Hope everyone is staying safe :) I actually have a problem in my LTI Integrations with our client's production env.
We implemented our platform in the client's dev side Canvas LMS and our dev Canvas instance. All those settings worked perfectly.
After installing the developer key on the production side, our platform says 401 ERROR.
I checked the logs and found that there was a 400 error while it was trying to get the access token.
{ error: 'invalid_request',
error_description: 'JWS signature invalid.' } }
So I double-checked my PEM files, JWK, JWK URLs and all of them are in the right form like our dev env.
Additionally, I checked JWT Signatures and they were also verified.
{ grant_type: 'client_credentials',
client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
client_assertion:'JWT Tokens',
scope:
'https://purl.imsglobal.org/spec/lti-ags/scope/lineitem https://purl.imsglobal.org/spec/lti-nrps/scope/contextmembership.readonly' }
The payload of the JWT Token
{
"iat": 1631687585,
"exp": 1631860385,
"aud": "https://[canvas_url]/login/oauth2/token",
"iss": "https://[canvas_url]",
"sub": "developer_key",
"jti": "jwt id -> random"
}
This is the data that we send to https://[canvas url]/login/oauth2/token
Please help me to resolve this issue. Thank you so much.
I'm not sure if I had the same problem, but in development I was pasting the JWK into the Developer Key; however, when we went to production we used a JWK URL, and we found that we were always getting an invalid signature back from Canvas when using the JWK URL, but when pasting a single key in everything worked.
It turned out that when using a JWK URL you MUST specify the key ID (kid) in the JWT header so that Canvas knows which key to use from the JWK file. Even if there is only one key in the file you still need the kid. You didn't post the JWT header in your original question but it might be worth checking to see if you didn't include it.
In the specs the kid is optional which is why I didn't originally include it when creating my JWT: https://www.rfc-editor.org/rfc/rfc7515#section-4.1.4
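
The kid behaviour described in the answer above, as an added example that is not part of the original thread and is not Canvas's code: a Node.js sketch that signs an RS256 client assertion with and without kid, then checks it against a JWK set using a verifier that selects the key strictly by kid. The key pair, the key ID tool-key-1, the client ID and the canvas.example URL are constructed, and the verifier's refusal of a missing kid is an assumption modelled on what the answer reports.

```javascript
// Added example: all names, key IDs and URLs below are constructed for illustration.
const nodeCrypto = require('node:crypto');

const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');

// Build an RS256 client assertion; `kid` goes into the JWS header only when given.
function signAssertion(privateKey, claims, kid) {
  const header = kid ? { alg: 'RS256', typ: 'JWT', kid } : { alg: 'RS256', typ: 'JWT' };
  const signingInput = `${b64url(header)}.${b64url(claims)}`;
  const sig = nodeCrypto.sign('sha256', Buffer.from(signingInput), privateKey);
  return `${signingInput}.${sig.toString('base64url')}`;
}

// Hypothetical verifier that resolves the key from a JWK set strictly by `kid`
// (assumed behaviour, taken from the answer; not Canvas's implementation).
function verifyWithJwks(jwt, jwks) {
  const [h, p, s] = jwt.split('.');
  const header = JSON.parse(Buffer.from(h, 'base64url').toString());
  if (header.alg !== 'RS256') return { ok: false, reason: 'unsupported alg' };
  if (!header.kid) return { ok: false, reason: 'no kid in header' };
  const jwk = jwks.keys.find((k) => k.kid === header.kid);
  if (!jwk) return { ok: false, reason: 'kid not in JWK set' };
  const key = nodeCrypto.createPublicKey({ key: { kty: jwk.kty, n: jwk.n, e: jwk.e }, format: 'jwk' });
  const ok = nodeCrypto.verify('sha256', Buffer.from(`${h}.${p}`), key, Buffer.from(s, 'base64url'));
  return ok ? { ok: true, reason: null } : { ok: false, reason: 'signature mismatch' };
}

// Constructed key pair and a single-key JWK set, as a tool would publish at its JWK URL.
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const jwks = { keys: [{ ...publicKey.export({ format: 'jwk' }), kid: 'tool-key-1', alg: 'RS256', use: 'sig' }] };

// Constructed claims; only the header differs between the three cases below.
const now = Math.floor(Date.now() / 1000);
const claims = {
  iss: 'example-client-id', sub: 'example-client-id',
  aud: 'https://canvas.example/login/oauth2/token',
  iat: now, exp: now + 300, jti: nodeCrypto.randomUUID(),
};

console.log('no kid:   ', verifyWithJwks(signAssertion(privateKey, claims), jwks));
console.log('right kid:', verifyWithJwks(signAssertion(privateKey, claims, 'tool-key-1'), jwks));
console.log('stale kid:', verifyWithJwks(signAssertion(privateKey, claims, 'old-key'), jwks));
```

Decoding the first segment of a failing client_assertion and comparing its kid with the kid values served at the JWK URL is the quickest check when the signature itself verifies locally.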