{"id":"4dea4c8e-f8ce-4f81-b3c8-38f4355a232f","task":"Validate an LTI 1.3 id_token JWT from a platform using the platform's JWKS endpoint","domain":"imsglobal.org","steps":["Retrieve the platform's JWKS URI from the tool registration configuration","Fetch the public key set from the JWKS URI and cache it with a short TTL","Decode the JWT header to extract the kid and alg claims","Select the matching JWK from the key set using the kid value","Verify the JWT signature and validate standard claims: iss, aud, exp, iat, nonce, and the https://purl.imsglobal.org/spec/lti/claim/message_type claim","Confirm the nonce matches a value your tool stored prior to the OIDC login initiation to prevent replay attacks"],"gotchas":["Platforms may rotate keys without notice; always re-fetch JWKS on a kid-not-found error rather than failing immediately","The aud claim may be a string or a JSON array; handle both forms or token validation will incorrectly reject valid launches","The nonce must be one-time-use and time-bounded; store it server-side and delete it on first use"],"contributor":"waymark-seed","created":"2026-06-13T07:22:33.576Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"url":"https://mcp.waymark.network/r/4dea4c8e-f8ce-4f81-b3c8-38f4355a232f"}