Plus signs in signatures are replaced by spaces
Gwildor opened this issue
Some signatures generated through lti aren't accepted by it because they contain spaces, while the signature generated to confirm the body has plus signs at those locations. I assume this occurs because `urllib.parse.parse_qs` is used in the `lti.utils` module.
For instance, calling `generate_launch_data()` on a `ToolConsumer` instance might give me `fJhMAcT9cEl4uyt3 tM q6QKPcw=` as OAuth signature, but oauthlib generates `fJhMAcT9cEl4uyt3+tM+q6QKPcw=` with the same body and secret.
There is a bug in line 60 of tool_consumer.py. It should not call both unquote and parse_qs. parse_qs unquotes when it parses, so you are seeing a double unquoting going on, the first is taking the %2B and turning it into a + and the second takes the + and turns it into a
The fix is to remove the unquote call on line 60.
I am wondering if once this issue is fixed, there will be an issue with the fact that the data is returned as a dict and therefore the order is not guaranteed.
I don't think so. OAuth specifies how to order it, and most frameworks (Django, for instance) provide access to POST data as a dictionary, which is able to be validated directly.
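The double decoding discussed in this thread, reproduced as an added example (not code from the lti library or from any commenter). The signature value is the one quoted in the issue; the other parameters and the function names are constructed for illustration. It goes slightly beyond the thread by showing that an encoded `&` in a value is also damaged by the extra decoding pass.

```python
from urllib.parse import parse_qs, unquote, urlencode

# Constructed sample body: only the signature value comes from the issue.
SIGNATURE = "fJhMAcT9cEl4uyt3+tM+q6QKPcw="
BODY = urlencode({
    "oauth_consumer_key": "example-key",   # constructed
    "oauth_signature": SIGNATURE,
    "context_title": "R&D",                # constructed
    "resource_link_id": "link 1",          # constructed
})


def parse_double(body):
    """Pattern described in the thread: unquote first, then parse_qs.

    unquote turns %2B into '+', and parse_qs then decodes that '+' as a space.
    """
    return {k: v[0] for k, v in parse_qs(unquote(body)).items()}


def parse_once(body):
    """Suggested fix: parse_qs performs the only decoding pass."""
    return {k: v[0] for k, v in parse_qs(body).items()}


def corrupted_fields(body):
    """Names of fields whose value differs between single and double decoding."""
    once, twice = parse_once(body), parse_double(body)
    return sorted(k for k in once if once[k] != twice.get(k))


if __name__ == "__main__":
    print("encoded body :", BODY)
    print("double decode:", parse_double(BODY)["oauth_signature"])
    print("single decode:", parse_once(BODY)["oauth_signature"])
    print("fields changed by double decoding:", corrupted_fields(BODY))
```

A check like `corrupted_fields` can serve as a regression test for any code path that parses form-encoded OAuth parameters before signature comparison.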