May I know what KID is?
How can we link this KID with our tools?
We face an issue where no matching key is found.
After investigating, we found out that the KID in the LMS platform is actually different from what is in our tools.
Does anyone know how to solve this?
KID is just the identifier for a key. This is needed because often a service will have multiple keys listed in its JWKS file. This is so that old keys can still be valid when a new key is deployed (key rotation) and the KID allows a service to say which key was used to sign a JWT so that a consuming system doesn't have to try all valid keys. Canvas typically has 3 keys in its JWKS files: https://canvas.instructure.com/api/lti/security/jwks
It is expected that a tool will have different KIDs in its JWKS file to Canvas. Canvas will use its keys to send LTI messages to you, and you can use its JWKS file and the KID in the JWT to validate that those messages are from Canvas. The reverse also applies: when you send a message back to Canvas, it will use the JWKS for your tool to validate the JWT (using the KID to know which key to use).
Although, as far as I'm aware, at the moment Canvas doesn't support multiple keys being registered for a tool at once (you can only set one). This is why I think it's called JWK rather than JWKS in the LTI Developer Key configuration.
KID stands for Key ID and is an identifier for the key used to sign a JWT. It is passed in the JWT header and is used to look up the relevant public key so the signature can be verified. If you are unable to obtain a public key with a matching KID value, then you are unable to verify the signature and hence should reject the request.
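The kid lookup described in the answers above, as an added example that is not part of the original posts and is not Canvas code: it reads the `kid` from the JWT header, searches the signer's JWKS (Canvas's key set for messages Canvas sent, never the tool's own), refetches once if a cached copy is stale after key rotation, and rejects otherwise. `fetch_jwks`, `cache`, `sample_token` and the key ids are hypothetical or constructed, RS256 is an assumption, and the signature must still be verified with the returned key.

```python
import base64
import json

class NoMatchingKey(Exception):
    """The signer's JWKS has no usable key for the kid in the JWT header."""

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwt_header(token: str) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    seg = parts[0]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def select_key(token: str, fetch_jwks, cache: dict) -> dict:
    """Find the JWK in the signer's key set whose kid matches the JWT header.

    fetch_jwks (hypothetical callable) downloads the signer's JWKS document;
    cache keeps the last copy so the URL is not hit on every request.
    """
    header = jwt_header(token)
    kid, alg = header.get("kid"), header.get("alg")
    if not kid or alg != "RS256":  # assumption: RS256-signed LTI messages
        raise NoMatchingKey(f"unusable header: kid={kid!r} alg={alg!r}")
    fetched = False
    while True:
        if "keys" not in cache:
            cache["keys"] = fetch_jwks()["keys"]
            fetched = True
        for jwk in cache["keys"]:
            if jwk.get("kid") == kid and jwk.get("kty") == "RSA":
                return jwk
        if fetched:  # fresh key set still has no match: reject the request
            raise NoMatchingKey(f"kid {kid!r} is not in the signer's JWKS")
        del cache["keys"]  # stale cache after key rotation: refetch once

def sample_token(kid: str, alg: str = "RS256") -> str:
    """Constructed JWT with a dummy payload and signature, for the demo only."""
    header = _b64url(json.dumps({"alg": alg, "kid": kid, "typ": "JWT"}).encode())
    return f"{header}.{_b64url(b'{}')}.{_b64url(b'sig')}"

# Constructed key sets: the signer rotated in "key-b" after we cached "key-a".
STALE = {"keys": [{"kty": "RSA", "kid": "key-a", "n": "constructed", "e": "AQAB"}]}
FRESH = {"keys": STALE["keys"] + [{"kty": "RSA", "kid": "key-b", "n": "constructed", "e": "AQAB"}]}

if __name__ == "__main__":
    cache = {"keys": list(STALE["keys"])}
    print(select_key(sample_token("key-b"), lambda: FRESH, cache)["kid"])
```

A kid that is still missing after the refetch usually means the JWT is being checked against the wrong party's key set, which matches the "no matching key found" symptom in the question.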
Can I say that the KID is defined by the tool provider, passed through the JWT header to Canvas, and validated?
I am using self-hosted Bitnami Canvas.
Do we need to define a private key in the dynamic_settings.yml file?
If yes, does that mean that the private key has to be paired with the public key in the tools?