LTI 1.3 Access Token 400 error

I've been doing some testing with our LTI 1.3 Tool using Brightspace as a platform and have been running into a 400 error when attempting to get an access token.

The error message returned is "Client is not authorized to set a \u0027nonce\u0027 claim".

I do see that we are including a nonce claim in the JWT that we pass to the endpoint, but am unsure why this is not allowed by Brightspace, as I don't see anything in the spec that disallows it: https://www.imsglobal.org/spec/security/v1p0/#using-json-web-tokens-with-oauth-2-0-client-credentials-grant

Things do work as expected if I remove the nonce.

Thanks for your help!

Answers

  • Steve.H.432
    Steve.H.432 Posts: 12 🌱
    edited August 2023

    Could you please provide a link to your JWT using https://jwt.io?

    Are you currently including the nonce claim in the header? If that's the case, consider removing it from the header and placing it in the payload instead. I've faced a similar situation when moving the kid claim, where it needed to be in the header, not the payload. I've successfully included the nonce claim in the payload without encountering any problems.

    I hope this helps!
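As an added example (not code from either poster, D2L, or any LTI library), the following stdlib-only Python builds the client-credentials assertion with just the claims the linked spec section requires (alg/typ/kid in the header; iss, sub, aud, iat, exp, jti in the payload) and includes a checker that reports whether a claim such as `nonce` ended up in the header or the payload. The `sign` callable stands in for the tool's real RS256 signer, and all identifiers and URLs are assumptions.

```python
import base64
import json
import time
import uuid
from typing import Callable, Optional

# Claims the IMS Security Framework requires in the client-credentials JWT
# assertion (the spec section linked in the question above).
REQUIRED_CLAIMS = ("iss", "sub", "aud", "iat", "exp", "jti")

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def encode_jwt(header: dict, payload: dict, sign: Callable[[bytes], bytes]) -> str:
    """Serialise header.payload.signature. `sign` is the tool's signer
    (RS256 over the signing input in a real deployment; assumed here)."""
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload))
    return signing_input + "." + b64url_encode(sign(signing_input.encode()))

def build_client_assertion(client_id: str, token_url: str, kid: str,
                           sign: Callable[[bytes], bytes], lifetime: int = 60) -> str:
    """JWT a tool sends as client_assertion to the platform token endpoint.
    Only required claims go in the payload and only alg/typ/kid in the
    header; no nonce is set anywhere, since this grant does not need one."""
    now = int(time.time())
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}  # kid lives in the header
    payload = {"iss": client_id, "sub": client_id, "aud": token_url,
               "iat": now, "exp": now + lifetime, "jti": str(uuid.uuid4())}
    return encode_jwt(header, payload, sign)

def find_claim(jwt: str, claim: str) -> Optional[str]:
    """Return 'header' or 'payload' depending on where `claim` sits in an
    (unverified) JWT, or None if absent. Useful before sending an assertion."""
    header_b64, payload_b64, _sig = jwt.split(".")
    for name, segment in (("header", header_b64), ("payload", payload_b64)):
        if claim in json.loads(b64url_decode(segment)):
            return name
    return None

def missing_required_claims(jwt: str) -> list:
    """List spec-required claims absent from the assertion's payload."""
    payload = json.loads(b64url_decode(jwt.split(".")[1]))
    return [c for c in REQUIRED_CLAIMS if c not in payload]
```

Running `find_claim(assertion, "nonce")` on the assertion your tool actually sends tells you which segment the claim is in, which is the first thing to check when the token endpoint rejects it.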

  • Luke.W.626
    Luke.W.626 Posts: 3 🌱

    Hi @Steve.H.432, thanks for the response! Do you happen to know what version of Brightspace you are on? We're on 20.23.8.16033 and relatively recently started having this problem. Things worked as expected on previous versions, so it seems like something recently changed in Brightspace that's causing this.

  • Steve.H.432
    Steve.H.432 Posts: 12 🌱
    edited August 2023

    Hey Luke,

    Our instance is on 20.23.8.16812.