My Public JWK URL is not working

RipunjayShuklaM
Community Member

I have developed an LTI 1.3 integration that is working successfully, including the Names & Roles service and Grade Passback. It works correctly with a Public Key or JWK value, but it is not working with my Public JWK URL (KeySet URL). My JWK URL is https://mbx-staging.getmagicbox.com/api/mag/lti/v1_3/keyset/690/jwks. Could you please help me identify the issue?

The response value is:

{
  "keys": [
    {
      "kty": "RSA",
      "e": "AQAB",
      "use": "sig",
      "kid": "4VVX",
      "alg": "RS256",
      "n": "ALt-j9QLyFJujrUU4XaL--twnv-RZ3mrfzDX71Q_FB7IodKQ5WjKNP3S-GgBgR2fcRL5iO-Kw62K1Mt130DzOGFf_Crt3Q9b5igoiNO7gxNDKPUmAmdT9aV6nFSMgTPthzWn-GpiSZK-7bPTl-frAsraX-w-NkNzTbLhEuelVMYtOd-Xndkz-EWEIoAUZ-2O1FFjCc5gr0vrPn4wzDB-xTiRcqeWr_lyDOs_2UzZ7RoBmkB1o83DZidEb8aEFjMR3m7-J-szaIAePeJSqcZOkFK_ah3OEtnwd_8sihJFYJMzsh4VlADv8rZPydeI0hIVKiFiNqkjptbze9jhVsfVYb0="
    }
  ]
} 

 

matthew_buckett
Community Contributor

Some things I've run into in the past with JWK URLs:

  • The content-type header on your JWK URL, you have `application/json` which is known to work. Some RFCs state that `application/jwk-set+json` should also work but there have been reports of this being broken in the past (I'm not sure if it's fixed now).
  • That you are adding a `kid` claim when creating your signed JWT. I think that when you upload a single JWK to Canvas it doesn't require you to set a `kid` claim in your JWT, but as soon as you switch to a JWK set (which can contain multiple JWKs) it refuses to verify the JWT unless it has a matching `kid` claim. I think this is the most likely problem.
  • That the developer key values are correctly updating when saving. There used to be a bug where some JWK values didn't save correctly and if you still had a JWK URL set when you pasted in a JWK key it would continue to use the URL. This was really confusing when I was testing things, but the "fix" used to be to clear out the URL before switching the dropdown. I don't think this is the issue you're seeing but might not be helping with debugging.
  • That the URL is accessible to Canvas. 

What error are you getting back from Canvas?

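A local check for the first two items in the answer above, added here as an example (it is not code from the thread or from Canvas): it reads the JOSE header of a JWT your tool produced and reports whether a `kid` is present and matches a key in the key set, and whether the keyset response uses `application/json`. The function names, the sample tokens and the trimmed key set are constructed for illustration, and the signature itself is not verified.

```python
import base64
import json

def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url JWT segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def sample_jwt(header: dict) -> str:
    """Build a constructed JWT for the demo; the signature part is a dummy."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc(header)}.{enc({'iss': 'constructed-tool'})}.ZHVtbXk"

def diagnose(jwt: str, jwks: dict, content_type: str) -> list[str]:
    """Return one finding per checklist item that applies; empty means none."""
    findings = []
    # Item 1: application/json is the content type the answer reports as working.
    media_type = content_type.split(";")[0].strip().lower()
    if media_type != "application/json":
        findings.append(f"content-type {media_type!r} is not application/json")
    # Item 2: with a key set, the JWT header should name the signing key by kid.
    header = json.loads(b64url_decode(jwt.split(".")[0]))
    kid = header.get("kid")
    known_kids = [k["kid"] for k in jwks.get("keys", []) if "kid" in k]
    if kid is None:
        findings.append("JWT header has no kid")
    elif kid not in known_kids:
        findings.append(f"kid {kid!r} not in key set {known_kids}")
    return findings

# Constructed key set: only the kid from the post is used; key material omitted.
JWKS = {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": "4VVX"}]}

if __name__ == "__main__":
    headers = (
        {"alg": "RS256", "typ": "JWT"},                 # kid missing
        {"alg": "RS256", "typ": "JWT", "kid": "4VVX"},  # kid matches the set
    )
    for hdr in headers:
        print(hdr, "->", diagnose(sample_jwt(hdr), JWKS, "application/json"))
```

To use it against a real launch, pass the JWT your tool actually sent and the JSON body and `Content-Type` returned by your keyset URL.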