Community Help

adrian-rocke · ‎10-28-2020

An LTI 1.3 tool I'm working on posts grades to Canvas through the LTI grading service. For most institutions this works just fine, but two of them are getting this error: Invalid access token field/s: the 'aud' is invalid. I've confirmed that the audience claim matches what is in the Canvas LTI docs. I have other institutions using canvas who's access tokens look similar and they aren't having any issues. Any ideas what is going on?

jrpburgos · ‎01-07-2021

@adrian-rocke were you able to get answer for this issue?

We have a similar issue. What we've discovered is that the "audience" claim in the access token is compared with the domain used in the lineitem url. And if the two don't match, the access token is flagged as invalid. It's repeatable. I would like to know if there is a way to support canvas sites that use different DNS aliases. Launching from an external LTI 1.3 tool isn't an issue. It's when the external tool tries to post back using the access token that seems to run into this problem.

View solution in original post

jrpburgos · ‎01-07-2021

@adrian-rocke were you able to get answer for this issue?

We have a similar issue. What we've discovered is that the "audience" claim in the access token is compared with the domain used in the lineitem url. And if the two don't match, the access token is flagged as invalid. It's repeatable. I would like to know if there is a way to support canvas sites that use different DNS aliases. Launching from an external LTI 1.3 tool isn't an issue. It's when the external tool tries to post back using the access token that seems to run into this problem.

adrian-rocke · ‎01-07-2021

I have not gotten an answer but I just put something in Canvas support through our developer sandbox environment. I'll see if the issue you found is what the problem is for us as well

joburg03 · ‎07-06-2021

Instructure provided this information:

When a tool is launched, the authentication request Canvas sends to the tool's OIDC endpoint includes a JWT in a 'lti_message_hint' parameter. This JWT contains context information about the tool launch, including a 'canvas_domain' value which indicates where the tool was launched from. If the application uses this value to set the audience claim for the client assertion, it should resolve this issue.

MikeStuart · ‎01-30-2023

I have also been encountering this issue with my LTI1.3 tool. I have tried setting the audience to the canvas domain value as Instructure suggested to you but that has not worked for me (the value was simply "canvas.[institution].edu"). Has anyone had this work successfully? Can anyone confirm this fix and show an example of the aud they used?

AGS access token is invalid

Use API to find and replace an enabled LTI?

Exporting Roll Call Attendance Data from Canvas to...

LTI 1.3 AGS Deleting a Line Item

Error While Setting a Canvas LMS on Window (WSL)

ícones de paginas e módulos no Canvas

Use API to find and replace an enabled LTI?

GraphQL Cache Response Post Update

Exporting Roll Call Attendance Data from Canvas to...

Targeted/Granular Global Announcements

LTI 1.3 AGS Deleting a Line Item

You're signed out

AGS access token is invalid

Community Help

View our top guides and resources: