Issue with JWKS #83

Open
cesdperez opened this issue May 31, 2022 · 5 comments
Labels
question Further information is requested

Comments

@cesdperez

Hi,

I have an LTI 1.3 tool that I'm connecting to different LMSes for launching a webpage and then reporting grades back.

On the LMS side, you can usually set up either a JWKS URL or a public key for the tool connection.
If I set up the public key in pem format everything works fine. If instead I set up a JWKS URL, I get 400 errors when reporting a grade back to the LMS (tested with Avendoo and https://saltire.lti.app/platform).

My code is based on the Django example; I'm using the GET /jwks URL.

A call to GET /jwks seems to return a valid response that I can even transform to pem:

{
    "keys": [
        {
            "e": "AQAB",
            "kid": "bIaXjCAdqjr8ffH57teL4mRDam4KZOqmi7XvQe0n79c",
            "kty": "RSA",
            "n": "xWHS1QVRrHMAT9vmn5hQJ2nCoZ11CQSEv6b6tlIupKbyxCBRbk6Te094RsPcPgCaTHBE2TJ_mdQCqgiW5QPJCzPA2TKgjOvS7K8p9IM74imFJe8FkRlAFRF0JObrHWDS5Jw8f43ko3UjMHclGfP59uDN6IpEd8JDnssZA3wmzombTH8zgBpruvoi7W90pSaOnOVPYDdKn-KM2qcEaHnrvu53I5O0SHlBpkmBeiO6uoE1jcuv-qY_z1rlS9Y-xUHa1zWPnW4YpjGhOzSGxzZT5sTHGHXJdNtM2AoxgB3DvgMCr9xJ8LCOLCtJYqcV3yQ1SGHjJ4-IxYGCX0is_U-JhQ",
            "alg": "RS256",
            "use": "sig"
        }
    ]
}

From the LMS side, I don't get many details on the error, just "invalid key".

Has anyone made this work or can point me to a way to get more details on the issue?
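One way to get more detail than "invalid key" is to run the platform's likely checks locally. This is an added example, not part of the original post or the project's code: it reads a token header without verifying it and reports why a verifier might reject the token against a JWKS shaped like the one above. `check_jwks`, `sample_token` and the sample key are constructed for illustration, and it assumes the tool's JWT header carries a `kid`.

```python
import base64
import json

def b64url_decode(s):
    """Decode unpadded base64url as used in JWK and JWT fields."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def check_jwks(jwks, token):
    """Return reasons a verifier could reject `token` against `jwks` ([] if none found)."""
    # Header is read without verifying the signature: diagnostics only.
    hdr = json.loads(b64url_decode(token.split(".")[0]))
    kid, alg = hdr.get("kid"), hdr.get("alg")
    matches = [k for k in jwks.get("keys", []) if k.get("kid") == kid]
    if not matches:
        return [f"no JWKS key with kid {kid!r}"]
    problems = []
    for k in matches:
        if k.get("kty") != "RSA":
            problems.append(f"kty is {k.get('kty')!r}, expected 'RSA'")
            continue
        if k.get("use", "sig") != "sig":
            problems.append(f"use is {k['use']!r}, expected 'sig'")
        if "alg" in k and k["alg"] != alg:
            problems.append(f"JWK alg {k['alg']!r} differs from token alg {alg!r}")
        if any(f in k for f in ("d", "p", "q", "dp", "dq", "qi")):
            problems.append("JWKS entry exposes private key parameters")
        try:
            n = int.from_bytes(b64url_decode(k["n"]), "big")
            e = int.from_bytes(b64url_decode(k["e"]), "big")
        except (KeyError, ValueError):
            problems.append("n or e is missing or not decodable base64url")
            continue
        if n.bit_length() < 2048:
            problems.append(f"modulus is {n.bit_length()} bits, below 2048")
        if e < 3 or e % 2 == 0:
            problems.append(f"public exponent {e} is not an odd integer >= 3")
    return problems

# Constructed sample data, not a real key: 2048-bit placeholder modulus, e = 65537.
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "kid": "tool-key-1", "alg": "RS256", "use": "sig",
                         "n": b64url_encode(b"\xc5" + b"\x01" * 255), "e": "AQAB"}]}

def sample_token(kid, alg="RS256"):
    """Constructed unsigned token; only its header matters for these checks."""
    header = b64url_encode(json.dumps({"alg": alg, "kid": kid}).encode())
    return header + ".e30.sig"
```

An empty result only means these structural checks passed; the platform may still reject the key for reasons it does not report.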

@hmoffatt
Contributor

hmoffatt commented Jun 7, 2022

Sorry this won't help much, but I've based my app on the Flask example and I've successfully reported grades to Canvas, Moodle, and Blackboard and I'm only ever using JWK URLs.

An invalid keys error from the LMS would refer to keys for the opposite direction - does the app have the LMS's key OK?

@cmurtaugh
Contributor

@hmoffatt are you able to share any details of how you configured your tool to work with Canvas? I'm running the Django sample app and it seems that all calls to LTI Advantage services are failing with a "401 user authorization required" error from Canvas.
I've added some logging and I can see that the requests to the service endpoints (/api/lti/courses/18003/names_and_roles and /api/lti/courses/<course_id>/line_items, for example) do include the Authorization header with a Bearer <token content> value. On the Canvas side, I've granted this tool access to all LTI Advantage scopes.
I feel like I'm missing a step in configuring my tool; I'm using the public.key and private.key files that came with the sample app, which seems wrong.
Any help would be appreciated!

@cesdperez
Author

> Sorry this won't help much, but I've based my app on the Flask example and I've successfully reported grades to Canvas, Moodle, and Blackboard and I'm only ever using JWK URLs.
>
> An invalid keys error from the LMS would refer to keys for the opposite direction - does the app have the LMS's key OK?

The app has the correct LMS keys set up, because if I set up the public key (instead of the JWKS URL) on the LMS, it works.
Thanks for your reply anyway.

@cmurtaugh
Contributor

I actually found that my problem was related to a known issue with Instructure-hosted test and beta instances; in order for LTI Advantage services to work in those instances you need to enable student access to test and beta.

Instead I installed my sample tool in our Instructure-hosted production instance and it works fine there.

Some details in this thread.

@hmoffatt
Contributor

hmoffatt commented Jun 8, 2022

Aha. I'm testing with a self-hosted Canvas so I didn't see this issue. (I only have access to the free hosted Canvas, and it doesn't allow for site admin access and hence LTI 1.3 can't be used.)

@dmitry-viskov dmitry-viskov added the question Further information is requested label Sep 6, 2022