Receiving "unknown client" when requesting token (401 unauthorized)

pcarver-wozu
Community Member

I'm implementing an LTI tool.  It is working on two non-Canvas LTI platforms, but we are struggling for success with Canvas.

When we request a token in the test Instructure environment, we receive back an "unknown client" error.  The client value we are using is formatted as 30190000000000xxx (hiding the last three digits).

A few details about prepping the token request:

  1. Set the "Iss" claim to the client id
  2. Set the "sub" claim to the Canvas developer key (secret)
  3. Set the "aud" claim to .../login/oauth2/token
  4. Set other claims Iat, Nbf, Exp, Jti
  5. Create a JWT with the above content signed with our private key
  6. Submit the token request
    1. client id is 30190000000000xxx
    2. grant_type is client_credentials
    3. a few standard LTI claims

This is all submitted via the Canvas UI.  I am logged in as an Admin, but "acting as a user" who is an instructor for the course that has a Module link to the tool.

The request is accepted by Canvas, but we get the "unknown client", 401 unauthorized, response.

Any ideas what might be causing this to fail?

The POST params look like below.  Remember we pass #1 to #4 above as the long SignedWithPrivateKey content shown below.

scope=https://purl.imsglobal.org/spec/lti-ags/scope/lineitem+https://purl.imsglobal.org/spec/lti-ags/scope/result.readonly+https://purl.imsglobal.org/spec/lti-nrps/scope/contextmembership.readonly&grant_type=client_credentials&client_id=30190000000000xxx&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&client_assertion=ey...SignedWithPrivatKey 

0 Likes
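A pre-flight check for the kind of token request shown in the post above, as an added example (not code from the original post or from Canvas): it decodes the `client_assertion` without verifying its signature and applies the RFC 7523 section 3 rules for client authentication, namely that `iss`, `sub`, `aud` and `exp` are present, `sub` equals the `client_id`, and `aud` names the token endpoint. The function names, the host, the client id and the sample request are constructed for illustration.

```python
import base64
import json
import time
from urllib.parse import parse_qs, urlencode

JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _claims(jwt):
    """Decode the payload segment only; the signature is NOT verified here."""
    _header, payload, _sig = jwt.split(".")
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims

def check_token_request(body, token_url, now=None):
    """Return the RFC 7523 section 3 problems found in a form-encoded token request."""
    now = time.time() if now is None else now
    form = {k: v[0] for k, v in parse_qs(body).items()}
    problems = []
    if form.get("grant_type") != "client_credentials":
        problems.append("grant_type is not client_credentials")
    if form.get("client_assertion_type") != JWT_BEARER:
        problems.append("client_assertion_type is not the jwt-bearer URN")
    try:
        claims = _claims(form["client_assertion"])
    except (KeyError, ValueError):
        return problems + ["client_assertion is missing or not a decodable JWT"]
    for name in ("iss", "sub", "aud", "exp"):  # claim names are case-sensitive
        if name not in claims:
            problems.append(f"required claim '{name}' is missing")
    if "client_id" in form and claims.get("sub") != form["client_id"]:
        problems.append("sub does not equal client_id")
    aud = claims.get("aud")
    if token_url not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not name the token endpoint")
    if isinstance(claims.get("exp"), (int, float)) and claims["exp"] <= now:
        problems.append("assertion has expired")
    return problems

def sample_request(sub, client_id, aud, exp):
    """Constructed request for the demo; the signature segment is a dummy."""
    payload = json.dumps({"iss": client_id, "sub": sub, "aud": aud, "exp": exp, "jti": "demo-1"})
    jwt = ".".join([_b64url(b'{"alg":"RS256"}'), _b64url(payload.encode()), "sig"])
    return urlencode({"grant_type": "client_credentials", "client_id": client_id,
                      "client_assertion_type": JWT_BEARER, "client_assertion": jwt})
```

Calling `check_token_request(sample_request("PLACEHOLDER", "1000", url, exp), url)` with an unexpired `exp` returns `["sub does not equal client_id"]`. The JWT payload is only base64url-encoded, so any value placed in a claim is readable by whoever sees the request.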