[Admin Tools] Support OpenID configuration URL
When developing LTI 1.3 tools, it is common to need to validate the JWT that is returned at the end of the LTI launch. Existing libraries often assume that the server generating the JWT supports the full OpenID specification and will attempt to load the URL 'https://canvas.instructure.com/.well-known/openid-configuration', which they build by concatenating the issuer with the string '/.well-known/openid-configuration'. This returns a 404 on Canvas.
To make configuration easier and allow more libraries to be used easily with Canvas, it would be helpful if Canvas supported some of the OpenID Connect Discovery specification (https://openid.net/specs/openid-connect-discovery-1_0.html). If nothing else, it would be helpful if the OpenID configuration returned the location of the JWKs file to validate tokens against. It would be enough if it just contained:

    {
      "issuer": "https://canvas.instructure.com/",
      "authorization_endpoint": "https://canvas.instructure.com/api/lti/authorize_redirect",
      "jwks_uri": "https://canvas.instructure.com/api/lti/security/jwks"
    }

Secondly, having the LTI JWKs URL also available at https://canvas.instructure.com/.well-known/jwks.json would align with what libraries commonly expect.
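Added example, not part of the original post and not Canvas or library code: a sketch of how a tool can resolve the JWKS location for an issuer, validating a discovery document when one exists and falling back to a pinned URL when discovery returns 404 as described above. The names resolve_jwks_uri, PINNED_JWKS and the injected fetch helper are assumptions, and the HTTP responses are constructed so the code runs offline.

```python
import json
from urllib.parse import urlsplit

# Issuer and JWKS location quoted in the post, pinned for issuers without discovery.
CANVAS = "https://canvas.instructure.com"
PINNED_JWKS = {CANVAS: CANVAS + "/api/lti/security/jwks"}

class DiscoveryError(Exception):
    """Raised when no trustworthy jwks_uri can be determined."""

def discovery_url(issuer):
    # OIDC Discovery: drop a trailing "/" before appending the well-known path.
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

def resolve_jwks_uri(issuer, fetch, pinned=PINNED_JWKS):
    """fetch(url) -> (status, body) is a hypothetical injected HTTP GET helper."""
    status, body = fetch(discovery_url(issuer))
    if status == 404:
        # Behaviour the post reports for Canvas: fall back to a pinned URL only.
        if issuer.rstrip("/") not in pinned:
            raise DiscoveryError("no discovery document and no pinned JWKS")
        return pinned[issuer.rstrip("/")]
    if status != 200:
        raise DiscoveryError(f"unexpected HTTP status {status}")
    try:
        doc = json.loads(body)
    except ValueError:
        doc = None
    if not isinstance(doc, dict):
        raise DiscoveryError("discovery document is not a JSON object")
    # The document must name the issuer we asked about, or its keys are not ours
    # to trust. Ignoring a trailing "/" is looser than the spec's exact match.
    if str(doc.get("issuer", "")).rstrip("/") != issuer.rstrip("/"):
        raise DiscoveryError("issuer mismatch in discovery document")
    jwks_uri = str(doc.get("jwks_uri", ""))
    if urlsplit(jwks_uri).scheme != "https":
        raise DiscoveryError("jwks_uri missing or not https")
    return jwks_uri

# Constructed responses standing in for real HTTP calls.
SAMPLE_DOC = json.dumps({
    "issuer": "https://canvas.instructure.com/",
    "jwks_uri": "https://canvas.instructure.com/api/lti/security/jwks",
})
def fetch_404(url): return 404, ""
def fetch_doc(url): return 200, SAMPLE_DOC
def fetch_wrong_issuer(url):
    return 200, json.dumps({"issuer": "https://other.example", "jwks_uri": "https://other.example/jwks"})
```

Pinning the fallback per issuer keeps a 404 from silently widening trust: an issuer that is neither discoverable nor pinned is rejected instead of guessed at.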