Hi, we are trying to set up our Canvas site to provide JWT keys for an LTI 1.3 application. It works well with the example keys in dynamic_settings.example, but how do we make our own set of keys?
I have made the keys using rails console (as pointed to in the example https://github.com/instructure/canvas-lms/blob/master/config/dynamic_settings.yml.example#L109) but there is no mention of what to do with the private key. If we omit storing it, Canvas just answers with "Private key is needed" when the JWTs are checked.
I have extracted the private one and put in the jwt in the dynamic_settings file using rails console, but there is no hint of where to put the private part.
This is the error:
"response_mode"=>"form_post", "response_type"=>"id_token",
"scope"=>"openid", "state"=>"state-605dcecca20612_55801496"}
> request_id: bab679f6-3dde-45b9-aa99-9f750e3bbbfb
> request_parameters: {}
> response_code: 500
> session_id: 63cc4c75ff41d22fcbd56e86f7279895
> type:
> Private key is needed.
/opt/canvas-ruby/embedded/lib/ruby/gems/2.6.0/gems/json-jwt-1.13.0/lib/json/jws.rb:107:in `sign'
/opt/canvas-ruby/embedded/lib/ruby/gems/2.6.0/gems/json-jwt-1.13.0/lib/json/jws.rb:107:in `sign'
/opt/canvas-ruby/embedded/lib/ruby/gems/2.6.0/gems/json-jwt-1.13.0/lib/json/jws.rb:17:in `sign!'
/opt/canvas-ruby/embedded/lib/ruby/gems/2.6.0/gems/json-jwt-1.13.0/lib/json/jwt.rb:35:in `sign'
/var/www/canvas/gems/lti-advantage/lib/lti_advantage/messages/jwt_message.rb:70:in `create_jws'
/var/www/canvas/lib/lti/messages/jwt_message.rb:38:in `generate_id_token'
/var/www/canvas/app/controllers/lti/ims/authentication_controller.rb:136:in
I think that you will find that the entries in the lti-keys section of the dynamic_settings.yml file are actually private keys, not public ones. As I recall this is where your private keys should go.
Thanks, it makes sense, but when we did that we got the "Private key is needed" error. Is there maybe a cache that should be invalidated or something? (We don't use Consul.)
Also make sure you are configuring the key in the correct section of the dynamic_settings.yml file. The example file only includes a development section, but this is only used when running in development mode.
Found the problem. In the example file it says
"key.public_key.to_jwk(kid: Time.now.utc.iso8601).to_json"
it should be
"key.to_jwk(kid: Time.now.utc.iso8601).to_json"
Thanks for pointing me in the right direction!
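An added example, not part of the thread or of Canvas itself: a stdlib-only Ruby check that tells a public-only JWK (what `key.public_key` produces) from one that can sign. `rsa_to_jwk` is a simplified stand-in for json-jwt's `to_jwk`, and the entry names are constructed.

```ruby
require 'json'
require 'openssl'
require 'time'

# base64url without padding, the encoding used for JWK members (RFC 7518).
def b64url(bn)
  [bn.to_s(2)].pack('m0').tr('+/', '-_').delete('=')
end

# Simplified stand-in for json-jwt's to_jwk (assumption, not the gem's code):
# the private exponent "d" is emitted only if the key object holds it.
def rsa_to_jwk(key, kid:)
  jwk = { 'kty' => 'RSA', 'kid' => kid, 'n' => b64url(key.n), 'e' => b64url(key.e) }
  jwk['d'] = b64url(key.d) if key.private?
  jwk
end

# Classify one stored JWK string: usable for signing, or verification only.
def jwk_role(json)
  jwk = JSON.parse(json)
  return :invalid unless jwk.is_a?(Hash) && jwk['kty'] == 'RSA'
  return :invalid unless %w[n e kid].all? { |m| jwk[m].is_a?(String) && !jwk[m].empty? }
  jwk.key?('d') ? :signing : :verify_only
rescue JSON::ParserError
  :invalid
end

# Names of the entries that would fail with "Private key is needed".
def unusable_for_signing(entries)
  entries.reject { |_name, json| jwk_role(json) == :signing }.keys
end

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::PKey::RSA.new(2048)
  kid = Time.now.utc.iso8601
  # Constructed entries: the first mirrors the example file's snippet,
  # the second mirrors the corrected one from this thread.
  entries = {
    'from-key.public_key' => rsa_to_jwk(key.public_key, kid: kid).to_json,
    'from-key'            => rsa_to_jwk(key, kid: kid).to_json
  }
  entries.each { |name, json| puts "#{name}: #{jwk_role(json)}" }
end
```

A JWK that reports `:signing` contains the private exponent, so the settings file holding it should be readable only by the account Canvas runs as.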