Hi,
I use an OpenID server as an identity provider.
This year we decided to move our token signing certificate to a self-signed one.
When we did the swap on our test environment, the Canvas LMS instance started rejecting the token.
This doc: https://canvas.instructure.com/doc/api/authentication_providers.html states that Canvas LMS uses OpenID.
The spec defines a JWKS URI that should contain the signing keys used to sign the token, so the relying party (the Canvas LMS in this instance) is able to validate the token signature properly.
Canvas LMS should use the public key available at the JWKS endpoint.
The JWKS endpoint can be found in the discovery endpoint at /.well-known/openid-configuration.
Canvas LMS rejects the authentication token signed with the self-signed certificate.
Here is the sequence of events that led me to the hypothesis that Canvas LMS is not using the key provided at the JWKS URL and thus is rejecting the token:
At first, I was using the SSL certificate to sign the tokens.
This certificate is a valid (public) certificate.
When faced with the failed attempt to sign in, I rolled back the signing certificate to the HTTPS one.
Canvas LMS accepts this token.
Also, I found this issue from 2019: #1435
In this issue's last reply we have the following: "Canvas does not currently validate JWTs, as they are not a required part of the OpenID Connect Core spec. We do validate TLS certificates, so it's assumed you're setting it up over TLS, and that you have a valid certificate."
If I understood the statement correctly, using a valid HTTPS certificate should be enough.
Thanks in advance.
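As an added illustration (not Canvas code, nor the poster's OpenID server), this is what an OpenID Connect relying party does when it honours the jwks_uri: match the token header's kid against the published key set, pin the expected alg, and verify the RS256 signature with that key, so a rotated-in self-signed key works as soon as it is published and a key that is not in the JWKS is refused. Go standard library only; the IdP-side helpers (PublicJWK, SignRS256) and the kids in the test are constructed for the demo.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
)

// JWK is one entry of the "keys" array served at the IdP's jwks_uri (RFC 7517); RSA members only.
type JWK struct{ Kty, Kid, N, E string }
var b64 = base64.RawURLEncoding

// PublicJWK is what a (hypothetical) IdP publishes for a signing key under its kid.
func PublicJWK(priv *rsa.PrivateKey, kid string) JWK {
	return JWK{"RSA", kid, b64.EncodeToString(priv.N.Bytes()), b64.EncodeToString(big.NewInt(int64(priv.E)).Bytes())}
}
// SignRS256 builds a compact JWS the way the IdP does; used here only to create sample tokens.
func SignRS256(priv *rsa.PrivateKey, kid, claimsJSON string) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString([]byte(claimsJSON))
	h := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	return input + "." + b64.EncodeToString(sig)
}

// VerifyRS256 is the relying-party check: pin alg, find the header's kid in the JWKS, verify with that key.
func VerifyRS256(token string, jwks []JWK) error {
	parts := strings.Split(token, ".") // Split always yields at least one element, so parts[0] is safe
	var hdr struct{ Alg, Kid string }
	raw, err := b64.DecodeString(parts[0])
	if len(parts) != 3 || err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" {
		return errors.New("malformed token, bad header, or unexpected alg") // never trust the token's alg
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	for _, k := range jwks {
		if k.Kty != "RSA" || k.Kid != hdr.Kid { continue }
		nb, _ := b64.DecodeString(k.N)
		eb, _ := b64.DecodeString(k.E)
		sig, _ := b64.DecodeString(parts[2]) // a malformed signature simply fails to verify
		pub := &rsa.PublicKey{N: new(big.Int).SetBytes(nb), E: int(new(big.Int).SetBytes(eb).Int64())}
		return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig)
	}
	return errors.New("kid " + hdr.Kid + " not published in JWKS") // the rotation symptom: unknown key id
}
```

A relying party that skips this step and only checks the TLS certificate of the issuer, as the quoted 2019 reply describes, accepts any well-formed token regardless of which key signed it.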