Showing results for 
Show  only  | Search instead for 
Did you mean: 
New Member

JWS signature invalid

Jump to solution

I am trying to use the Assignment and Grade Services in a tool and am stuck on retrieving an access token. I am following the instructions here to make a post request to /login/oauth2/token with a grant_type of client_credentials.

Here is the information contained in the body of the post request:

{'scope': '', 
'grant_type': 'client_credentials', 
'client_assertion': u'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMDAwMDAwMDAwMTUyOCIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6NTAwMC8iLCJqdGkiOiIxMjM0NTY3ODkwOTg3NjU0MzIxIiwiZXhwIjoxNTk4ODkyOTA4LjkyNjA0OSwiaWF0IjoxNTk4ODg5MzA4LjkyNjA0OSwiYXVkIjoiaHR0cHM6Ly93aWxleS5pbnN0cnVjdHVyZS5jb20vbG9naW4vb2F1dGgyL3Rva2VuIn0.NZOjZ-i-s7HvTiOL-wv50ptPIAiR10RyhaAksmLFqAEjPP0T1cO8TdDR0NXBkV5IupyLzW5Cm8AUgucz_LPyjbLwK48ZCbWqo6Z7_LabpQlzW4clqDh6V4DEBwl8pmRSsLrvNTCJHIQwiTbXFpRR0rGCtSQXAhNbvxh6GqL_HE1WJA2MaBLWtHdYKwMruHlSeEVIvCfb-g0Mw6XnmEodKkhAqO8c29LgZRmL80qSBImNrbLbWx7-DltV4Me-OeqUs_3hWUtzoTGTu2P7G8Wu6we-Hio45Qv9YIK-vcr6YYJO3JInxcUdF5b6cLrScEWQHyCn8c6fUUlMBjJPfiu6tQ', 
'client_assertion_type': 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'}

Decoded JWT:

  "sub": "10000000001528",
  "iss": "http://localhost:5000/",
  "jti": "1234567890987654321",
  "exp": 1598892908.926049,
  "iat": 1598889308.926049,
  "aud": ""

Using the following public key, I can verify that the signature for the jwt in the client_assertion field is valid by entering it into

-----END PUBLIC KEY-----

The LTI tool is configured as follows:



In the Public JWK field I have the following:

    "e": "AQAB",
    "n": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAr2kl1OwVx3D6UHFmnVoZ++9hWqp+c6Fg1mLMLJOIRKIGzh/nzLtbTQm+8+ilY05hHke9P+VO3i2Okece/JkCu9LbJWIIgi4sSPX0ZKgVmTt7rnSEYeg0hRqj1W2NDIyXf91c4jLQH0FbWSd70h503z1Q3AxcnUNkjuYP+5wsPhKoGT9Uk6I6aZUvDNlv+0Bm9/caqJDtYUASLZT/DlrEM3dkTCsgdJxW45oCF5cwfNQHV8gAMH0u3+KGxPBnO9WfR4UEKh+JD7iY70b0y3vOpMJFTWOZK1sZ7B0PppEId1zuxNT5arXMftSoJKnyoI6d3MgkRz2e2KO58AbbQK3poQIDAQAB",
    "alg": "RS256",
    "kid": "10000000001528",
    "kty": "RSA",
    "use": "sig"

And under LTI Advantage Services I have enabled all permissions.

I am stumped why this is not working. When I make the post request to https://<mydomain>/login/oauth2/token all I receive is this:

{"error":"invalid_request","error_description":"JWS signature invalid."}

 But the signature is valid.

Labels (2)
0 Kudos
18 Replies

It worked! What format did you use for the "n" field?

I merely converted the PEM format into JWKS format using PHP code.

0 Kudos

Awesome, thank you so much!

How can I get the n parameter? I don't understand wich is its origin

Community Member

I use one of the JWT PHP libraries to handle the conversion.  For example, the public key you quoted translates into:

To convert this yourself you could try using the latest version of my saLTIre test tool for LTI at  Try this:

  1. Select "1.3.0" as the LTI version on the Security Model page.
  2. Paste your PEM key into the Public key field in the Tool Details section .
  3. Click on the Save button in the header.
  4. Click on the View as JSON button next to the Public key field.

Thank you, this helps me a lot. I'll test it and confirm you.

Community Member

In my case, this JWS signature invalid error was caused by the fact that Canvas requires a Public JWK URL to be truly public, which means that, for localhost development use, you will need to paste a Public JWK into the Public JWK field. Note that you also need to delete any URL entered into Public JWK URL as it appears to default to this, even if you select Public JWK.

The scopes in the original posting are incorrect as well; they need a "/scope/" element added to the path. should be