Implement the LTI 1.3 platform-side OIDC login initiation endpoint and the tool's redirect_uri handler to validate the id_token JWT and extract custom claims
Receive the OIDC login initiation POST with iss, login_hint, target_link_uri, and lti_message_hint params
Redirect to the platform's OIDC authorization endpoint with response_type=id_token, response_mode=form_post, scope=openid, and a nonce you store server-side
Receive the form_post callback with the id_token JWT; fetch the platform JWKS from the registered jwks_uri
Verify the JWT signature, iss, aud, nonce, exp, and https://purl.imsglobal.org/spec/lti/claim/version == '1.3.0'
Extract https://purl.imsglobal.org/spec/lti/claim/roles, context, resource_link, and custom claims from the token payload
Redirect the user to the target_link_uri with a short-lived session; never replay the id_token
Known gotchas
The nonce must be consumed on first use; storing it only in a cookie is insufficient if the tool runs multiple instances — use a shared store
JWKS caching is essential for performance, but the cache must be invalidatable so a key rotation on the platform does not permanently break launches
The aud claim may be a single string or a JSON array; validate membership, not equality, to handle array-form audiences