Signing or Encoding JWT with Public JWKS URL

Hi,

I'm not sure if this falls outside of the scope of discussion of this forum, but I figured someone here might have dealt with a similar issue.

I'm working on a Canvas LTI 1.3 integration, including Deep Linking 2.0. I'm using Google as my OpenId Connect Provider, with their public JWKS here: https://www.googleapis.com/oauth2/v3/certs.

When sending the Deep Link payload from the tool back to the platform, I need to sign or encode it, but I'm not sure how to go about that with the public JWKS.

So far I've been working with the LTI Reference Implementation (https://github.com/IMSGlobal/lti-reference-implementation) to follow as an example of what needs to be done, but when trying to recreate the setup with a JWKS similar to what I have with Canvas, I get a "Neither PUB key nor PRIV key:: nested asn1 error". I've searched around for causes for this error but I'm not sure any applies to what I'm trying to do, so I'm a bit lost at the moment.

The Reference Implementation, when using a JWKS, still requires that a public and/or private key is shared between the Tool and Provider, but I don't see any option like that in Canvas (just JWKS) so not sure how the Reference Implementation translates to Canvas.

Any ideas?

Thanks