[Admin Tools] Support OpenID configuration URL

Problem statement:

When developing LTI 1.3 tools a common thing is to need to validate the JWT that is returned at the end of the LTI launch. Existing libraries often assume that the server generating the JWT supports the full OpenID specification and will attempt to load the URL 'https://canvas.instructure.com/.well-known/openid-configuration' by concatenating the issuer with the string '/.well-known/openid-configuration'. This returns a 404 on Canvas.

Proposed solution:

To make configuration easier and more libraries able to be easily used with Canvas, it would be helpful if Canvas supported some of the OpenID Connect Discovery specification (https://openid.net/specs/openid-connect-discovery-1_0.html). If nothing else, it would be helpful if the OpenID configuration returned the location of the JWKs file to validate tokens against. So if it just contained:

{
    "issuer": "https://canvas.instructure.com/",
    "authorization_endpoint": "https://canvas.instructure.com/api/lti/authorize_redirect",
    "jwks_uri": "https://canvas.instructure.com/api/lti/security/jwks"
}

As a second thing having the LTI JWKs URL also be available at: https://canvas.instructure.com/.well-known/jwks.json would align with what libraries commonly expect.

User role(s):

admin
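
The lookup described in the problem statement, as an added example that is not part of the original post or of Canvas or any LTI library: a tool-side resolver that tries discovery, checks the returned issuer, and falls back to a pinned JWKS URL on a 404. The function names and the injected `fetch(url) -> (status, body)` callable are assumptions, and the response bodies are constructed from the values in the post.

```python
import json
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
JWKS = "https://canvas.instructure.com/api/lti/security/jwks"
# Constructed response body: the minimal document the post proposes.
PROPOSED = json.dumps({"issuer": "https://canvas.instructure.com/", "jwks_uri": JWKS})

class DiscoveryError(Exception):
    """Raised when the JWKS location cannot be established safely."""

def discovery_url(issuer):
    # Drop a terminating "/" so the join never yields "//.well-known/...".
    return issuer.rstrip("/") + WELL_KNOWN

def require_https(url):
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        raise DiscoveryError(f"refusing non-HTTPS jwks_uri: {url!r}")
    return url

def resolve_jwks_uri(issuer, fetch, static_jwks_uri=None):
    """Return the JWKS URL to verify tokens from `issuer` against."""
    status, body = fetch(discovery_url(issuer))
    if status == 404:
        # The case the post describes: no discovery document is served.
        if static_jwks_uri is None:
            raise DiscoveryError("no discovery document and no static jwks_uri")
        return require_https(static_jwks_uri)
    if status != 200:
        raise DiscoveryError(f"unexpected discovery status {status}")
    try:
        doc = json.loads(body)
    except ValueError as exc:
        raise DiscoveryError("discovery document is not valid JSON") from exc
    # OIDC Discovery requires the returned issuer to equal the one queried;
    # otherwise keys published by another party could be trusted for it.
    if not isinstance(doc, dict) or doc.get("issuer") != issuer:
        raise DiscoveryError("issuer in discovery document does not match")
    jwks_uri = doc.get("jwks_uri")
    if not isinstance(jwks_uri, str):
        raise DiscoveryError("discovery document has no jwks_uri")
    return require_https(jwks_uri)

def fetch_404(url):  # constructed stand-in for the current 404 response
    return 404, ""

def fetch_proposed(url):  # constructed stand-in for the proposed document
    return 200, PROPOSED
```

In a real tool, `fetch` would be an HTTPS client call with certificate verification and a timeout, and the resolved URL would be cached rather than looked up on every launch.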

1 Comment
AlexisNast
Instructure
Status changed to: Added to Theme

This has been added to a theme for further consideration.