MatthewD
New Member

JWS signature invalid

I am trying to use the Assignment and Grade Services in a tool and am stuck on retrieving an access token. I am following the instructions here to make a post request to /login/oauth2/token with a grant_type of client_credentials.

Here is the information contained in the body of the post request:

{'scope': 'https://purl.imsglobal.org/spec/lti-ags/lineitem https://purl.imsglobal.org/spec/lti-ags/result/read', 
'grant_type': 'client_credentials', 
'client_assertion': u'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMDAwMDAwMDAwMTUyOCIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6NTAwMC8iLCJqdGkiOiIxMjM0NTY3ODkwOTg3NjU0MzIxIiwiZXhwIjoxNTk4ODkyOTA4LjkyNjA0OSwiaWF0IjoxNTk4ODg5MzA4LjkyNjA0OSwiYXVkIjoiaHR0cHM6Ly93aWxleS5pbnN0cnVjdHVyZS5jb20vbG9naW4vb2F1dGgyL3Rva2VuIn0.NZOjZ-i-s7HvTiOL-wv50ptPIAiR10RyhaAksmLFqAEjPP0T1cO8TdDR0NXBkV5IupyLzW5Cm8AUgucz_LPyjbLwK48ZCbWqo6Z7_LabpQlzW4clqDh6V4DEBwl8pmRSsLrvNTCJHIQwiTbXFpRR0rGCtSQXAhNbvxh6GqL_HE1WJA2MaBLWtHdYKwMruHlSeEVIvCfb-g0Mw6XnmEodKkhAqO8c29LgZRmL80qSBImNrbLbWx7-DltV4Me-OeqUs_3hWUtzoTGTu2P7G8Wu6we-Hio45Qv9YIK-vcr6YYJO3JInxcUdF5b6cLrScEWQHyCn8c6fUUlMBjJPfiu6tQ', 
'client_assertion_type': 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'}

Decoded JWT:

{
  "sub": "10000000001528",
  "iss": "http://localhost:5000/",
  "jti": "1234567890987654321",
  "exp": 1598892908.926049,
  "iat": 1598889308.926049,
  "aud": "https://wiley.instructure.com/login/oauth2/token"
}

Using the following public key, I can verify that the signature for the jwt in the client_assertion field is valid by entering it into jwt.io.

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAr2kl1OwVx3D6UHFmnVoZ
++9hWqp+c6Fg1mLMLJOIRKIGzh/nzLtbTQm+8+ilY05hHke9P+VO3i2Okece/JkC
u9LbJWIIgi4sSPX0ZKgVmTt7rnSEYeg0hRqj1W2NDIyXf91c4jLQH0FbWSd70h50
3z1Q3AxcnUNkjuYP+5wsPhKoGT9Uk6I6aZUvDNlv+0Bm9/caqJDtYUASLZT/DlrE
M3dkTCsgdJxW45oCF5cwfNQHV8gAMH0u3+KGxPBnO9WfR4UEKh+JD7iY70b0y3vO
pMJFTWOZK1sZ7B0PppEId1zuxNT5arXMftSoJKnyoI6d3MgkRz2e2KO58AbbQK3p
oQIDAQAB
-----END PUBLIC KEY-----

The LTI tool is configured as follows:

key.png

config.png

In the Public JWK field I have the following:

{
    "e": "AQAB",
    "n": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAr2kl1OwVx3D6UHFmnVoZ++9hWqp+c6Fg1mLMLJOIRKIGzh/nzLtbTQm+8+ilY05hHke9P+VO3i2Okece/JkCu9LbJWIIgi4sSPX0ZKgVmTt7rnSEYeg0hRqj1W2NDIyXf91c4jLQH0FbWSd70h503z1Q3AxcnUNkjuYP+5wsPhKoGT9Uk6I6aZUvDNlv+0Bm9/caqJDtYUASLZT/DlrEM3dkTCsgdJxW45oCF5cwfNQHV8gAMH0u3+KGxPBnO9WfR4UEKh+JD7iY70b0y3vOpMJFTWOZK1sZ7B0PppEId1zuxNT5arXMftSoJKnyoI6d3MgkRz2e2KO58AbbQK3poQIDAQAB",
    "alg": "RS256",
    "kid": "10000000001528",
    "kty": "RSA",
    "use": "sig"
}

And under LTI Advantage Services I have enabled all permissions.

I am stumped why this is not working. When I make the post request to https://<mydomain>/login/oauth2/token all I receive is this:

{"error":"invalid_request","error_description":"JWS signature invalid."}

But the signature is valid.


It worked! What format did you use for the "n" field?

I merely converted the PEM format into JWKS format using PHP code.

Awesome, thank you so much!

How can I get the n parameter? I don't understand which is its origin.

svickers2
Community Member

I use one of the JWT PHP libraries to handle the conversion. For example, the public key you quoted translates into:

To convert this yourself you could try using the latest version of my saLTIre test tool for LTI at https://saltire.lti.app/platform.  Try this:

  1. Select "1.3.0" as the LTI version on the Security Model page.
  2. Paste your PEM key into the Public key field in the Tool Details section.
  3. Click on the Save button in the header.
  4. Click on the View as JSON button next to the Public key field.

Thank you, this helps me a lot. I'll test it and confirm with you.

theotherdy
Community Member

In my case, this JWS signature invalid error was caused by the fact that Canvas requires a Public JWK URL to be truly public, which means that, for localhost development use, you will need to paste a Public JWK into the Public JWK field. Note that you also need to delete any URL entered into Public JWK URL as it appears to default to this, even if you select Public JWK.

The scopes in the original posting are incorrect as well; they need a "/scope/" element added to the path.

https://purl.imsglobal.org/spec/lti-ags/lineitem should be https://purl.imsglobal.org/spec/lti-ags/scope/lineitem