[ARCHIVED] Do I need to create a LTI to access student data as that student going through oAuth?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Referring to this section in the OAuth guide:
Getting OAuth2 Client ID/Secret
If your application will be used by others, you will need to implement the full OAuth2 token request workflow, so that you can request an access token for each user of your application.
Performing the OAuth2 token request flow requires an application client ID and client secret. To obtain these application credentials, you will need to register your application. The client secret should never be shared.
I've developed a front-end to Canvas and I want to access the APIs masquerading as each student using OAuth. Do I need to create a LTI to get a 'client key' and ' client secret' for OAuth or can I get those another way?
Thanks,
Michael
Solved! Go to Solution.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OAuth is not to be used in your scenario. OAuth's client secret is tied to each user who requests to access Canvas and should not be shared.
OAuth flow is purely used to generate an access token for a user to access Canvas API from your application. You can't generate access token of a user using OAuth because only that specific user (using their own login credential to authenticate) can generate the token through OAuth
If you need to perform an action on behalf of a user, you have to use masquerading. However, if you want your student/user to perform API requests from your application then yes, use OAuth.
LTI is to be used if you want to embed your application into Canvas.
In regard to throttling, it depends on the number of concurrent requests and the type of request. An insight from @James:
As for reaching the API limit -- yes, I have reached that. I started using the Bottleneck JS library to keep from doing so. My intragroup peer reviews had that issue, the resetting of missing or late status also hit the threshold. My access report script should probably use it, but I'm not sure if I added it there or not, yet. My script that downloads all of the essentials each night for our early alert system uses it heavily. Because I parallelize all the requests that I can (something that cannot be done as easily with GraphQL), I had to go through and set different timings for different types of requests. The key is the number of concurrent requests and the minimum time between requests. I may allow 30 concurrent requests, but make sure there is 50ms between them so I don't hit the x-rate-limit-remaining threshold. It varies widely depending on the API call (enrollments are really expensive). That initial limit of 700 is even worse on Canvas Studio. Studio starts at 70 and anything above 1 call per second will eventually trigger it. Unfortunately, the Bottleneck library doesn't allow you to dynamically change the timings once the items are in the queue so I cannot react to the remaining amount, only set it before I make the calls. (https://community.canvaslms.com/t5/Idea-Conversations/Allow-Global-Account-setting-for-quot-Treat-Un...)
This discussion post is outdated and has been archived. Please use the Community question forums and official documentation for the most current and accurate information.