Integrations Documentation

LTI Advantage - Developer FAQ

General

Q: Does Brightspace implement quota policies, or other usage restrictions such as rate limits, for extension requests?

A: Yes and no. For LTI Advantage 1.3 the LTI endpoints for AGS and NRPS are rate limited the exact same way as Brightspace APIs. Rate limiting is based on a per integration basis, not a per user basis. LTI legacy 1.1 outcomes are not rate limited.

Q. I receive a “422 unprocessable entity” when sending a LineItem score from a tool to Brightspace.

A. This error message appears when a tool attempts to send a LineItem score for a non-gradeable user role.

This functionality is controlled by enabling the Can be graded in Grades option in the user role settings in the Roles and Permissions tool.

To make the user role gradeable:

From the Admin Tools menu, click Roles and Permissions.
From the context menu of the role for which you want to edit properties, click Edit Settings.
In the Tool Behavior Options area, select the Can be graded in Grades check box.
Click Save and Close.

Authentication

Q: I receive a 404 error when trying to re-launch back to the Brightspace platform.

A: You must include all the parameters (including optional state) when performing a re-launch to bind the request.

Q: What values are required in the request for an Oauth 2.0 access token?

A: The below values are required:

iss: A unique ID for the entity that issued the JWT. The value of client_id from the platform. Same as sub.
sub: Same as iss, the client_id value of Oauth from the platform.
aud: Authorized server identifier(s) (provided by the platform).
- Given during tool registration via UI.
- URL: https://api.brightspace.com/auth/token They don’t go here, only pass this value in aud claim.
iat: Timestamp for when the JWT was created.
exp: Timestamp for when the JWT should be treated as expired.
jti: A unique identifier (potentially reusable) for the token.

Source: Using JSON Web Tokens with OAuth 2.0 Client-Credentials Grant

Q: Does Brightspace support public and private keys from a tool?

A: No, Brightspace supports a tool's JWK Key Set only.

Q: I'm receiving "error_description": "Error validating assertion: KeyId not found in token".

A: Brightspace supports a tool's JWKS routes. The key must be wrapped in a keys array as per the JWKS standard.

Q: I'm receiving an "error":"invalid_client".

A: The iss must be the client id which is the same as the sub. Refer to IMS Global's Token endpoint claim and services documentation for more details.

Q: When requesting an access token for the LTI service, I am receiving the following failure statements:

{"error":"invalid_grant","error_description":"Client is not authorized to set a 'kid' claim"}
{"error":"invalid_grant","error_description":"Error validating assertion: KeyId not found in token"}

A: Kid should only be included in the header and not in the payload.

Q: Sometimes sending a request to the auth service fails with an unknown error, such as:

{"error":"server_error","error_description":"An unexpected exception occurred"}

A: This is being thrown by our authentication service, which can be difficult to debug. Usually the errors are more clear, but in cases where they are not, the best option is to have the tool retrieve the request and send it to us to debug the issue.

Q: Does the platform support GET or POST for authorizing redirect URLs?

A: Both GET and POST are supported methods

Q: Does the platform support one-time public keys or JWKS URL?

A: Brightspace supports the use of JWKS URLs for both the platform keys and to retrieve the keys from the tool.

Q: What signing algorithms are supported?

A: RS256 is the supported algorithm.

Q: What size of key is supported: 1024 or 2048?

A: 2048 is the supported key size.

Q: What is the token retrieval endpoint for the platform?

A: Brightspace OAuth2 Access Token URL: https://auth.brightspace.com/core/connect/token

Q: I am receiving a Bad Request error.

A: Check the D2L System Log for any of the following messages:

Invalid Message Hint: The hint doesn't exist.
Message Hint Expired: This hint expired. Hints have a ten-minute expiry window for the initial login.
Failed to parse message hint: The hint doesn't have the correct format. Refer to the lti_message_hint login parameter specifications for more detail.

Assignments & Grades Service

Q: Which OAuth 2.0 grant type does the platform support for Assignments & Grades service?

A: We follow the security specification from IMS Global: Using JSON Web Tokens with OAuth 2.0 Client Credentials Grant.

Q: My tool is returning a grade, but the grade book is not being updated.

A: The Grades tool only reflects grades received from the tool that has a status of Fully Graded.

Q: My LineItem pass back is either failing or is not being created when I add it via Insert Stuff.

A: The line item passback will fail when using ISF or deep linking quicklink within the HTML editor. Line item passback works when creating an LTI content topic using a deep linking quicklink.

D2L recommends creating an LTI content topic using a deep linking quicklink rather than embedding within an HTML file.

Q: I am receiving the following error message: "LineItem cannot be associated with a widget context_launch resource link id".

A: Standalone LineItems will be accepted, but a LineItem cannot be associated with a widget in Brightspace.

Names & Roles

Q: I am not getting users unknown to my tool from the class list when using the Names & Roles Extension.

A: The following reasons could affect how the platform decides to send users over:

“Send Unknown Users” toggle: The obvious one is the toggle at the deployment level that dictates whether a tool is allowed to receive users it doesn’t already know about. As of Brightspace version 20.20.11, if “Classlist including users not known to this deployment” is enabled, then an NRPS request from the tool will auto-generate an LTI UserId for any user who has never launched an LTI link in Brightspace.
Structure of your GET: Depending on your tool, it's possible to request the class list in filtered views that don’t ask for “all users”. Tools should ensure that your request is structured to get any users in a given course via their N&R API call.

Deep Linking

Q: I'm receiving an "IDX10511: Signature validation failed" message.

A: In this case, the modulus started with 00. There is a bug in .NET that is unable to handle this and the extra byte should be removed before encoding.

Q: Posting back during the deep linking workflow returned me to an Internal Error or a 500.

A: KID must be included in the header of the JWT.

Q: The deep linking return is failing with no error.

A: Always check the System Log. Further information including the message will be visible in the system log to help troubleshoot the issue. For example: "Could not find public key with id" would mean that the KID in the JWT doesn't appear in the JWKS.

Q: I'm getting a bad request when sending back data from my tool.

A: The message hint expires after six hours. If you are in the tool for longer than six hours before returning back data, the message hint will expire and result in a bad request.

Migration API

Q: I have a custom widget using LTI 1.1. Can I migrate it using the API to LTI 1.3?

A: No. We recommend recreating the widget using the LTI 1.3 placement workflow.