cpoole2256
Community Participant

Do different school instances block use of access tokens to view content?

As part of a Gamification initiative, my team and I are working to create a stand-alone game which uses the Canvas API's GET requests to retrieve information on the student player and their courses. We're currently using manually created access tokens for testing but plan to learn OAuth later. Ideally, this game would work with any school's instance of Canvas (we plan on having a text field where you can type the base URL of your school's Canvas instance which is then used elsewhere for the GET calls). This means we wouldn't want to go through each individual school our players use and ask each one for permissions and instead just have a general solution that would allow the player to log in and have it work with any instance of Canvas. Is this possible? We've already used our stand-alone program to gain information on our school's instance using my own access token, but is this a feature that some schools disable for security risks? Also, when we move on to using OAuth, will we still be able to generate a token for any school using only the URL of that school's instance and the login of a student from that school?

Thanks for the help!

0 Kudos
1 Reply
ColinMurtaugh
Community Champion

Hi Christopher --

Your project sounds interesting! The way that the OAuth integration works is that a top-level administrator for each Canvas instance would need to generate a key for your application; external tools can't initiate the OAuth workflow without that. It's for good reason, too -- this essentially grants your tool full API access to act on behalf of your users, so from the administrator's point of view it's critical to properly vet the vendor. Since the data that you'd have access to is so sensitive (including FERPA-protected data), many institutions will require that you undergo an information security review and have a contract in place before allowing this kind of access.

Hope this is helpful!

--Colin
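
The per-instance key requirement described in the reply, as an added Python example that is not part of the original thread or of Canvas's own code: the app accepts a user-typed base URL, but only starts the OAuth redirect (Canvas's `/login/oauth2/auth` endpoint) for hosts whose administrator has issued it a developer key. The registry contents, host names, client ID and callback URL are constructed placeholders.

```python
import secrets
from urllib.parse import urlsplit, urlencode

# Constructed registry: one developer key per Canvas instance, issued by that
# instance's administrator. Host and client ID are placeholders.
DEVELOPER_KEYS = {
    "canvas.example-university.edu": {"client_id": "PLACEHOLDER_CLIENT_ID_1"},
}
REDIRECT_URI = "https://game.example.org/oauth/callback"  # assumed app callback


def normalize_instance(base_url):
    """Return the lowercase host of a user-typed Canvas URL, or raise ValueError."""
    parts = urlsplit(base_url.strip())
    if parts.scheme != "https":
        raise ValueError("Canvas instance URL must use https")
    # Reject user:pass@host tricks that make a URL look like a trusted host.
    if parts.username or parts.password or not parts.hostname:
        raise ValueError("URL must be a plain https://host address")
    if parts.port not in (None, 443):
        raise ValueError("unexpected port")
    return parts.hostname.lower()


def build_authorization_url(base_url):
    """Build the /login/oauth2/auth redirect for a registered instance.

    Returns (url, state). The caller stores state in the user's session and
    compares it with the value returned on the callback.
    """
    host = normalize_instance(base_url)
    key = DEVELOPER_KEYS.get(host)
    if key is None:
        # No administrator-issued key: the OAuth flow cannot be started here.
        raise LookupError(f"no developer key issued for {host}")
    state = secrets.token_urlsafe(32)
    query = urlencode({
        "client_id": key["client_id"],
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "state": state,
    })
    return f"https://{host}/login/oauth2/auth?{query}", state
```

Because tokens and authorization codes are only ever exchanged with hosts in the registry, a mistyped or look-alike base URL fails before any credential leaves the app.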