My Public JWK URL is not working
08-22-2024
10:15 AM
I have developed an LTI 1.3 integration that is working successfully, including the Names & Roles service and Grade Passback. It works correctly with a Public Key or JWK value, but it is not working with my Public JWK URL (KeySet URL). My JWK URL is https://mbx-staging.getmagicbox.com/api/mag/lti/v1_3/keyset/690/jwks. Could you please help me identify the issue?
The response value is:
```json
{
  "keys": [
    {
      "kty": "RSA",
      "e": "AQAB",
      "use": "sig",
      "kid": "4VVX",
      "alg": "RS256",
      "n": "ALt-j9QLyFJujrUU4XaL--twnv-RZ3mrfzDX71Q_FB7IodKQ5WjKNP3S-GgBgR2fcRL5iO-Kw62K1Mt130DzOGFf_Crt3Q9b5igoiNO7gxNDKPUmAmdT9aV6nFSMgTPthzWn-GpiSZK-7bPTl-frAsraX-w-NkNzTbLhEuelVMYtOd-Xndkz-EWEIoAUZ-2O1FFjCc5gr0vrPn4wzDB-xTiRcqeWr_lyDOs_2UzZ7RoBmkB1o83DZidEb8aEFjMR3m7-J-szaIAePeJSqcZOkFK_ah3OEtnwd_8sihJFYJMzsh4VlADv8rZPydeI0hIVKiFiNqkjptbze9jhVsfVYb0="
    }
  ]
}
```
1 Solution
08-23-2024
02:10 AM
Some things I've run into in the past with JWK URLs:
- The content-type header on your JWK URL: you have `application/json`, which is known to work. Some RFCs state that `application/jwk-set+json` should also work, but there have been reports of this being broken in the past (I'm not sure if it's fixed now).
- That you are adding a `kid` claim when creating your signed JWT. I think that when you upload a single JWK to Canvas it doesn't require you to set a `kid` claim in your JWT, but as soon as you switch to a JWK set (which can contain multiple JWKs) it refuses to verify the JWT unless it has a matching `kid` claim. I think this is the most likely problem.
- That the developer key values are correctly updating when saving. There used to be a bug where some JWK values didn't save correctly and if you still had a JWK URL set when you pasted in a JWK key it would continue to use the URL. This was really confusing when I was testing things, but the "fix" used to be to clear out the URL before switching the dropdown. I don't think this is the issue you're seeing, but it might not be helping with debugging.
- That the URL is accessible to Canvas.
What error are you getting back from Canvas?
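
The `kid` check suggested in the answer above can be run offline before pointing Canvas at a key set URL. The following is an added example, not code from the thread or from Canvas: it reads the header of a signed JWT and reports whether a key in the JWK set can be selected for it. The function names and sample values are constructed, and the two encoding checks on `n` and `e` are not raised in the thread; they follow the base64url rules in RFC 7515 and RFC 7518.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    """Decode base64url; JOSE omits '=' padding, so restore it first."""
    segment = segment.rstrip("=")
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def check_jwt_against_jwks(token: str, jwks: dict) -> list:
    """Return findings about selecting a key from `jwks` for `token`."""
    header = json.loads(b64url_decode(token.split(".")[0]))
    keys = jwks.get("keys", [])
    kid = header.get("kid")
    if kid is None:
        return ["JWT header has no kid; a key set needs one to select a key"]
    matches = [k for k in keys if k.get("kid") == kid]
    if not matches:
        return [f"kid {kid!r} not in key set {[k.get('kid') for k in keys]}"]
    key, findings = matches[0], []
    if "alg" in key and key["alg"] != header.get("alg"):
        findings.append(f"alg mismatch: JWT {header.get('alg')}, JWK {key['alg']}")
    if key.get("use", "sig") != "sig":
        findings.append(f"JWK use is {key['use']!r}, not 'sig'")
    for name in ("n", "e"):  # RSA members, Base64urlUInt per RFC 7518
        value = key.get(name, "")
        if "=" in value:
            findings.append(f"{name} is padded with '='; RFC 7515 omits padding")
        if value and b64url_decode(value)[:1] == b"\x00":
            findings.append(f"{name} has a leading zero octet; RFC 7518 wants minimal")
    return findings


def sample_token(header: dict) -> str:
    """Constructed token: real header, placeholder payload and signature."""
    return ".".join(b64url_encode(p) for p in
                    (json.dumps(header).encode(), b"{}", b"not-a-signature"))


# Constructed sample data (not the poster's key).
GOOD_N = b64url_encode(b"\xbb" + b"\x01" * 7)
PADDED_N = base64.urlsafe_b64encode(b"\x00\xbb" + b"\x01" * 6).decode()
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "kid": "demo-1", "use": "sig",
                         "alg": "RS256", "e": "AQAB", "n": GOOD_N}]}
```

An empty list means a key with the same `kid` was found and nothing was flagged; the signature itself is not verified here.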