowed to receive users it doesn’t already know about. As of Brightspace version 20.20.11, if “Classlist including users not known to this deployment”, then an NRPS request from the tool will auto-generate an LTI UserId for any user who has never launched an LTI link in Brightspace.
Structure of your GET: A tool side thing, it's possible to request the class list in filtered views that don’t ask for “all users”. Tools should ensure that your request is structured to get any users in a given course via their N&R API call.

Deep Linking

Q: I'm receiving an "IDX10511: Signature validation failed."

A: In this case, the modulus started with 00. There is a bug in .NET that is unable to handle this and the extra byte should be removed before encoding.

Q: Posting back during the deep linking workflow returned me to an Internal Error or a 500.

A: KID must be included in the header of the JWT.

Q: The deep linking return is failing with no error.

A: Always check the System Log. Further information including the message will be visible in the system log to help troubleshoot the issue.

Example: Could not find public key with id would mean that the KID in the JWT doesn't appear in the JWKS.

Q: I'm getting a bad request when sending back data from my tool.

A: The message hint expires after six hours. If you are in the tool for longer than six hours before returning back data, the message hint will expire and result in a bad request.

Migration API

Q: I have a custom widget using LTI 1.1. Can I migrate it using the API to 1.3?

A: No. We recommend recreating the widget using the LTI 1.3 placement worklfow.