Enforcing scope on developer key breaks OAuth flow?

jmelson
Community Novice

I have an app that uses the OAuth2 flow described here to authorize a user and receive an access token that is then used to make API calls. When I first wrote the app, I didn't select the "Enforce Scopes" option when creating the developer key it uses. But since the app only needs access to a couple of API endpoints, I thought it would be a good idea to restrict the key so that only those specific endpoints would be available to the authorizing user.

After turning on the "Enforce Scopes" option and selecting the endpoints I need, the app now fails to get past the first step in the OAuth2 flow:

GET https://<canvas-instance-url>/login/oauth2/auth?client_id=XXXX&response_type=code&redirect_uri=<my-r...;

This should just give me the initial code that can be exchanged for an access token, then redirect back to the specified URI. Instead, it gives me this error:

{
   "error":"invalid_scope",
   "error_description":"A requested scope is invalid, unknown, malformed, or
      exceeds the scope granted by the resource owner."
}

Turning off the "Enforce Scopes" option on the developer key results in everything working normally again. None of my application code changed, so the only thing that could be causing the error is the scoping.

Am I just misunderstanding how scoping is supposed to work, or is there something I need to change about how I've implemented the OAuth2 flow in my app if I wish to use a developer key with scoping enabled?

1 Solution
pklove
Community Champion

When using scopes, you need to specify the scopes you want from amongst the ones that have been allowed at the Canvas end.

You do this by adding a scope parameter to the first call. In the docs, this is on the OAuth2 Endpoints - Canvas LMS REST API Documentation page. It would be good if the Overview page was updated to mention this.

It would also be nice if there was an option, or default, to have all allowed scopes, but it does not work like this.

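As an added example (not code from the original post, the answer, or Canvas itself), the following Python builds the first authorization request the way the answer describes: with an explicit scope parameter listing scopes chosen from the set enabled on the developer key. The scope strings, the base URL, the redirect URI and the `ALLOWED_SCOPES` set are constructed for illustration; the "url:METHOD|path" spelling and the space-separated scope list are assumptions about the scope format, not something the thread confirms. The local subset check mirrors what the server rejects with invalid_scope, and the state parameter is included because a practitioner would want the callback bound to the request.

```python
"""Build a scoped /login/oauth2/auth request for a developer key that
enforces scopes.  Added example, not code from the original thread.
Scope strings and URLs below are constructed placeholders."""
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Scopes ticked on the developer key under "Enforce Scopes".
# Constructed for this example; substitute what the key actually allows.
# Assumption: Canvas spells scopes as "url:METHOD|/api/path".
ALLOWED_SCOPES = frozenset({
    "url:GET|/api/v1/courses",
    "url:GET|/api/v1/courses/:id",
})


def authorize_url(base_url, client_id, redirect_uri, scopes,
                  allowed=ALLOWED_SCOPES, state=None):
    """Return the authorization URL with an explicit scope parameter.

    With scopes enforced, leaving the parameter out (the situation in the
    question) or asking for a scope the key does not allow is answered
    with invalid_scope, so the subset check is done here first.
    """
    requested = list(dict.fromkeys(scopes))  # de-duplicate, keep order
    if not requested:
        raise ValueError("an enforced key needs at least one requested scope")
    unknown = [s for s in requested if s not in allowed]
    if unknown:
        raise ValueError(f"scopes not enabled on the developer key: {unknown}")
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        # Assumption: multiple scopes are separated by spaces.
        "scope": " ".join(requested),
        # Random state ties the callback to this request (CSRF protection);
        # the caller should store it and compare it on return.
        "state": state or secrets.token_urlsafe(16),
    }
    return f"{base_url.rstrip('/')}/login/oauth2/auth?{urlencode(params)}"


def query_param(url, name):
    """Return the decoded values of one query parameter (for checking)."""
    return parse_qs(urlsplit(url).query).get(name, [])


def requested_scopes(url):
    """Return the scopes carried by an authorization URL as a list."""
    values = query_param(url, "scope")
    return values[0].split(" ") if values else []


if __name__ == "__main__":
    # Constructed values; the client_id placeholder is the one from the post.
    url = authorize_url("https://canvas.example.edu", "XXXX",
                        "https://app.example.com/oauth/callback",
                        ["url:GET|/api/v1/courses", "url:GET|/api/v1/courses/:id"])
    print(url)
    print("scopes requested:", requested_scopes(url))
    try:
        authorize_url("https://canvas.example.edu", "XXXX",
                      "https://app.example.com/oauth/callback",
                      ["url:DELETE|/api/v1/courses/:id"])
    except ValueError as exc:
        print("rejected locally:", exc)
```

The local check does not replace the server's enforcement; it only turns the opaque invalid_scope response into a clear error before the round trip. Keep the requested list to what the app actually calls, as the question intends, since every scope granted here is what the resulting access token can reach.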