i)ddlZddlZddlZddlmZmZddlZddlZddlm Z m Z m Z m Z m Z mZmZddlmZmZmZddlmZddlmZddlmZddlmZddlZdd lmZmZmZm Z ddl!m"Z#dd l$m%Z%e%e Z&ejNejP ejRe*Z+ejXd d Z-dZ.e-dZ/dZ0dZ1e-dZ2ejXddZ3ejXddZ4ejXddZ5ejXddZ6iZ7iZ8iZ9dZ:defdZ;dede Canvas will POST an id_token (JWT) after OIDC login. NrCrIzMissing id_token or state status_codedetailzInvalid or expired stater=zInvalid id_token header: r1zNo matching JWK for kid=RS256) algorithmsaudienceissuerizFailed to verify id_token: zInvalid nonce in id_tokensubcode)claimsrI auth_coder>z7

LTI Launch Success

sub (user id): z

deployment_id: z7https://purl.imsglobal.org/spec/lti/claim/deployment_idz

message_type: z6https://purl.imsglobal.org/spec/lti/claim/message_typez

lti_version: z1https://purl.imsglobal.org/spec/lti/claim/versionz

auth_code: z

)indentz3

Next: call /token_exchange?sub=z.&grant_type=authorization_code

)rWr(r rSrget_unverified_header Exceptionr/r5decoderr[rRIN_MEMORY_LAUNCHESr+dumpsr )r:rWrCrIexpected_nonceheaderser1r0jwkrmrkrnhtmls r.launchr{s/  Dxx #H HHW E 54OPP O#4NOO$U+G4NU++H5 ++e C D D# &C 6Nse4TUU W  y  zz'n,4OPP **U C 6"I99; sezz"[\]^jj!YZ[\ZZ STUV+ **VA & '(--0E2 D  y  U6OPQs4STTU  W6QRSQT4UVVWseG:F2AG:0F5G:#G$"G:#G*C G:5 G>GGG: G7"G22G77G:z/token_exchangerk grant_typec,K|tvr tddt|}i}|dk(r8|djd}|s tdddttt |d }n"|d k(rd ttd d }n tdd t jt4d{} |jt|ddid{}|jdddd{j!} | t#j"dt$|<t'| S77_#t j$rB}|j|jjn t|}tdd|d}~wwxYw7#1d{7swYxYww)z Exchange for an access token that can be used to call Canvas APIs. Supports: - grant_type=authorization_code (preferred in Canvas LTI 1.3) - grant_type=client_credentials (if enabled by your Canvas admin) zLaunch not found for subrdauthorization_codermz.https://purl.imsglobal.org/spec/lti/claim/codercz,No authorization code found in launch claims)r|rH client_secret redirect_urirlclient_credentialszurl:GET|/api/v1/*)r|rHrrLzUnsupported grant_typer#NAcceptzapplication/json)datarwizToken endpoint error: )token_response obtained_at)rtr r(rrr r%r&r'postTOKEN_ENDPOINTr*HTTPStatusErrorresponsetextstrr+rRIN_MEMORY_ACCESS_TOKENSr) rkr|r{rrlr,respexcrrs r.token_exchangers $$4NOO  $F D))h##$TUC8fg g/"*+   + +."*(  4LMM  7YY6 Y^$SeHfggD  ! ! #YYYY[N)yy{$C  ''!Yg$$ Y(+ (@3<<$$c#hDC:PQUPV8WX X Y YYYYsxBF D!!F$E?&D%D#D% F#E=$>F#D%%E:8=E55E::E?=F?FF F Fz /canvas_apiendpointc>K|tvr tddt|djd}|s tdd|jdsd|z}t|}t j t 4d {}|j|d d |i d {}|jdk\r$t|jd|jt|jcd d d d {S77c7 #1d {7swYy xYww)z Call a Canvas REST API endpoint using the stored access token. - endpoint should be the path under /api/v1 (e.g. /users/self/profile, /courses) r~z:No access token found for sub. Call /token_exchange first.rdr access_tokenrcz3Stored token response does not include access_token/r#N AuthorizationzBearer )rwzCanvas API returned error: ) rr r( startswithCANVAS_API_BASEr%r&r'rerrr+)rkrtokenr`r,r-s r. canvas_apirs  ))4pqq #C ()9 : > >~ NE 4ijj   s #>  hZ (C  7&&6**S?geWDDDD D!AD0 D<D=DDDDD DDz /_debug/statecKtSwN)rSr6r. debug_stater+s  z/_debug/launchescKtSwr)rtrr6r.debug_launchesr0s rz/_debug/tokenscKtSwr)rrr6r. debug_tokensr5s ""r)r)z /users/self)Gosr+rRtypingrrloggingr%fastapirrrrr r r fastapi.responsesr r rjoser jose.utilsr urllib.parserrrPdb_config.modelsrrrrdb_config.databasedatabasedbasedotenvrrouter basicConfigINFO getLogger__name__rYgetenvrr]rr)r[rrrr\r rSrtrr'r/rr5 api_routerar{r(rrrrrrr6r.rs^ ! WWWJJ'"MM" ',,'   8 $ bii 'BC L= 34F 0  M) BIIk#7 8  /+mn  -r2 "))-/ab $Dsx~(UFO4:! :!5:!z)eV_5@'@6@F 9(c9(s9(9(xM&#&&&8O   ##r6