OAuth2 Access token endpoint returning "JWS signature invalid"
---Problem---
The OAuth endpoint POST token service is throwing a 400 response with the error mentioned below. I have used the correct endpoint with parameters and used the POST method to call the URL https://<mydomain>/login/oauth2/token. My JWT data is valid as per the jwt.io debugger when the public key is used to validate the signature.
{"error":"invalid_request","error_description":"JWS signature invalid."}
--- Details ---
I am working on LTI 1.3 integration + Assignment grade services.
1. I have successfully installed the Canvas instance by following this link: https://github.com/instructure/canvas-lms/wiki/Production-Start
2. My LTI 1.3 application launch is working fine.
3. But while using the Assignment Grade Services to post a score, I am not getting an access token; instead I am getting "JWS signature invalid" with a 400 header status.
4. I have followed this link to make a POST request to get the access token: https://canvas.instructure.com/doc/api/file.oauth_endpoints.html#post-login-oauth2-token
Here is the information contained in the body of the post request:
{
"grant_type": "client_credentials",
"client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
"client_assertion": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjNPaVdic1RwQzRlZEZvSkdqbGlGemdGUVFmZ0JIblBrTGJ1RWpYS2tiaG1VbllqRHNjYWdsaEllRU1RZUpWQnYifQ.eyJpc3MiOiJodHRwczovL3N0YWdpbmcubXlkb21haW4uY29tIiwic3ViIjoiMTAwMDAwMDAwMDAwMDEiLCJhdWQiOiJodHRwczovL2NhbnZhcy5teWRvbWFpbi5jb20vbG9naW4vb2F1dGgyL3Rva2VuIiwiaWF0IjoxNjIwNzk2OTQ4LCJleHAiOjE2MjA3OTcwMTMsImp0aSI6Imx0aS1zZXJ2aWNlLXRva2VuYmRmMzlkNTFmMDYxNmZhMWMzMGJkYTJmYTQ2YWU3NmFmZjI3YjFlMTU2YWZiNmVmYjU2MTBlMDU3ZWUwMWM3ZiJ9.bSELJ3HQSQJQpeh75x_OOfBAZIWrMprYD9bK7S6nA1NUi483Yxgk2MDT6ZYRP9-eI03HoQdr9aP2Wv121qm9SuMO0KLUZgQ01rO3GmfyZhOS9yat0AVJvOxiEyRNSJD9W4M4ZcHBPw8UJ_KnywGCKRKRiBBih2JLoquwmP9NomHNvKlW--9pUM3amGH1z9P940kJIqdcVulSTDw2VUBnsjd1J6ngkG4DKgi1BwDaldhhU0yPzkiAO-UJRJHoqrxkYnYfJ5Q_Y6SnvgsHKAMiRNnhHKcqQetWh_4mTYl0Qmh3h6B6EafjVdxIdcMiIyCJGz3cUn8_XigCu1qPXBvEwA",
"scope": "https://purl.imsglobal.org/spec/lti-ags/scope/lineitem https://purl.imsglobal.org/spec/lti-ags/scope/lineitem.readonly https://purl.imsglobal.org/spec/lti-ags/scope/result.readonly https://purl.imsglobal.org/spec/lti-ags/scope/score"
}
Decoded JWT:
Header:
{
"typ": "JWT",
"alg": "RS256",
"kid": "3OiWbsTpC4edFoJGjliFzgFQQfgBHnPkLbuEjXKkbhmUnYjDscaglhIeEMQeJVBv"
}
Payload:
{
"iss": "https://staging.mydomain.com",
"sub": "10000000000001",
"aud": "https://canvas.mydomain.com/login/oauth2/token",
"iat": 1620796948,
"exp": 1620797013,
"jti": "lti-service-tokenbdf39d51f0616fa1c30bda2fa46ae76aff27b1e156afb6efb5610e057ee01c7f"
}
I can verify the JWT data placed inside the "client_assertion" field using my public key, and as per the JWT.io debugger my signature is valid.
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6ljLtgYaAP3ByNWEt5WD
aL8BpOc+BvVljjigdLipFI5Mk1Ey9XdM7ywIL5r5zDMRLokGh3p/TinjufVd48D7
It0gtOQ8gLTQ+5Qsi+wcm2mSKRj/nz20S1bdbsozbg5JrIN2goo/o9DXgoe9+FL0
PenWrDjOYQP8cLc5b0LcYDP6t81NdmJBG63toOXUXhOTip3u7GjnK+Zi+9TSZm2T
v+U27aRY4ihJ0vqx7k2HvEIOPxZuVHLn8LGMUwErSPNvm7t/t0WkYtnPR+/yN/bA
4DRNR0dWPlns3KLyDAVpN+bZYCZDbHFI0zj6Lh+YhNSRA7KrY9C5zoPvd3QP5jq7
JQIDAQAB
-----END PUBLIC KEY-----
5. Inside the Canvas platform, the LTI 1.3 tool configuration contains the Public JWK data below, and I have enabled all permissions under LTI Advantage Services.
{
"kty": "RSA",
"alg": "RS256",
"use": "sig",
"e": "AQAB",
"n": "6ljLtgYaAP3ByNWEt5WDaL8BpOc-BvVljjigdLipFI5Mk1Ey9XdM7ywIL5r5zDMRLokGh3p_TinjufVd48D7It0gtOQ8gLTQ-5Qsi-wcm2mSKRj_nz20S1bdbsozbg5JrIN2goo_o9DXgoe9-FL0PenWrDjOYQP8cLc5b0LcYDP6t81NdmJBG63toOXUXhOTip3u7GjnK-Zi-9TSZm2Tv-U27aRY4ihJ0vqx7k2HvEIOPxZuVHLn8LGMUwErSPNvm7t_t0WkYtnPR-_yN_bA4DRNR0dWPlns3KLyDAVpN-bZYCZDbHFI0zj6Lh-YhNSRA7KrY9C5zoPvd3QP5jq7JQ",
"kid": "3OiWbsTpC4edFoJGjliFzgFQQfgBHnPkLbuEjXKkbhmUnYjDscaglhIeEMQeJVBv"
}
I have read this discussion too: https://community.canvaslms.com/t5/Developers-Group/JWS-signature-invalid/td-p/400323/page/2 but as per the suggested solution my public key is correct, and I have used the same kid while configuring the tool inside the platform.
I am totally stuck and have no idea how to fix this. Please help me.
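An added example, not part of the original post and not Canvas code: an offline check that verifies an RS256 client assertion against the JWK as registered with the platform (rather than a separately pasted PEM) and compares kid, aud and the iat/exp window. The function names and the choice of checks are assumptions, not the platform's actual validation logic.

```python
import base64, hashlib, json

# Assumption: generic JWT-bearer checks for illustration, not Canvas's own code.
# ASN.1 DigestInfo prefix for SHA-256 (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url_decode(text):
    """Decode unpadded base64url (JWS segments, JWK members)."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def rs256_verify(signing_input, signature, jwk):
    """RSASSA-PKCS1-v1_5 with SHA-256, using only the JWK's n and e."""
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    k = (n.bit_length() + 7) // 8  # modulus length in bytes
    s = int.from_bytes(signature, "big")
    if len(signature) != k or s >= n:
        return False
    digest = hashlib.sha256(signing_input).digest()
    pad = k - 3 - len(SHA256_PREFIX) - len(digest)
    if pad < 8:
        return False
    expected = b"\x00\x01" + b"\xff" * pad + b"\x00" + SHA256_PREFIX + digest
    return pow(s, e, n).to_bytes(k, "big") == expected

def check_assertion(token, jwk, expected_aud, now):
    """Return the list of problems found; empty means every check passed."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
        claims = json.loads(b64url_decode(p64))
        signature = b64url_decode(s64)
    except ValueError:
        return ["token is not three base64url segments with JSON header and payload"]
    problems = []
    if header.get("alg") != "RS256":
        problems.append("alg is not RS256")
    if header.get("kid") != jwk.get("kid"):
        problems.append("kid differs from the registered JWK")
    if not rs256_verify(f"{h64}.{p64}".encode(), signature, jwk):
        problems.append("signature does not verify with the registered JWK")
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud differs from the expected token endpoint")
    if not claims.get("iat", 0) <= now < claims.get("exp", 0):
        problems.append("now is outside the iat..exp window")
    return problems
```

Feed it the client_assertion string and the JWK exactly as stored in the tool configuration, so the signature is checked with the same key material the platform holds.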