I wanted to know what format should the output be from a Public JWKS Url (from a Tool provider) that is used in LTI 1.3?
This is what we are sending out in our public url
{
  "keys": [
    {
      "kid": "PKOegFlbTOO7tlr2UQpcO7R3xEFysVPkoA6WjF-l5To",
      "kty": "RSA",
      "e": "AQAB",
      "n": "1Yh9NPQdVKgDwEN8jtlXq-1RhfqhKZ9qQAQTPrmrEJRJvzoHqPPi8W5Jh8-_fGX6rEzmttWdcTGU-dJCEUlXvnC2YXypf4HyQ9o2iEWBfYNWeBum6ti0Vuttetpszc9uwcE4z9wJXz7ejMqunn_PvJLmp7m9Ccap9gHNgB1Kr0wMIzYIApsMdmvcKSwdMoxWGTWgMDlHtbO8ea3FPW4W0kZPyv-WvngoxD5YIvfxo5_3vAVRRLSY--gUQ0WJ6yg8aKcdwF-mqVJgVAPvP6_xubpmf0dGCwzv0nhOF6OjpDQKRYRbzg_uU7ZWnRwBg6SslzdNBTZlnn_qCDYzI4_xBQ",
      "alg": "RS256",
      "use": "sig"
    }
  ]
}
But this gets a "JWK invalid key" error message when I request a token for AGS. I checked (and re-checked) the format and the values against JWT.IO, generated a JWKS from mkjwk.org and used that. And it just gets an error.
The only way I could get a token was to take the single key out of the keyset and paste it into the Public JWK field in the developer key, which led me to believe that Canvas is looking for a particular format of the JWKS. Can someone please show me what that format is supposed to be?
And also there is a bug in creating the Developer Key for an LTI app. Once you enter a value for the Public JWK URL it can't be replaced with a Public JWK value. You have to delete the Dev Key and start over.
Does anyone have an example of a JWKS url that works with Canvas (when requesting an Auth Token)? I just want to compare with what we have and see if there is something missing or extra that is causing the "JWS signature invalid" error to be issued.
Thanks for this question and workaround. I ran into the same issue. Did Canvas ever resolve the problem to accept a public_jwk_url?
But this gets a "JWK invalid key" error message when I request a token for AGS. I checked (and re-checked) the format and the values against JWT.IO, generated a JWKS from mkjwk.org and used that. And it just gets an error.
Having the exact same issue where using "Public JWK URL" field leads to an error. I can copy one of the keys in the list directly into the "Public JWK" field and launching and everything works, but can't use the "Public JWK URL" field.
I was expecting the JWT Public URL from the IMS reference implementation to work (e.g. https://lti-ri.imsglobal.org/lti/tools/573/.well-known/jwks.json), but that also leads to an error; it's fine if I copy and paste one of the keys.
And also there is a bug in creating the Developer Key for an LTI app. Once you enter a value for the Public JWK URL it can't be replaced with a Public JWK value. You have to delete the Dev Key and start over.
This is buggy for me too. I realized that I just have to make sure I clear the URL field, then I can change the dropdown to "Public JWK", fill in the JWK, and save. Not super elegant, but it works.
I realized why my public jwk url wasn't working for me. It was because I was running it locally. Although the launch, oidc/login and oauth token urls can be on localhost, it seems that the public jwk url has to be accessible outside of your local environment. I don't know the specifics behind this at all, but this is what I found with a bit of trial and error.
Thank you! Just wanted to add a link here to this useful post about the requirement for a JWKS format for the public key (as opposed to PEM format), as this could also cause problems with a pasted JWK.
I had exactly the same issue and just found out how to handle it.
In my case, the problem lies in the JWT format rather than the JWK format. Regarding the JWK format, the comments above are all correct.
If we paste one specific JWK object, which contains only one "kid", then everything is fine because there's no need to provide "kid" in the JWT header.
If we choose to put a JWK URL which contains a list of JWK objects, then we need to make sure we put "kid" in the JWT header when signing data so that the verifier can identify which "kid" is the correct one to use.
Here are the references.
1. A JSON::JWK::Set key works only when your JWT header includes the kid attribute (https://github.com/nov/json-jwt/wiki/JWS).
2. How to add a JWT header (example with python-jose: jws.sign(claims, key, headers=headers, algorithm=algorithm), where headers = { "alg": "RS256", "typ": "JWT", "kid": "put your kid here" }).
I hope this answer helps 😄
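An added example of the key-selection rule described in this answer (not code from the thread, from Canvas or from python-jose): a verifier parses the JWT header and picks the JWK from a key set by "kid", accepting a missing "kid" only when the set holds a single key. The key set and token are constructed samples (the "n" values are placeholders); only key selection is shown, not signature verification.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    """Decode unpadded base64url as used by JOSE compact serialization."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def jwt_header(token: str) -> dict:
    """Return the JOSE header of a compact JWS (header.payload.signature)."""
    return json.loads(b64url_decode(token.split(".")[0]))


def select_jwk(jwks: dict, token: str) -> dict:
    """Pick the JWK a verifier would use for this token.

    Mirrors the behaviour the thread describes: a single pasted JWK needs no
    'kid' in the header; a key set fetched from a JWKS URL needs the header
    'kid' to match exactly one key, otherwise verification cannot proceed.
    """
    header = jwt_header(token)
    keys = jwks.get("keys", [])
    if not keys:
        raise ValueError("JWKS has no keys")
    kid = header.get("kid")
    if kid is None:
        if len(keys) == 1:
            return keys[0]
        raise ValueError("header has no 'kid' but JWKS has %d keys" % len(keys))
    matches = [k for k in keys if k.get("kid") == kid]
    if len(matches) != 1:
        raise ValueError("kid %r matches %d keys" % (kid, len(matches)))
    key = matches[0]
    if header.get("alg") and key.get("alg") and header["alg"] != key["alg"]:
        raise ValueError("alg mismatch: header %s, key %s" % (header["alg"], key["alg"]))
    return key


# Constructed sample key set: two RSA keys, 'n' values are placeholders, not real moduli.
SAMPLE_JWKS = {"keys": [
    {"kid": "key-2023", "kty": "RSA", "e": "AQAB", "n": "PLACEHOLDER1", "alg": "RS256", "use": "sig"},
    {"kid": "key-2024", "kty": "RSA", "e": "AQAB", "n": "PLACEHOLDER2", "alg": "RS256", "use": "sig"},
]}


def make_unsigned_token(header: dict) -> str:
    """Build a compact JWS with a dummy signature, enough to exercise key selection."""
    payload = {"iss": "tool-client-id", "aud": "https://canvas.example/login/oauth2/token"}
    return ".".join([b64url_encode(json.dumps(header).encode()),
                     b64url_encode(json.dumps(payload).encode()),
                     b64url_encode(b"dummy-signature")])
```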
This discussion post is outdated and has been archived. Please use the Community question forums and official documentation for the most current and accurate information.