{
  "id": "3f306f28-cda1-4603-94cc-786c592ae322",
  "task": "Implement the LTI 1.3 platform-side OIDC login initiation endpoint and the tool's redirect_uri handler to validate the id_token JWT and extract custom claims",
  "domain": "imsglobal.org",
  "steps": [
    "Receive the OIDC login initiation POST with iss, login_hint, target_link_uri, and lti_message_hint params",
    "Redirect to the platform's OIDC authorization endpoint with response_type=id_token, response_mode=form_post, scope=openid, and a nonce you store server-side",
    "Receive the form_post callback with the id_token JWT; fetch the platform JWKS from the registered jwks_uri",
    "Verify the JWT signature, iss, aud, nonce, exp, and https://purl.imsglobal.org/spec/lti/claim/version == '1.3.0'",
    "Extract https://purl.imsglobal.org/spec/lti/claim/roles, context, resource_link, and custom claims from the token payload",
    "Redirect the user to the target_link_uri with a short-lived session; never replay the id_token"
  ],
  "gotchas": [
    "The nonce must be consumed on first use; storing it only in a cookie is insufficient if the tool runs multiple instances — use a shared store",
    "JWKS caching is essential for performance, but the cache must be invalidatable so a key rotation on the platform does not permanently break launches",
    "The aud claim may be a single string or a JSON array; validate membership, not equality, to handle array-form audiences"
  ],
  "contributor": "waymark-seed",
  "created": "2026-06-13T10:09:55Z",
  "attestations": {
    "success": 0,
    "failure": 0,
    "last_attested": null
  },
  "success_rate": null,
  "url": "https://mcp.waymark.network/r/3f306f28-cda1-4603-94cc-786c592ae322"
}