LTI 1.3 authenticator. Shouldn't it have a JWKS endpoint or provide a public key?

Hi everyone,

I have set up a JupyterHub server with the LTI Authenticator, version 1.3.

I can consume it without further issue from Moodle, but when trying to configure it in order to be consumed by a different custom platform it does not work due to the lack of a JWKS endpoint on the JupyterHub side of things.

Some discussions on this forum suggest that the JWKS endpoint is not required on the JupyterHub side of things and in fact Moodle does not require it.

But all the searches I make on the topic of establishing the connection between the Platform and the Tool in LTI insist on both parties having to provide a public key or a JWKS endpoint.

So is the JupyterHub Authenticator using a non-standard-compliant LTI implementation? Is it using an alternative flow that does not require this keyset? Is Moodle just working around the lack of such a key?

I’m quite confused.

Some expert clarification about this would be much appreciated.

I don’t use LTI, but reading some docs, it appears that JWKs are required on Tools for only a subset of actions, e.g. sending messages to LTI or deep linking or requesting access tokens. LTIAuthenticator doesn’t do any of those things, it only accepts and verifies launch requests, so the only message direction is LMS->JupyterHub, not LTIAuthenticator->LMS, which would require JWKs on the LTIAuthenticator.

If some providers require JWKs to be set up even if unused, that could be added to LTIAuthenticator without too much difficulty (a new Handler would be added for the JWKs endpoint, it could generate any random key pair on startup).
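The trust direction described in the reply above, as an added example (not part of the thread and not LTIAuthenticator's code): the platform signs the launch `id_token` with its private key, and the tool verifies it using only the platform's published JWKS, so the tool needs no key pair of its own for launches. All names, the `kid`, and the demo key are constructed for illustration; the check covers the RS256 signature only, not the `iss`, `aud`, `nonce` and `exp` validation a real launch also needs.

```python
import base64, hashlib, json

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def emsa_pkcs1(message: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message), k bytes long."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

# --- Platform (LMS) side: holds the private key, publishes the public JWKS ---
# Constructed demo key from two Mersenne primes: trivially factorable, demo only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8
PLATFORM_JWKS = {"keys": [{"kty": "RSA", "alg": "RS256", "kid": "lms-demo-1",
                           "n": b64u(N.to_bytes(K, "big")), "e": b64u(E.to_bytes(3, "big"))}]}

def platform_sign_launch(claims: dict) -> str:
    header = {"alg": "RS256", "typ": "JWT", "kid": "lms-demo-1"}
    signing_input = ".".join(b64u(json.dumps(p).encode()) for p in (header, claims))
    sig = pow(int.from_bytes(emsa_pkcs1(signing_input.encode(), K), "big"), D, N)
    return signing_input + "." + b64u(sig.to_bytes(K, "big"))

# --- Tool (JupyterHub) side: needs only the platform's JWKS, no key of its own ---
def tool_verify_launch(id_token: str, platform_jwks: dict) -> dict:
    head_b64, body_b64, sig_b64 = id_token.split(".")
    header = json.loads(unb64u(head_b64))
    if header.get("alg") != "RS256":          # refuse "none" and HMAC confusion
        raise ValueError("unexpected alg")
    jwk = next((key for key in platform_jwks["keys"] if key.get("kid") == header.get("kid")), None)
    if jwk is None:
        raise ValueError("unknown kid")
    n, e = (int.from_bytes(unb64u(jwk[f]), "big") for f in ("n", "e"))
    k = (n.bit_length() + 7) // 8
    sig = unb64u(sig_b64)
    if len(sig) != k or int.from_bytes(sig, "big") >= n:
        raise ValueError("bad signature")
    recovered = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    # Compare against a freshly built encoding rather than parsing the padding.
    if recovered != emsa_pkcs1(f"{head_b64}.{body_b64}".encode(), k):
        raise ValueError("bad signature")
    return json.loads(unb64u(body_b64))
```

A tool-side JWKS only becomes necessary once the tool itself signs something for the platform to verify, which is the reverse of the flow shown here.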