LTI 1.3 tools must generate their own keys and JWKS URL
When we started supporting LTI 1.3/Advantage (back in May of 2019) we chose to generate public/private key pairs for the tools. The tool vendor was then responsible for copying and storing those values on their side.
But the IMS Global community has moved away from that model and now suggests that tool vendors generate their own key pairs for LTI authentication and provide their public key via a JWKS URL. This model is more secure because there is not copying of a private key and allows the LTI Tool provider to follow best practices with key rotation.
We decided to follow that suggestion. If you want to register a new tool with Learn, you have to provide the JWKS URL information. And if you have an existing tool that use the Anthology-generated private key, please keep in mind that we’ll be terminating support in the near future.
NOTE: Once you’ve made the change, you must have our mutual clients redeploy your LTI 1.3 tool. Redeploy means the following:
- Admin -> Integrations, LTI Tool Providers -> Register LTI 1.3/Advantage Tool
- Enter the same client ID for your tool that was previously deployed. Click the [Submit] Button.
- Your tool will be redeployed to use your new JWKS URL.
Follow the above steps exactly. Do NOT have them delete the integration as that will destroy all existing links to your tool, which can not be recovered.
Here is a video explanation of both the steps you need to take to update your tool’s JWKS URL and the step you will need to have our mutual clients take. Note that after you update your tool’s JWKS URL on the developer portal our mutual clients will NOT able to use your product until after they redeploy as described above and in the video.
- Is this just a background change, and it will not impact anything on the front end?
-> There is no impact to how our mutual clients use the LTI Tool or Learn.
- Does making the change at the central location serve the purpose, or are we required to plan anything around individual connections for separate schools?
-> You will need to work with the individual schools to ensure that after you make the chage they redploy your tool as described above.
- Will schools transition seamlessly once we transition from a static public key to keyset URL (JWKS), or does it require any intervention from the Black side or the school admins?
-> The school admins will need to redeploy your tool as described above.
- Currently, both static public key and keyset URL (JWKS) are going through successfully. Is it because Anthology hasn’t yet discontinued supporting the static public key?
-> Anthology will continue supporting the keys that were originally provided until further notice, likely until the end of 2022*.
As always, if you have any questions, check out the contact us page and let us know!
*Statements regarding our product development initiatives, including new products and future product upgrades, updates or enhancements represent our current intentions, but may be modified, delayed or abandoned without prior notice and there is no assurance that such offering, upgrades, updates or functionality will become available unless and until they have been made generally available to our customers.