Community Help

glparker · ‎06-01-2021

I've setting up a hello world LTI 1.3 ,and I've got it working to the point that I'm getting back what appears to be a valid

id_token

I can take this id_token, and paste it into https://jwt.io/ and I can see expected results.

What I can't figure out is what jwt.io is doing to decode/decrypt this id-token. The docs say
https://canvas.instructure.com/doc/api/file.lti_dev_key_config.html

The request will include an id_token which is a signed JWT containing the LTI payload (user identifiers, course contextual data, custom data, etc.). Tools must validate the request is actually coming from Canvas using Canvas' public JWKs.

But the linked docs don't say "How" to perform this verification.

What is the workflow for decoding and validating the id_token once we've gotten it?

svickers2 · ‎06-01-2021

The JWT passed in the id_token parameter will have been signed by Canvas using its private key. As a tool you need to verify the signature using the public key which can be fetched from an endpoint such as https://canvas.instructure.com/api/lti/security/jwks (different endpoints are used for the test and development environments). A JWT library for your language of choice would normally include a method for doing this; otherwise check the documentation for JWTs for details. Once you have verified the signature of the JWT you can rely on the authenticity of its contents to process the request received.

LTI 1.3 : What to do with the id_token in Step 4

reCAPTCHA for Self-hosted Canvas

Web Fonts being part of a custom theme?

Custom css json Dashboard

How to enable Upload/Recording Media option to tak...

outh2 flow token generation

reCAPTCHA for Self-hosted Canvas

Web Fonts being part of a custom theme?

Custom css json Dashboard

Setting Assignment unlock date for a specific Sect...

Current graded by

You're signed out

LTI 1.3 : What to do with the id_token in Step 4

Community Help

View our top guides and resources: