Can I know why the kid in the Canvas JWK is returned in a date format? How is the kid actually defined in that format? We are getting an error that the key ID from Canvas cannot be found, as it is returned in a date format.
This is returned by Canvas:
"kid":"2018-05-18T22:33:20Z"}
Previously, in Moodle and Blackboard, it returned the kid as a string and we were able to launch our tool already.
This is what is returned in Blackboard and Moodle:
"kid":"19rr770-6r66r-4467-bd70-8b4d1a51483c"
"kid": "f15g3774f6acc4740638e",
Does anyone know about this problem? Need some help!
The kid is a string, it just happens that Instructure (Canvas) put a date in that string. I'd guess they do this because they correctly do key rotation and using the date that the keypair was generated makes it easy to check that key rotation is happening and easy to also debug for humans.
There's some more detail about the kid parameter in the RFC: https://tools.ietf.org/html/rfc7517#section-4.5
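Added example, not part of the original reply: a key lookup that treats `kid` as an opaque, case-sensitive string (so a date-shaped value needs no special handling) and refetches the JWKS once on a miss to cope with key rotation. `KeyResolver`, `fetch_jwks`, `sample_token` and the sample key set are hypothetical names and constructed data; the two `2018-...` kid values are the ones quoted in this thread.

```python
import base64
import json


def jwt_header(token):
    """Decode the (still unverified) JOSE header, the first dot-separated segment."""
    segment = token.split(".")[0]
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))


class KeyResolver:
    """Pick the verification key for a JWT by exact kid match."""

    def __init__(self, fetch_jwks):
        self.fetch_jwks = fetch_jwks  # hypothetical callable returning the JWKS as a dict
        self.keys = {}

    def reload(self):
        jwks = self.fetch_jwks()
        # Index by kid as a plain string; never parse it as a date or a UUID.
        self.keys = {k["kid"]: k for k in jwks.get("keys", [])
                     if isinstance(k.get("kid"), str)}

    def resolve(self, token):
        kid = jwt_header(token).get("kid")
        if not isinstance(kid, str) or not kid:
            raise LookupError("JWT header carries no kid")
        if kid not in self.keys:
            self.reload()  # the platform may have rotated its keys since the last fetch
        if kid not in self.keys:
            # Fail closed: never fall back to "the first key in the set".
            raise LookupError("no key with kid %r in the JWKS" % kid)
        return self.keys[kid]


# Constructed sample data: the moduli are placeholders, not real key material.
SAMPLE_JWKS = {"keys": [
    {"kty": "RSA", "e": "AQAB", "n": "constructed-1", "kid": "2018-05-18T22:33:20Z"},
    {"kty": "RSA", "e": "AQAB", "n": "constructed-2", "kid": "2018-06-18T22:33:20Z"},
]}


def sample_token(kid):
    """Build a constructed, unsigned token whose header names the given kid."""
    header = json.dumps({"alg": "RS256", "typ": "JWT", "kid": kid}).encode()
    return base64.urlsafe_b64encode(header).rstrip(b"=").decode() + ".e30.constructed"
```

The resolver only selects a key; the signature still has to be verified with a JWT library using the key it returns.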
Hi Matthew,
I have an issue where the key ID is said to not match or be null. As far as I know, Canvas should provide us with the key ID.
As previously in Blackboard and Moodle, the keyid/kid is actually from the platform itself.
Here is my JWK:
"{\"kty\": \"RSA\",\"n\": \"ksVjuRa4tNmRZ3u5GRhxyj_VcfwiCrj2NxP00uLhkGR2BLc4yeCzrJRN33yhrENyUa7p0I8InQQjunjit4U_6ZB5ynNyn_aMU4UwoVaUWs0u9-Z9A1g_QuiCcE_JtJe5b53uft88wdahGf_8yhhK81lT5uszm_-gFBYiwuixXTqgh8V9tawQ3Zmv4OwIzlGEpZDslwnPvdVsY7gkFZ_PTQzmFuurIZdiUHCYf8DJaIwXTQtumveo3s6HgHpCBNgJi290Yy8qlOwtPA6umhiWHTrDnTTZxbemCNy69quelW16esGdkhaztIlXlbQ9iV8DzfVk-bPR9opHdyaOWKh30Q\",\"e\": \"AQAB\",\"alg\": \"RS256\",\"use\": \"sig\",\"kid\": \"pyPsWbcU7n\"}"
And this is the JWK from Canvas. It only returns the date and it says that the key ID is null.
Keyset:{"keys":[{"kty":"RSA","e":"AQAB","n":"uX1MpfEMQCBUMcj0sBYI-iFaG5Nodp3C6OlN8uY60fa5zSBd83-iIL3n_qzZ8VCluuTLfB7rrV_tiX727XIEqQ","kid":"2018-05-18T22:33:20Z"}
Here is the line of my code
Could you outline what you are trying to do?
My guess is that you have got a JWT from an LTI 1.3 launch and are trying to verify it. Is `jwksUrl` set to https://canvas.instructure.com/api/lti/security/jwks?
At the moment I see 3 keys (february/march/april).
Do you have an example JWT that you are trying to validate? What is the kid in the header on the JWT set to?
We are using LtiAdvantageTool. We are using the self-hosted version from Bitnami in AWS.
The JWK URL is set to http://54.169.45.155/api/lti/security/jwks.
We only receive the kid from "http://54.169.45.155/api/lti/security/jwks" in a date format.
Can I know why `jwksUrl` needs to be set to https://canvas.instructure.com/api/lti/security/jwks?
Reads and validates a 'JSON Web Token' (JWT) encoded as a JWS or JWE in Compact Serialized Format. In that image, the comment shows what we want to validate.
Ah ok, I'd assumed you were using the hosted version of Canvas, not the self hosted version. Your jwksUrl sounds correct then.
When you are trying to validate a token what does it log as the JWT Header KID?
If you haven't already found it https://jwt.io is really handy for debugging JWT tokens.
Hi Matthew,
I can already match the key. It actually contains "" in the key. It's a bit different from our actual key.
And for the validation, we have an issue: it says that the key must not be smaller than 1028 and it states that the key size is 512.
As we compared with Blackboard and Moodle, their keys are a bit longer than the above key from Canvas. The key below is from the dynamic_settings.yml file from Canvas:
Canvas: \"n\":\"uX1MpfEMQCBUMcj0sBYI-iFaG5Nodp3C6OlN8uY60fa5zSBd83-iIL3n_qzZ8VCluuTLfB7rrV_tiX727XIEqQ\",\"kid\":\"2018-06-18T22:33:20Z\",\"d\":\"pYwR64x-LYFtA13iHIIeEvfPTws50ZutyGfpHN-kIZz3k-xVpun2Hgu0hVKZMxcZJ9DkG8UZPqD-zTDbCmCyLQ\",\"p\":\"6OQ2bi_oY5fE9KfQOcxkmNhxDnIKObKb6TVYqOOz2JM\",\"q\":\"y-UBef95njOrqMAxJH1QPds3ltYWr8QgGgccmcATH1M\",\"dp\":\"Ol_xkL7rZgNFt_lURRiJYpJmDDPjgkDVuafIeFTS4Ic\",\"dq\":\"RtzDY5wXr5TzrwWEztLCpYzfyAuF_PZj1cfs976apsM\",\"qi\":\"XA5wnwIrwe5MwXpaBijZsGhKJoypZProt47aVCtWtPE\"}"
As we noticed, the key from Canvas contains d:, q:, and so on. I just want to confirm: is the key for Canvas the combination of d:, q:, ... stated above? And if it is, how can we use it to validate the Canvas key?
Moodle:
"n": "ttoxvW3fQ_upfXU9jvOoIxd7YedYSa-0QwU6k-2BT7THigvpoec_8cNsdNX-Hmfzc2N2KYUg2HboJcqTiKQ-nOJxMHUEEhoOrwWw6WcxloAuFHutJikTWuaSmEqIYNgMP0EkLQt
NvpgdzyEMJTOxzEZ0YchWkeZ3kK8dWAMx9hy71O11BWg4yX12KSHadcxY1qEUvX_XlfSOxRQFMiMvceySQ3GVV00NLuz3KCMVYt4jPPqHxWJ8ERUlEXlV4ceDS9JGj6lacEof3U_PJHPhA1rHnqqQYfNGWnBA2Jx43IdyyrtUeLCeFGNac3NzVYtRFK3eWIbFKGkqTH8SvSPWow",
Blackboard :
"n":"kA7Jc02pbLh7kOLrCE1-7aCPed2sD2_oj14ei0QzUp6A_RrkczvMpDDSwC1AWAzIKYX1dWRrQirublJ5yu1ULVmBt3DOtKeXI096TrH2TBfvzZNwMnWbm1GA2B5FMF2f7WxthqwbqvsgyKgjvzVSRlMk8H087PjsIUiwr9vOxZ-mHGo3B62jhYszpot2Nee2-iqy5hvcecpsZ-_e6bzVhSOIHoh0GoQkndXRzwBMJrhs_W_LrVTFrgTmyt9sAUwj8z2YSjkRBkwZAuWiIo7PccPLaIYtWjEUF0zVQN-ei_Zr8qb6J79HfDakirx9WaCj-HcpVwKJWH4fetYPKSxQVQ"}]}
In dynamic_settings.yml is the full public/private keypair. You should now regenerate the key used in there as you've shared the private key so it shouldn't be considered secure any more.
The private key should never leave the service that is using it to sign JWTs and it's just the public key that should be shared.
I would imagine that if you are re-generating the keypair you should be able to increase the key size (but sorry I don't know how to do the regeneration).
More details about private keys: https://tools.ietf.org/id/draft-jones-jose-json-private-and-symmetric-key-00.html
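Added example, not part of the original reply: an audit of a single RSA JWK for the two problems raised above, private-key members that must not leave the signing service and a modulus that is too short. The function names are hypothetical; the 2048-bit default is this example's assumption, taken from the RS256 requirement in RFC 7518 section 3.3 rather than from the error message quoted in the thread. The sample `n` and `kid` are the Canvas values posted above, and `d` is a constructed placeholder.

```python
import base64

# RSA private-key members defined in RFC 7518 section 6.3.2.
# None of them belongs in a published JWKS.
PRIVATE_RSA_MEMBERS = ("d", "p", "q", "dp", "dq", "qi", "oth")


def b64url_decode(value):
    """Decode unpadded base64url, the encoding JWK uses for big integers."""
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))


def rsa_modulus_bits(jwk):
    """Key size in bits, measured from the modulus n."""
    return int.from_bytes(b64url_decode(jwk["n"]), "big").bit_length()


def public_only(jwk):
    """Return the part of the JWK that is safe to publish."""
    return {k: v for k, v in jwk.items() if k not in PRIVATE_RSA_MEMBERS}


def audit_jwk(jwk, min_bits=2048):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    leaked = [m for m in PRIVATE_RSA_MEMBERS if m in jwk]
    if leaked:
        findings.append("private members present: " + ", ".join(leaked))
    bits = rsa_modulus_bits(jwk)
    if bits < min_bits:
        findings.append("modulus is %d bits, below the %d-bit minimum" % (bits, min_bits))
    return findings


# n and kid as posted in the thread; d is a constructed placeholder, not key material.
SAMPLE_KEY = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "uX1MpfEMQCBUMcj0sBYI-iFaG5Nodp3C6OlN8uY60fa5zSBd83-iIL3n_qzZ8VCluuTLfB7rrV_tiX727XIEqQ",
    "kid": "2018-06-18T22:33:20Z",
    "d": "constructed-placeholder",
}
```

Running `audit_jwk` over every entry of a platform's JWKS before trusting it catches both conditions early; a key that has been exposed with its private members still has to be regenerated, as the reply says.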