jrpburgos
Surveyor

JWKS Format

I wanted to know what format the output from a Public JWKS URL (from a tool provider) used in LTI 1.3 should be in.

This is what we are sending out in our public url

{
  "keys": [
    {
      "kid": "PKOegFlbTOO7tlr2UQpcO7R3xEFysVPkoA6WjF-l5To",
      "kty": "RSA",
      "e": "AQAB",
      "n": "1Yh9NPQdVKgDwEN8jtlXq-1RhfqhKZ9qQAQTPrmrEJRJvzoHqPPi8W5Jh8-_fGX6rEzmttWdcTGU-dJCEUlXvnC2YXypf4HyQ9o2iEWBfYNWeBum6ti0Vuttetpszc9uwcE4z9wJXz7ejMqunn_PvJLmp7m9Ccap9gHNgB1Kr0wMIzYIApsMdmvcKSwdMoxWGTWgMDlHtbO8ea3FPW4W0kZPyv-WvngoxD5YIvfxo5_3vAVRRLSY--gUQ0WJ6yg8aKcdwF-mqVJgVAPvP6_xubpmf0dGCwzv0nhOF6OjpDQKRYRbzg_uU7ZWnRwBg6SslzdNBTZlnn_qCDYzI4_xBQ",
      "alg": "RS256",
      "use": "sig"
    }
  ]
}

But this gets a "JWK invalid key" error message when I request a token for AGS. I checked (and re-checked) the format and the values against JWT.IO, generated a JWKS from mkjwk.org and used that. And it just gets an error.

The only way I could get a token was to take the single key out of the keyset and paste it into the Public JWK field in the developer key, which led me to believe that Canvas is looking for a particular format of the JWKS. Can someone please show me what that format is supposed to be?

And also there is a bug in creating the Developer Key for an LTI app. Once you enter a value for the Public JWK URL, it can't be replaced with a Public JWK value. You have to delete the Dev Key and start over.

5 Replies
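Added example, not part of the original post and not Canvas code: a small stand-alone Python checker for the things a platform actually looks at in a JWKS before it will accept a signed client_assertion. It verifies the RFC 7517 shape (a top-level object with a "keys" array, which a single pasted JWK is not), that each RSA key has kid/kty/n/e, that n and e are unpadded base64url, that no private members (d, p, q, ...) leaked into the public document, that the modulus is at least 2048 bits, and it computes the RFC 7638 SHA-256 thumbprint, which is what tools such as mkjwk.org typically use as the kid. The sample key set is constructed inline so the example runs offline; its modulus is a made-up 2048-bit odd integer, not a real RSA key, and the use of the thumbprint as kid is an assumption about the generator, not a requirement of LTI 1.3.

```python
"""Structural checks for an LTI 1.3 tool's public JWKS (added example)."""
import base64
import hashlib
import json

REQUIRED_RSA_MEMBERS = ("kty", "kid", "n", "e")
PRIVATE_RSA_MEMBERS = ("d", "p", "q", "dp", "dq", "qi")


def b64url_decode(s: str) -> bytes:
    """Decode base64url *without* padding (RFC 7515 section 2); reject '+', '/' and '='."""
    if any(c in s for c in "+/="):
        raise ValueError("value is not unpadded base64url")
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def int_to_b64url(i: int) -> str:
    """Big-endian, minimal-length encoding of an unsigned integer (RFC 7518 section 6.3)."""
    return b64url_encode(i.to_bytes((i.bit_length() + 7) // 8, "big"))


def rsa_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of e, kty, n only."""
    canonical = json.dumps({"e": jwk["e"], "kty": jwk["kty"], "n": jwk["n"]},
                           separators=(",", ":"), sort_keys=True)
    return b64url_encode(hashlib.sha256(canonical.encode("utf-8")).digest())


def check_rsa_jwk(jwk: dict, min_bits: int = 2048) -> list[str]:
    """Return a list of problems with one RSA signing JWK; empty means it looks fine."""
    problems = [f"missing member {m!r}" for m in REQUIRED_RSA_MEMBERS if m not in jwk]
    if problems:
        return problems
    if jwk["kty"] != "RSA":
        return [f"kty is {jwk['kty']!r}, expected 'RSA'"]
    if jwk.get("alg", "RS256") != "RS256":  # LTI 1.3 mandates RS256 for JWTs
        problems.append(f"alg is {jwk['alg']!r}, LTI 1.3 uses RS256")
    if jwk.get("use", "sig") != "sig":
        problems.append(f"use is {jwk['use']!r}, expected 'sig'")
    for m in PRIVATE_RSA_MEMBERS:
        if m in jwk:
            problems.append(f"private member {m!r} published in a public JWKS")
    try:
        n = int.from_bytes(b64url_decode(jwk["n"]), "big")
        e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    except ValueError as exc:
        problems.append(f"n/e not decodable: {exc}")
        return problems
    if n.bit_length() < min_bits:
        problems.append(f"modulus is {n.bit_length()} bits, expected >= {min_bits}")
    if e < 3 or e % 2 == 0:
        problems.append(f"public exponent {e} is not an odd integer >= 3")
    return problems


def check_jwks(document: str) -> dict[str, list[str]]:
    """Parse the body served at the JWKS URL; map each kid (or index) to its problems."""
    try:
        doc = json.loads(document)
    except json.JSONDecodeError as exc:
        return {"<document>": [f"not JSON: {exc}"]}
    if not isinstance(doc, dict) or not isinstance(doc.get("keys"), list):
        return {"<document>": ["top level must be an object with a 'keys' array; "
                               "a bare JWK is not a JWKS"]}
    report = {}
    for i, jwk in enumerate(doc["keys"]):
        if not isinstance(jwk, dict):
            report[f"#{i}"] = ["entry is not a JSON object"]
            continue
        report[jwk.get("kid", f"#{i}")] = check_rsa_jwk(jwk)
    return report


def select_jwk(document: str, kid: str) -> dict:
    """Pull a single key out of a JWKS, the manual 'paste one key' workaround in the thread."""
    for jwk in json.loads(document)["keys"]:
        if jwk.get("kid") == kid:
            return jwk
    raise KeyError(kid)


# Constructed sample key set. N_SAMPLE is an arbitrary odd 2048-bit integer, NOT a
# real RSA modulus; it only exercises the format checks. e = 65537 encodes as "AQAB".
N_SAMPLE = (1 << 2047) + 1
SAMPLE_JWK = {"kty": "RSA", "e": int_to_b64url(65537), "n": int_to_b64url(N_SAMPLE),
              "alg": "RS256", "use": "sig"}
SAMPLE_JWK["kid"] = rsa_thumbprint(SAMPLE_JWK)  # assumption: generator used the thumbprint as kid
SAMPLE_KID = SAMPLE_JWK["kid"]
SAMPLE_JWKS = json.dumps({"keys": [SAMPLE_JWK]}, indent=2)

if __name__ == "__main__":
    print(json.dumps(check_jwks(SAMPLE_JWKS), indent=2))
    print(json.dumps(check_jwks(json.dumps(SAMPLE_JWK)), indent=2))  # bare JWK, not a JWKS
```

To use it on your own endpoint, pass the exact bytes your server returns (curl the URL and feed the body to check_jwks) rather than the file you think you are serving; a stray "=" padding character, a wrapped single JWK, or a leaked "d" member all produce the kind of generic "invalid key" response the original post describes, and a platform will not tell you which.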
jrpburgos
Surveyor

Does anyone have an example of a JWKS URL that works with Canvas (when requesting an Auth Token)? I just want to compare with what we have and see if there is something missing or extra that is causing the "JWS signature invalid" error to be issued.

chuck_wight
Community Member

Thanks for this question and workaround. I ran into the same issue. Did Canvas ever resolve the problem to accept a public_jwk_url?

kling1
Surveyor

But this gets a "JWK invalid key" error message when I request a token for AGS. I checked (and re-checked) the format and the values against JWT.IO, generated a JWKS from mkjwk.org and used that. And it just gets an error.

Having the exact same issue where using the "Public JWK URL" field leads to an error. I can copy one of the keys in the list directly into the "Public JWK" field, and then launching and everything else works, but I can't use the "Public JWK URL" field.

I was expecting the JWT Public URL from the IMS reference implementation to work (e.g. https://lti-ri.imsglobal.org/lti/tools/573/.well-known/jwks.json), but that also leads to an error; it's fine if I copy and paste one of the keys.

And also there is a bug in creating the Developer Key for an LTI app. Once you enter a value for the Public JWK URL, it can't be replaced with a Public JWK value. You have to delete the Dev Key and start over.


This is buggy for me too. I realized that I just have to make sure I clear the URL field, then I can change the dropdown to "Public JWK", fill in the JWK, and save. Not super elegant, but it works. 

kling1
Surveyor

I realized why my public JWK URL wasn't working for me. It was because I was running it locally. Although the launch, oidc/login and OAuth token URLs can be on localhost, it seems that the public JWK URL has to be accessible outside of your local environment. I don't know the specifics behind this at all, but this is what I found with a bit of trial and error.
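Added example, not part of kling1's post and not Canvas code: the difference the post observes is that the launch and login URLs are visited by the user's browser, while the JWKS URL is fetched server-to-server by the platform, so a loopback or private address that works for the browser is unreachable for Canvas. The stand-alone Python below performs that sanity check on a configured JWKS URL before you register it, and wraps the fetch with a timeout and a body-size cap, which is how I would have a tool fetch any remote key material. The hostname rules (https only; reject localhost, .localhost, .local, loopback, link-local and RFC 1918 addresses) are my own reasonable defaults, not something the LTI specification or Canvas publishes.

```python
"""Is this JWKS URL fetchable from a remote platform, not just from my browser? (added example)"""
import ipaddress
import urllib.request
from urllib.parse import urlsplit

LOCAL_SUFFIXES = (".localhost", ".local")


def jwks_url_problems(url: str) -> list[str]:
    """Return reasons a platform's server-side fetch of this URL would fail or be unsafe."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append(f"scheme is {parts.scheme!r}; the platform fetches the key set over https")
    host = parts.hostname or ""
    if not host:
        problems.append("URL has no host")
        return problems
    if host == "localhost" or host.endswith(LOCAL_SUFFIXES):
        problems.append(f"{host!r} only resolves on your own machine or LAN, not on the platform")
    try:
        ip = ipaddress.ip_address(host)  # literal IPv4/IPv6 (urlsplit strips the brackets)
    except ValueError:
        ip = None
    if ip is not None and (ip.is_loopback or ip.is_private or ip.is_link_local):
        problems.append(f"{ip} is not routable from the platform's network")
    return problems


def fetch_jwks(url: str, timeout: float = 5.0, max_bytes: int = 64 * 1024) -> str:
    """Fetch the JWKS body the way a cautious platform would: checked URL, timeout, size cap.

    Not exercised offline; call it against your real, publicly hosted endpoint.
    """
    problems = jwks_url_problems(url)
    if problems:
        raise ValueError("; ".join(problems))
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        body = resp.read(max_bytes + 1)
    if len(body) > max_bytes:
        raise ValueError(f"JWKS body exceeds {max_bytes} bytes; refusing to parse it")
    return body.decode("utf-8")


if __name__ == "__main__":
    # Constructed examples: a local dev server and the IMS reference tool mentioned in the thread.
    for candidate in ("https://localhost:3000/.well-known/jwks.json",
                      "http://192.168.1.20:3000/.well-known/jwks.json",
                      "https://lti-ri.imsglobal.org/lti/tools/573/.well-known/jwks.json"):
        print(candidate, "->", jwks_url_problems(candidate) or "ok")
```

A tunnel such as ngrok or a real deployment fixes the first two cases; nothing about the JSON needs to change.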

theotherdy
Learner II

Thank you! Just wanted to add a link here to this useful post about the requirement for a JWKS format for the public key (as opposed to PEM format), as this could also cause problems with a pasted JWK.