When I have experimented with Canvas APIs I have used access tokens that I create from my account. Seemed like a reasonable way to get going with tests. However when I consider moving the API code to production (for things like monitoring and reporting) I will need to set up automated processes that can authenticate for API access. I am asking the community what is considered the best-practice for API access authN/authZ when building automated processes.
I am considering setting up a functional user (with permissions and account scope set according to need) and creating an access token from that user. Alternatively, I am planning on creating a developer key from the scoped functional user account. Wanted to know if there are any recommendations on specifics. I like the look of the new scoped developer keys, however it is not clear if I can scope a developer key to only have access a particular sub-account (without using a a sub-account scoped function user.)
Again thanks for any advice.
I think much of my question may be touched on in this article/ discussion:
Will read that carefully; looks good. But I think much of my question may really be focused around more pedestrian issues about the procedural aspects of creating the tokens/ keys. One think I have noticed is that is a bit harder to create access tokens or keys from a functional user now. Seems like there is a new security feature that disallows key/token creation by masquerading.
All API work is done as some user, so for an automated process that isn't driven by human interaction, it makes sense to create a user with just the permissions needed for your API access. You'd need a developer key if you were planning to jump through the OAuth hoops, but even then you'd still need some particular user to authenticate as. Creating an authentication token lets you skip the developer key, if you aren't doing anything with human interaction. As you noted, you do have to really log in as the API user to create the authentication token, but that's easier than coding the OAuth process.
Paul :: Yeah, I have just arrived at a conclusion that echoes your advice. I am a little disappointed that Dev Keys do not fit into the machine to machine communication story. I finally worked through the OAuth flow documented here: OAuth2 - Canvas LMS REST API Documentation, to convince myself that it is not a good fit for the automated processes I am trying to facilitate (needing to click through a browser/user orientated authorization step is pretty much a deal killer). It is worth noting that there is an OAuth2 Grant Type and Flow that does seem to be applicable to automated process communication [Note reference below]. However this grant/flow does not seem to be implemented on Canvas; I tried but was rejected when I tried to pass
grant_type with the value
I should emphasize that from an application admin perspective, Dev Keys with the new scoping feature really does seem like the best way to manage access controls for the kinds of automated processes many folks at our institution want to implement. I have set-up functional accounts, created special Account Admins with selected permissions, etc, and it really is a pain when compared to creating Dev Keys with scoping control. Oh well - glad to have an answer even if it is not the answer I wanted.
A Guide To OAuth 2.0 Grants - Alex Bilbie - look for the the section which describes the Client Credentials Grant.
also check out the OAuth 2.0 RFC
Paul :: By the way, I may have missed a key point in my first read of your response: "All API work is done as some user, so for an automated process that isn't driven by human interaction, it makes sense to create a user with just the permissions needed for your API access" -- I understand that now. My main misunderstanding was a belief that Dev Keys were a short-cut around the functional user creation, auth token creation, and management (at the cost of the OAuth2 overhead). As an aside (and as someone really quite new to OAuth2), I can see that there are some nice security aspects that machine to machine processes could benefit from even at the cost of the implementation overhead. One of the main reasons I was trying to make an automated process work with OAuth2.
I'm trying to wrap my head around Developer Keys. Right now my understanding is that the developer key is simply to uniquely identify an application which is authorized to act on behalf of users. After a user authorizes the application, then the application is acting as that user with the same permissions of that user, unless we restrict the scopes of the application in which case it will have a subset of the permissions of that user.
Is that right?
I'm working with a vendor which wants to do some quite extensive admin-type things that an authorizing user would not be able to do (e.g. a faculty member could not search all courses in an account), but my reading implies that I have to create a user for that vendor, grant it enough permissions, and then create a developer key for their application. They then have their user authorize the application and go from there (or shortcut it by creating a token just for their special user).
What I want to do is be able to restrict the permissions for their admin-type user with the kind of fine-granted control that scopes give me, but if I'm right, then the only way I could do that is if that user was the only user of the developer key (which may be the case).
The developer key is what Canvas uses to 'trust' an LTI application for Oauth process in order to create user access tokens on behalf of the user that eventually uses their Canvas login for plausible API usage within Canvas once the Oauth process has finished. It is completely separate from the access token itself. I haven't developed an LTI in the past, but it became more apparent and understandable to me once our institution adopted UDOIT.
Yes, I think you have understood it all correctly.
You cannot apply scopes to a manually generated token, it gets all the permissions of the user.
So you need to create a scoped developer key and give the vendor the key and a user they can log in with so they can go through the OAuth process to get their token.
Or, I guess you could go through the OAuth process yourself and give the vendor the access and refresh tokens.
Just be careful not to mix LTI up with the API and API OAuth process.
While an LTI might use the API and OAuth to get a token, the need for this depends on the LTI.
And you can have applications that use the OAuth process to get an API token that are not LTI tools.