Signing or Encoding JWT with Public JWKS URL

Signing or Encoding JWT with Public JWKS URL


I'm not sure if this falls outside of the scope of discussion of this forum, but I figured someone here might have dealt with a similar issue.

I'm working on a Canvas LTI 1.3 integration, including Deep Linking 2.0. I'm using Google as my OpenId Connect Provider, with their public JWKS here:

When sending the Deep Link payload from the tool back to the platform, I need to sign or encode it, but I'm not sure how to go about that with the public JWKS.

So far I've been working with the LTI Reference Implementation ( to follow as an example of what needs to be done, but when trying to recreate the setup with a JWKS similar to what I have with Canvas, I get a "Neither PUB key nor PRIV key:: nested asn1 error". I've searched around for causes for this error but I'm not sure any applies to what I'm trying to do, so I'm a bit lost at the moment.

The Reference Implementation, when using a JWKS, still requires that a public and/or private key is shared between the Tool and Provider, but I don't see any option like that in Canvas (just JWKS) so not sure how the Reference Implementation translates to Canvas.

Any ideas?