Resource Link Launch and Decoding JWT without Platform Public Key

Forum:

Learning Tools Interoperability Public Forum

Resource Link Launch and Decoding JWT without Platform Public Key

Submitted by IMS_USER_LTI on Thu, 13-Aug-2020 18:21.

I'm working on a tool using the 1EdTech reference implementation for the platform. When launching a LtiResourceLinkRequest created from deep linking, I see that only the id_token in included in the request. Without knowing at least the issuer, it's impossible to retreive the platform's public key to verify the the id_token. Of course I could decode this JWT and get the issuer, client_id, and deployment ID, and then use that information to verify the id_token. Is that an acceptable approach or am I doing something incorrect?

Re: Resource Link Launch and Decoding JWT without Platform Publi

That is exactly what the ceLTIc Project's open source LTI class library for PHP does (see https://github.com/celtic-project/LTI-PHP/). It extracts the platform ID, client ID and deployment ID from the JWT received. Of course, you could also use the state parameter to help identify the sender as this value is set by the tool.

HTH.

Submitted by svickers on Fri, 2020-08-14 05:18

Thanks Svickers,

In this case the state isn't set since the platform doesn't make the OIDC login-initiations call first.

Submitted by IMS_USER_LTI on Mon, 2020-08-17 12:29

This page contains trademarks of the 1EdTech Consortium, including the 1EdTech logos, TrustEd Apps™, Learning Tools Interoperability (LTI)^®, LTI™,OneRoster^®, Caliper Analytics^®, Common Cartridge^®, Competencies and Academic Standards Exchange^® (CASE^®), Question and Test Interoperability^® (QTI^®), Accessible Portable Item Protocol^® (APIP^®), AccessForAll^®, BadgeConnect^®, and SensorAPI™.

For information on the 1EdTech trademark usage policy, see our trademark policy page.