I've mentioned this in some other threads, but wanted to start a thread specific to this issue to see if anyone else has encountered something similar.
If I use the JWKS URL for my Tsugi instance when setting up the developer key in Canvas, I'm unable to use the names and roles provisioning service that is part of LTI 1.3. It only works if I copy and paste in the most recent key. Today, Tsugi must have rotated keys, and our integration failed because of the key.
I'm all ears on how to further troubleshoot this. From what I can tell, Canvas is sending the kid in the JWT for the launch, but I haven't been able to peel back the layers in Tsugi enough to see if Tsugi is parsing the kid properly. I'll keep digging as time permits, but I'm hoping that someone else more familiar with that mechanism might be able to help point me in the right direction.
-Chris
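
A diagnostic for the kid question raised above, as an added example that is not part of the original post and is not Tsugi or Canvas code: it decodes a JWT header without verifying the signature and reports whether its kid selects a key in a given JWKS document. The function names, the sample token and the key sets (with placeholder key material) are constructed for illustration.

```python
import base64
import json

def b64url_decode(segment):
    # JWTs strip base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def jwt_header(token):
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    return json.loads(b64url_decode(parts[0]))

def check_kid(token, jwks):
    """Return (status, detail) for selecting a JWKS key by the token's kid."""
    header = jwt_header(token)
    kid = header.get("kid")
    published = [k.get("kid") for k in jwks.get("keys", [])]
    if kid is None:
        return "no-kid", f"header has no kid; published kids: {published}"
    match = next((k for k in jwks.get("keys", []) if k.get("kid") == kid), None)
    if match is None:
        return "kid-miss", f"kid {kid!r} not in published kids {published}"
    if "alg" in match and match["alg"] != header.get("alg"):
        return "alg-mismatch", f"header alg {header.get('alg')!r} vs key alg {match['alg']!r}"
    return "ok", f"kid {kid!r} selects a {match.get('kty')} key"

def sample_token(header):
    # Constructed, unsigned sample: only the header matters for this check.
    body = b64url_encode(json.dumps({"iss": "example-client-id"}).encode())
    return ".".join([b64url_encode(json.dumps(header).encode()), body, "c2ln"])

# Constructed key sets: "n" values are placeholders, not real key material.
JWKS_BEFORE = {"keys": [{"kty": "RSA", "kid": "key-1", "alg": "RS256", "e": "AQAB", "n": "placeholder"}]}
JWKS_AFTER = {"keys": [{"kty": "RSA", "kid": "key-2", "alg": "RS256", "e": "AQAB", "n": "placeholder"}]}
TOKEN = sample_token({"alg": "RS256", "typ": "JWT", "kid": "key-1"})

if __name__ == "__main__":
    for name, jwks in (("before rotation", JWKS_BEFORE), ("after rotation", JWKS_AFTER)):
        print(name, check_kid(TOKEN, jwks))
```

Running the same check against a captured token and the JSON actually served at the JWKS URL shows whether a failure is a kid that is missing from the published set or something later in verification.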