[Admin Tools] Support OpenID configuration URL

Problem statement:

When developing LTI 1.3 tools a common thing is to need to validate the JWT that is returned at the end of the LTI launch. Existing libraries often assume that the server generating the JWT supports the full OpenID specification and will attempt to load the URL 'https://canvas.instructure.com/.well-known/openid-configuration' by concatenating the issuer with the string '/.well-known/openid-configuration'. This returns a 404 on Canvas.

Proposed solution:

To make configuration easier and more libraries able to be easily used with Canvas it would be helpful if Canvas supported some of the OpenID Connect Discovery specification: https://openid.net/specs/openid-connect-discovery-1_0.html If nothing else it would be helpful if in the OpenID configuration returned the location of the JWKs file to validate tokens against. So if it just contained:

    "issuer": "https://canvas.instructure.com/",
    "authorization_endpoint": https://canvas.instructure.com/api/lti/authorize_redirect",
    "jwks_uri": "https://canvas.instructure.com/api/lti/security/jwks"

As a second thing having the LTI JWKs URL also be available at: https://canvas.instructure.com/.well-known/jwks.json would align with what libraries commonly expect.

User role(s):


1 Comment
Status changed to: Added to Theme

This has been added to a theme for further consideration.