Resource Link Launch and Decoding JWT without Platform Public Key

I'm working on a tool using the IMS reference implementation for the platform. When launching an LtiResourceLinkRequest created from deep linking, I see that only the id_token is included in the request. Without knowing at least the issuer, it's impossible to retrieve the platform's public key to verify the id_token. Of course I could decode this JWT and get the issuer, client_id, and deployment ID, and then use that information to verify the id_token. Is that an acceptable approach or am I doing something incorrect?

Re: Resource Link Launch and Decoding JWT without Platform Publi

That is exactly what the ceLTIc Project's open source LTI class library for PHP does (see https://github.com/celtic-project/LTI-PHP/). It extracts the platform ID, client ID and deployment ID from the JWT received. Of course, you could also use the state parameter to help identify the sender as this value is set by the tool.

HTH.
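
The lookup discussed in this thread, as an added Python example (not code from LTI-PHP or the IMS reference implementation): the issuer, client ID and deployment ID are read from the not-yet-verified JWT and used only as a key into the tool's own registration table, so the signing key always comes from local configuration and never from the token. The registration data, the `platform.example` URLs, the RS256-only policy and all function names are assumptions; the signature must still be verified with the key set of the returned registration before any claim is trusted.

```python
import base64
import json

DEPLOYMENT_CLAIM = "https://purl.imsglobal.org/spec/lti/claim/deployment_id"
ALLOWED_ALGS = {"RS256"}  # assumption: the tool accepts only RS256-signed launches

# Constructed registration data; a real tool loads this from its own configuration.
REGISTRATIONS = {
    ("https://platform.example", "tool-client-1"): {
        "jwks_url": "https://platform.example/jwks",
        "deployments": {"dep-1"},
    },
}

def _decode_segment(segment):
    """Base64url-decode one JWT segment and require a JSON object."""
    padded = segment + "=" * (-len(segment) % 4)
    value = json.loads(base64.urlsafe_b64decode(padded))
    if not isinstance(value, dict):
        raise ValueError("JWT segment is not a JSON object")
    return value

def select_registration(id_token, registrations=REGISTRATIONS):
    """Use the UNVERIFIED claims only as a lookup key into local configuration."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header, claims = _decode_segment(parts[0]), _decode_segment(parts[1])
    alg = header.get("alg")
    if not isinstance(alg, str) or alg not in ALLOWED_ALGS:
        raise ValueError("unexpected signing algorithm")
    iss, aud, dep = claims.get("iss"), claims.get("aud"), claims.get(DEPLOYMENT_CLAIM)
    if not isinstance(iss, str) or not isinstance(dep, str):
        raise LookupError("missing iss or deployment_id")
    audiences = aud if isinstance(aud, list) else [aud]  # aud may be a string or a list
    for client_id in audiences:
        reg = registrations.get((iss, client_id)) if isinstance(client_id, str) else None
        if reg and dep in reg["deployments"]:
            return reg  # next step: verify the signature with keys from reg["jwks_url"]
    raise LookupError("no registration matches iss/aud/deployment_id")

def build_sample_token(header, claims):
    """Build a constructed sample token with a dummy signature, for the demo only."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(claims)}.c2ln"
```
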

Thanks Svickers,

In this case the state isn't set since the platform doesn't make the OIDC login-initiations call first.