LTI 1.3 : What to do with the id_token in Step 4

glparker

I've setting up a hello world LTI 1.3 ,and I've got it working to the point that I'm getting back what appears to be a valid 

id_token

I can take this id_token, and paste it into https://jwt.io/ and I can see expected results.

What I can't figure out is what jwt.io is doing to decode/decrypt this id-token.   The docs say
https://canvas.instructure.com/doc/api/file.lti_dev_key_config.html

• The request will include an id_token which is a signed JWT containing the LTI payload (user identifiers, course contextual data, custom data, etc.). Tools must validate the request is actually coming from Canvas using Canvas' public JWKs.

But the linked docs don't say "How" to perform this verification.    

What is the workflow for decoding and validating the id_token once we've gotten it?

svickers2

The JWT passed in the id_token parameter will have been signed by Canvas using its private key.  As a tool you need to verify the signature using the public key which can be fetched from an endpoint such as <A href="https://canvas.instructure.com/api/lti/security/jwks" target="_blank" rel="nofollow noopener noreferrer">https://canvas.instructure.com/api/lti/security/jwks</A> (different endpoints are used for the test and development environments).  A JWT library for your language of choice would normally include a method for doing this; otherwise check the documentation for JWTs for details.  Once you have verified the signature of the JWT you can rely on the authenticity of its contents to process the request received.