--- loncom/lti/ltiroster.pm	2017/12/09 16:24:03	1.2
+++ loncom/lti/ltiroster.pm	2018/08/14 23:50:20	1.5
@@ -1,7 +1,7 @@
 # The LearningOnline Network with CAPA
 # LTI Consumer Module to respond to a course roster request.
 #
-# $Id: ltiroster.pm,v 1.2 2017/12/09 16:24:03 raeburn Exp $
+# $Id: ltiroster.pm,v 1.5 2018/08/14 23:50:20 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -32,6 +32,7 @@ use strict;
 use Apache::Constants qw(:common :http);
 use Encode;
 use Digest::SHA;
+use URI::Escape;
 use Apache::lonnet;
 use Apache::loncommon;
 use Apache::lonacc;
@@ -41,14 +42,36 @@ use LONCAPA::ltiutils;
 sub handler {
     my $r = shift;
     my %errors;
+    my $params = {};
+    my ($oauthtype,$authheader);
+#
+# Retrieve content type from headers
+#
+    my $content_type = $r->headers_in->get('Content-Type');
+    if ($content_type eq 'application/xml') {
+        $oauthtype = 'consumer';
+#
+# Retrieve OAuth data sent by LTI Provider from Authorization header
+#
+        $authheader = $r->headers_in->get('Authorization');
+        my ($authtype,$valuestr) = ($authheader =~ /^(OAuth)\s+(.+)$/i);
+        if (lc($authtype) eq 'oauth') {
+            foreach my $pair (split(/\s*,\s*/,$valuestr)) {
+                my ($key,$value) = split(/=/,$pair);
+                $value =~ s /(^"|"$)//g;
+                $params->{$key} = URI::Escape::uri_unescape($value);
+            }
+        }
+    } else {
+        $oauthtype = 'request token';
 #
 # Retrieve data POSTed by LTI Provider
 #
-    &Apache::lonacc::get_posted_cgi($r);
-    my $params = {};
-    foreach my $key (sort(keys(%env))) {
-        if ($key =~ /^form\.(.+)$/) {
-            $params->{$1} = $env{$key};
+        &Apache::lonacc::get_posted_cgi($r);
+        foreach my $key (sort(keys(%env))) {
+            if ($key =~ /^form\.(.+)$/) {
+                $params->{$1} = $env{$key};
+            }
         }
     }
 
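Review bot: The exact comparison `$content_type eq 'application/xml'` at the top of the added block sends a request whose header carries a parameter (for example `application/xml; charset=UTF-8`) or differs in case into the form-POST branch. There `$oauthtype` becomes 'request token' and the Authorization header is never read, so a legitimate signed request would fail verification. Matching on the media type alone, `if (defined($content_type) && $content_type =~ m{^application/xml\s*(?:;|$)}i) {`, avoids that and also the comparison against undef when the header is absent. In the parameter loop, `split(/=/,$pair)` has no limit, so a value containing an unescaped `=` is cut short; `split(/=/,$pair,2)` keeps it whole. The body of handler continues outside this hunk.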
@@ -122,9 +145,9 @@ sub handler {
     if ($ENV{'SERVER_PORT'} == 443) {
         $protocol = 'https';
     }
-    unless (LONCAPA::ltiutils::verify_request($params,$protocol,$r->hostname,$r->uri,
+    unless (LONCAPA::ltiutils::verify_request($oauthtype,$protocol,$r->hostname,$r->uri,
                                               $env{'request.method'},$consumer_secret,
-                                              \%errors)) {
+                                              $params,$authheader,\%errors)) {
         &invalid_request($r,\%errors);
         return OK;
     }
@@ -180,7 +203,7 @@ sub handler {
                                                     \%toolsettings,\%ltitools) eq 'ok') {
             if ($toolsettings{'gradesecret'} ne '') {
                 $needsresult = 1;
-                $gradesecret = $ltitools{'gradesecret'};
+                $gradesecret = $toolsettings{'gradesecret'};
             }
         }
     }