Community Help

MatthewD · ‎08-31-2020

I am trying to use the Assignment and Grade Services in a tool and am stuck on retrieving an access token. I am following the instructions here to make a post request to /login/oauth2/token with a grant_type of client_credentials.

Here is the information contained in the body of the post request:

{'scope': 'https://purl.imsglobal.org/spec/lti-ags/lineitem https://purl.imsglobal.org/spec/lti-ags/result/read', 
'grant_type': 'client_credentials', 
'client_assertion': u'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMDAwMDAwMDAwMTUyOCIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6NTAwMC8iLCJqdGkiOiIxMjM0NTY3ODkwOTg3NjU0MzIxIiwiZXhwIjoxNTk4ODkyOTA4LjkyNjA0OSwiaWF0IjoxNTk4ODg5MzA4LjkyNjA0OSwiYXVkIjoiaHR0cHM6Ly93aWxleS5pbnN0cnVjdHVyZS5jb20vbG9naW4vb2F1dGgyL3Rva2VuIn0.NZOjZ-i-s7HvTiOL-wv50ptPIAiR10RyhaAksmLFqAEjPP0T1cO8TdDR0NXBkV5IupyLzW5Cm8AUgucz_LPyjbLwK48ZCbWqo6Z7_LabpQlzW4clqDh6V4DEBwl8pmRSsLrvNTCJHIQwiTbXFpRR0rGCtSQXAhNbvxh6GqL_HE1WJA2MaBLWtHdYKwMruHlSeEVIvCfb-g0Mw6XnmEodKkhAqO8c29LgZRmL80qSBImNrbLbWx7-DltV4Me-OeqUs_3hWUtzoTGTu2P7G8Wu6we-Hio45Qv9YIK-vcr6YYJO3JInxcUdF5b6cLrScEWQHyCn8c6fUUlMBjJPfiu6tQ', 
'client_assertion_type': 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'}

Decoded JWT:

{
  "sub": "10000000001528",
  "iss": "http://localhost:5000/",
  "jti": "1234567890987654321",
  "exp": 1598892908.926049,
  "iat": 1598889308.926049,
  "aud": "https://wiley.instructure.com/login/oauth2/token"
}

Using the following public key, I can verify that the signature for the jwt in the client_assertion field is valid by entering it into jwt.io.

The LTI tool is configured as follows:

In the Public JWK field I have the following:

{
    "e": "AQAB",
    "n": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAr2kl1OwVx3D6UHFmnVoZ++9hWqp+c6Fg1mLMLJOIRKIGzh/nzLtbTQm+8+ilY05hHke9P+VO3i2Okece/JkCu9LbJWIIgi4sSPX0ZKgVmTt7rnSEYeg0hRqj1W2NDIyXf91c4jLQH0FbWSd70h503z1Q3AxcnUNkjuYP+5wsPhKoGT9Uk6I6aZUvDNlv+0Bm9/caqJDtYUASLZT/DlrEM3dkTCsgdJxW45oCF5cwfNQHV8gAMH0u3+KGxPBnO9WfR4UEKh+JD7iY70b0y3vOpMJFTWOZK1sZ7B0PppEId1zuxNT5arXMftSoJKnyoI6d3MgkRz2e2KO58AbbQK3poQIDAQAB",
    "alg": "RS256",
    "kid": "10000000001528",
    "kty": "RSA",
    "use": "sig"
}

And under LTI Advantage Services I have enabled all permissions.

I am stumped why this is not working. When I make the post request to https://<mydomain>/login/oauth2/token all I receive is this:

{"error":"invalid_request","error_description":"JWS signature invalid."}

But the signature is valid.

svickers2 · ‎08-31-2020

I merely converted the PEM format into JWKS format using PHP code.

View solution in original post

michael1 · ‎01-26-2023

I also had this error, but my LTI was working through D2L and Blackboard. Turns out if you're using a "Public JWK URL", Canvas expects the URL result's content-type header to be "application/json".

View solution in original post

svickers2 · ‎08-31-2020

It seems an unlikely coincidence that your kid and sub values are the same. Have you checked the kid value in the header of the JWT you're sending?

MatthewD · ‎08-31-2020

I read somewhere in the canvas documentation that the kid value just needed to be unique, so I set it to the sub value. I have tried setting it to a random value, but I still receive the same error.

svickers2 · ‎08-31-2020

You are right, the kid value can be anything. But have you tried including it in the header of the JWT?

MatthewD · ‎08-31-2020

I tried that and still get "JWS signature invalid"

svickers2 · ‎08-31-2020

Are you sure your public key is correct? The "n" element looks remarkably like it is a PEM format value.

