CANVAS rejects OIDC token signed with a self-signed certificate
Hi,
I use an openid server as an identity provider.
This year we decided to move our token signing certificate to a self-signed one.
When we did the swap on our test environment, the CANVAS LMS instance started rejecting the token.
This doc: https://canvas.instructure.com/doc/api/authentication_providers.html states that the Canvas LMS uses OpenID.
The spec defines a JWKS URI that should contain the signing keys used to sign the token, so the relying party (the CANVAS LMS in this instance) is able to validate the token signature properly.
Steps to reproduce:
- Configure the OpenID server to use a self-signed certificate
- Configure CANVAS LMS to use the identity provider created and configured in step 1
- Try to log in using the identity server configured in step 1
Expected behavior:
The CANVAS LMS should use the public key available in the JWKS endpoint.
The JWKS endpoint can be found in the discovery endpoint at /.well-known/openid-configuration
Actual behavior:
The CANVAS LMS rejects the authentication token signed with the self-signed certificate
Additional notes:
Here is the sequence of events that led me to the hypothesis that CANVAS LMS is not using the key provided in the JWKS URL and thus is rejecting the token:
At first, I was using the SSL certificate to sign the tokens.
This certificate is a valid certificate (publicly).
- Installed the self-signed certificate on the identity provider machine
- Installed the CA of the self-signed certificate on the identity provider machine
- Checked that the new self-signed certificate is showing up in the JWKS endpoint present in the discovery document
When faced with the failed attempt to sign in, I rolled back the signing certificate to the HTTPS one.
CANVAS LMS accepts this token.
Also, I found this issue from 2019: #1435
In this issue's last reply we have the following: "Canvas does not currently validate JWTs, as they are not a required part of the OpenID Connect Core spec. We do validate TLS certificates, so it's assumed you're setting it up over TLS, and that you have a valid certificate."
If I understood the statement correctly, using a valid HTTPS certificate should be enough.
Thanks in advance.
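The post describes the relying-party check the OIDC spec expects: resolve the `jwks_uri` from the discovery document and validate the id_token signature with the matching JWK, independent of whether the key is backed by a publicly trusted or a self-signed certificate. The following Go example is added here to show that check; it is not Canvas code and not from the original post. `verifyRS256`, `mintToken`, the `kid` value and the claims are all constructed for the demo, and the JWKS is built in memory instead of being fetched over TLS.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding
type jwk struct{ Kty, Kid, N, E string } // the RSA fields a relying party reads from jwks_uri

// verifyRS256 validates an id_token signature against the IdP's published JWKS.
// Trust comes from the JWKS document itself (fetched over TLS), not from any certificate
// chain behind the signing key, so a key backed by a self-signed cert verifies like any other.
func verifyRS256(token string, keys []jwk) error {
	p := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string }
	if raw, _ := b64.DecodeString(p[0]); len(p) != 3 || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" {
		return errors.New("malformed token or unsupported alg") // never accept alg=none or HS*
	}
	for _, k := range keys {
		if k.Kty != "RSA" || k.Kid != hdr.Kid {
			continue
		}
		n, _ := b64.DecodeString(k.N)
		e, _ := b64.DecodeString(k.E)
		pub := &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		sig, _ := b64.DecodeString(p[2])
		h := sha256.Sum256([]byte(p[0] + "." + p[1]))
		return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig)
	}
	return errors.New("no JWK with kid " + hdr.Kid)
}

// mintToken plays the IdP: it signs claims with key and returns the matching JWKS entry
// under kid (a constructed stand-in for what the real jwks_uri would serve).
func mintToken(key *rsa.PrivateKey, kid string, claims map[string]any) (string, []jwk) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	signing := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	h := sha256.Sum256([]byte(signing))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	k := jwk{Kty: "RSA", Kid: kid, N: b64.EncodeToString(key.N.Bytes()), E: b64.EncodeToString(big.NewInt(int64(key.E)).Bytes())}
	return signing + "." + b64.EncodeToString(sig), []jwk{k}
}
```

A real relying party would also check `iss`, `aud`, `exp` and the `nonce` after the signature passes; those claim checks are deliberately left out to keep the signature path visible.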