Implement an LTI 1.3 tool launch (OIDC flow)

Verified steps

1. Register the tool with the platform (LMS): provide your tool's OIDC login initiation URL, target link URI, redirect URIs, and a public JWK endpoint; receive the platform's issuer, client_id, OIDC auth endpoint URL, and JWKS URL.
2. Handle the OIDC Login Initiation: the LMS POSTs to your oidc_initiation_url with parameters iss, login_hint, target_link_uri, and lti_message_hint; validate that iss and client_id match your registration, generate a nonce and state, store both in a short-lived cookie or session.
3. Redirect the browser to the platform's OIDC authorization endpoint with query parameters response_type=id_token, response_mode=form_post, scope=openid, client_id, redirect_uri, login_hint (echo back), nonce, state, and lti_message_hint (echo back).
4. Receive the platform's POST to your redirect_uri containing an id_token JWT; validate the state against your stored value to prevent CSRF, then verify the JWT signature using the platform's public keys fetched from its JWKS endpoint.
5. Validate the JWT claims: iss matches the registered platform issuer, aud contains your client_id, nonce matches your stored nonce, exp has not passed, and the claim https://purl.imsglobal.org/spec/lti/claim/message_type is LtiResourceLinkRequest.
6. Extract the LTI context, resource link, roles, and custom claims from the verified JWT payload and use them to provision or identify the user session in your tool.