Question about JWKS endpoint in multi tenant application #88

Open
martinzugnoni opened this issue Jul 14, 2022 · 1 comment
Labels
question Further information is requested

Comments

@martinzugnoni

Hello team,

I have a conceptual question I'd like to double check with you.

We are doing a multi tenant app (multiple accounts creating their own LTI integrations) and each tenant will have its own Tool config and key objects in Django database.

I'm using this code for the /jwks endpoint:

from django.http import JsonResponse
from pylti1p3.contrib.django import DjangoDbToolConf

def get_jwks(request):
    # DjangoDbToolConf reads every tool/key object in the database, so this
    # returns the keyset for all tenants, not just the tenant of the caller
    tool_conf = DjangoDbToolConf()
    return JsonResponse(tool_conf.get_jwks(), safe=False)

When I call the endpoint I get the whole list of public keys, for all tenants in the system.

{
  "keys": [
    {"e": ..., "kid": ..., "kty": ..., "n": ..., "alg": ..., "use": ...},
    {"e": ..., "kid": ..., "kty": ..., "n": ..., "alg": ..., "use": ...}
  ]
}

It seems odd to me that any account can access any other tenant's public keys, as well as the total number of accounts integrated in the system. Am I wrong? I know those are public keys, but I'd rather share them only with the necessary accounts when they need them.

Question is: Is it possible to filter those keys based on the LTI login/launch request and only return the set of keys belonging to the account doing the request?

Thank you in advance.

@hmoffatt
Contributor

Question is: Is it possible to filter those keys based on the LTI login/launch request and only return the set of keys belonging to the account doing the request?

The keys are fetched before login (unless I'm mistaken), so there's no way to know which tenant is making the request, except by encoding the tenant ID into the URL. That is what O365 does for example (keys are at https://login.microsoftonline.com/<tenant>/discovery/v2.0/keys), and I think also Blackboard (https://developer.blackboard.com/api/v1/management/applications/<client_id>/jwks.json).

If all the keys are in the same keyset then I don't think there is any benefit to having one per tenant anyway - the other end can choose any key it likes.

If you look at the jwks published on hosted Canvas (https://canvas.instructure.com/api/lti/security/jwks) you see just 3 keys - it appears they are doing monthly key rollover. Same for D2L (https://partners.brightspace.com/d2l/.well-known/jwks) - except all their keys seem to expire in minutes.
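One way to do what the reply describes, encoding the tenant into the JWKS URL so each platform only ever sees the keys registered for its own tool, as an added example that is not part of this issue or of pylti1p3 itself. It is plain Python with a thin Django view on top; the `TENANT_KEYS` store, the `/lti/<tenant_id>/jwks` path and the `jwks_view` name are assumptions for illustration, standing in for the per-tenant key objects in the Django database. The constructed sample keys use placeholder moduli, and one entry deliberately carries a private member to show that the endpoint strips it.

```python
"""Tenant-scoped JWKS endpoint (added example, not pylti1p3 code).

Assumes each tenant's tool registration maps to one or more public JWKs and
that the tenant identifier is part of the URL path, e.g. /lti/<tenant_id>/jwks,
mirroring the O365 and Blackboard layouts mentioned in the reply.
"""
import re
from typing import Dict, List, Optional

# Only identifiers of this shape are accepted from the URL path, so a caller
# cannot smuggle path separators, wildcards or trailing newlines into a lookup.
TENANT_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")

# Constructed sample data standing in for the per-tenant key objects in the
# database. The "n" values are placeholders, not real RSA moduli. The "d"
# member on the acme key is deliberately there to show it never gets served.
TENANT_KEYS: Dict[str, List[dict]] = {
    "acme": [
        {"kty": "RSA", "alg": "RS256", "use": "sig", "kid": "acme-2022-07",
         "e": "AQAB", "n": "placeholder-acme-modulus",
         "d": "placeholder-private-exponent-must-not-leak"},
    ],
    "globex": [
        {"kty": "RSA", "alg": "RS256", "use": "sig", "kid": "globex-2022-06",
         "e": "AQAB", "n": "placeholder-globex-modulus-old"},
        {"kty": "RSA", "alg": "RS256", "use": "sig", "kid": "globex-2022-07",
         "e": "AQAB", "n": "placeholder-globex-modulus-new"},
    ],
}

# The only members an RSA signing JWK needs to expose publicly.
PUBLIC_JWK_MEMBERS = ("kty", "alg", "use", "kid", "e", "n")


def tenant_jwks(tenant_id: str,
                store: Dict[str, List[dict]] = TENANT_KEYS) -> Optional[dict]:
    """Return the JWKS for exactly one tenant, or None if the tenant is unknown.

    Returning None (which the view turns into a 404) instead of falling back to
    the full keyset matters: a fallback would recreate the cross-tenant
    disclosure the issue describes, and an empty "keys" list would let a
    platform silently accept an unregistered tenant.
    """
    if not TENANT_ID_RE.fullmatch(tenant_id):
        return None
    keys = store.get(tenant_id)
    if not keys:
        return None
    # Whitelist public members so a stray private member ("d", "p", "q", ...)
    # stored alongside the key can never reach the wire.
    public_keys = [{m: key[m] for m in PUBLIC_JWK_MEMBERS if m in key}
                   for key in keys]
    return {"keys": public_keys}


def jwks_view(request, tenant_id: str):
    """Django view for path("lti/<str:tenant_id>/jwks", jwks_view) (hypothetical route).

    Django is imported inside the view so the filtering logic above stays
    importable and testable without a configured Django project.
    """
    from django.http import Http404, JsonResponse

    jwks = tenant_jwks(tenant_id)
    if jwks is None:
        raise Http404("unknown tenant")
    return JsonResponse(jwks)
```

Each tenant registers its own `/lti/<tenant_id>/jwks` URL with its platform, so the platform can only resolve `kid`s that belong to that registration; a key from another tenant, even one with a colliding `kid`, is simply not in the set it fetches. That is the isolation the shared keyset cannot give, since, as the reply notes, a platform reading one combined keyset is free to pick any key in it.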

@dmitry-viskov dmitry-viskov added the question Further information is requested label Sep 6, 2022