MatthewD · ‎08-31-2020

Yes, I took the public key in PEM format and just stripped off "-----BEGIN PUBLIC KEY-----" and "-----END PUBLIC KEY-----". I'm guessing that's not how to do it?

svickers2 · ‎08-31-2020

Given the PEM format public key you quoted, I make the JWKS format as being:

{
"kty": "RSA",
"n": "sH8_-uavYxkWoEXm0QHDrZbfWByo0pEQdpy-EEdiQU_LVxlS4Et-ArUVq28hf1PRgGxRGEMzVXddyUgrrYuPV_17okqZZshfJnjqUpcN5d-mkyIs3XO-DLqI2UIoNXtEP5zlWvJTkqzUUlXg9y3QIHM_-1j8G3KeJKxIhezuLIUMJLSfJv3CgKF6CHPCT0JLPbOEStDCzzqQwIulDhU3Ts6N4CPttOoG8w9FS0Z6fJjYWeeztAtstBggXw4_Hgq7_-TaxV8tct5rWighV50Z5SJA1xi7w4GlfvV4EpwixUfSOZzAN_RAzFoiq6MgBCl-rtb7mCAxuSfkD5xSoMe0rw",
"e": "AQAB",
"kid": "10000000001528",
"alg": "RS256",
"use": "sig"
}

MatthewD · ‎08-31-2020

Copied and pasted that into the Public JWK field in canvas, but I still get the same error

svickers2 · ‎08-31-2020

Sorry, I think I generated an incorrect JWKS entry; try this one:

{
    "kty": "RSA",
    "n": "r2kl1OwVx3D6UHFmnVoZ--9hWqp-c6Fg1mLMLJOIRKIGzh_nzLtbTQm-8-ilY05hHke9P-VO3i2Okece_JkCu9LbJWIIgi4sSPX0ZKgVmTt7rnSEYeg0hRqj1W2NDIyXf91c4jLQH0FbWSd70h503z1Q3AxcnUNkjuYP-5wsPhKoGT9Uk6I6aZUvDNlv-0Bm9_caqJDtYUASLZT_DlrEM3dkTCsgdJxW45oCF5cwfNQHV8gAMH0u3-KGxPBnO9WfR4UEKh-JD7iY70b0y3vOpMJFTWOZK1sZ7B0PppEId1zuxNT5arXMftSoJKnyoI6d3MgkRz2e2KO58AbbQK3poQ",
    "e": "AQAB",
    "kid": "10000000001528",
    "alg": "RS256",
    "use": "sig"
}

MatthewD · ‎08-31-2020

It worked! What format did you use for the "n" field?

svickers2 · ‎08-31-2020

I merely converted the PEM format into JWKS format using PHP code.

MatthewD · ‎08-31-2020

Awesome, thank you so much!

claudiateresita · ‎09-09-2020

How can I get the n parameter? I don't understand wich is its origin

MarkClaassen · ‎04-11-2022

The scopes in the original posting are incorrect as well; they need a "/scope/" element added to the path.

https://purl.imsglobal.org/spec/lti-ags/lineitem should be https://purl.imsglobal.org/spec/lti-ags/scope/lineitem

svickers2 · ‎09-10-2020

I use one of the JWT PHP libraries to handle the conversion. For example, the public key you quoted translates into:

{
    "kty": "RSA",
    "n": "r2kl1OwVx3D6UHFmnVoZ--9hWqp-c6Fg1mLMLJOIRKIGzh_nzLtbTQm-8-ilY05hHke9P-VO3i2Okece_JkCu9LbJWIIgi4sSPX0ZKgVmTt7rnSEYeg0hRqj1W2NDIyXf91c4jLQH0FbWSd70h503z1Q3AxcnUNkjuYP-5wsPhKoGT9Uk6I6aZUvDNlv-0Bm9_caqJDtYUASLZT_DlrEM3dkTCsgdJxW45oCF5cwfNQHV8gAMH0u3-KGxPBnO9WfR4UEKh-JD7iY70b0y3vOpMJFTWOZK1sZ7B0PppEId1zuxNT5arXMftSoJKnyoI6d3MgkRz2e2KO58AbbQK3poQ",
    "e": "AQAB",
    "alg": "RS256",
    "use": "sig"
}

svickers2 · ‎09-10-2020

To convert this yourself you could try using the latest version of my saLTIre test tool for LTI at https://saltire.lti.app/platform. Try this:

Select "1.3.0" as the LTI version on the Security Model page.
Paste your PEM key into the Public key field in the Tool Details section .
Click on the Save button in the header.
Click on the View as JSON button next to the Public key field.

claudiateresita · ‎09-10-2020

Thank you, this helps me a lot. I'll test it and confirm you.

theotherdy · ‎02-19-2021

In my case, this JWS signature invalid error was caused by the fact that Canvas requires a Public JWK URL to be truly public, which means that, for localhost development use, you will need to paste a Public JWK into the Public JWK field. Note that you also need to delete any URL entered into Public JWK URL as it appears to default to this, even if you select Public JWK.

l_osullivan · ‎01-19-2024

Thank you! I've spent a day tearing my hair out over this!

michael1 · ‎01-26-2023

I also had this error, but my LTI was working through D2L and Blackboard. Turns out if you're using a "Public JWK URL", Canvas expects the URL result's content-type header to be "application/json".

Adeel-Raza · ‎08-06-2023

@michael1 Thank you for the hint. Missing this one line on the Public JWK URL response cost me 3-4 days of frustration and debugging.

header('Content-Type: application/json');

JWS signature invalid

LTI

OAuth2

New Analytics from API -- getting student weekly p...

Link checker for all active courses

GitHub issues

Is there a way to get the resource link id in LtiD...

admin icon not displaying

New Analytics from API -- getting student weekly p...

Search Canvas API pageviews listing

Link checker for all active courses

Seeking Canvas App Developer

GitHub issues

You're signed out

JWS signature invalid

Community Help

View our top guides and resources: