jmelson
Community Member

Enforcing scope on developer key breaks OAuth flow?


I have an app that uses the OAuth2 flow described here to authorize a user and receive an access token that is then used to make API calls. When I first wrote the app, I didn't select the "Enforce Scopes" option when creating the developer key it uses. But since the app only needs access to a couple of API endpoints, I thought it would be a good idea to restrict the key so that only those specific endpoints would be available to the authorizing user.

After turning on the "Enforce Scopes" option and selecting the endpoints I need, the app now fails to get past the first step in the OAuth2 flow:

GET https://<canvas-instance-url>/login/oauth2/auth?client_id=XXXX&response_type=code&redirect_uri=<my-r...;

This should just give me the initial code that can be exchanged for an access token, then redirect back to the specified URI. Instead, it gives me this error:

{
   "error":"invalid_scope",
   "error_description":"A requested scope is invalid, unknown, malformed, or
      exceeds the scope granted by the resource owner."
}

Turning off the "Enforce Scopes" option on the developer key results in everything working normally again. None of my application code changed, so the only thing that could be causing the error is the scoping.

Am I just misunderstanding how scoping is supposed to work, or is there something I need to change about how I've implemented the OAuth2 flow in my app if I wish to use a developer key with scoping enabled?

Accepted Solutions
pklove
Community Champion

When using scopes, you need to specify the scopes you want from amongst the ones that have been allowed at the Canvas end.

You do this by adding a scope parameter to the first call.  In the docs, this is on the OAuth2 Endpoints - Canvas LMS REST API Documentation page.  It would be good if the Overview page was updated to mention this.

It would also be nice if there was an option, or default, to have all allowed scopes, but it does not work like this.


7 Replies
jmelson
Community Member

Doh! Including the scope parameter in the initial request does the trick.

I overlooked that addition to the endpoint documentation (I agree, it would be great if the overview page were updated to reflect this), so thank you very much for pointing me in the right direction.

mahmoud_mostafa
Community Participant

Hello John, 

I tried to follow OAuth2 Endpoints - Canvas LMS REST API Documentation adding scope to my request but I am still getting this error

GET /token?error=invalid_scope&error_description=A+requested+scope+is+invalid%2C+unknown%2C+malformed%2C+or+exceeds+the+scope+granted+by+the+resource+owner.+The+following+scopes+were+requested%2C+but+not+granted%3A+https%3A%2F%2Fpurl.imsglobal.org%2Fspec%2Flti-ags%2Flineitem+and+https%3A%2F%2Fpurl.imsglobal.org%2Fspec%2Flti-ags%2Fresult%2Fread

I am running Canvas self-hosted on my local machine. When I tried to enable scoping for the developer key that I have, following this documentation: How do I enable scoping for a developer key in an account?

I could not find the Enforce Scopes field; it seems the local version is different from the one mentioned there.

I can see that I can add a scope only to an API key, not the LTI key. I am not sure if I have got it right or not!

Can anyone explain how I can get past this error, please?

Thanks 

Our LTI utilizes many API endpoints, and if we pass scope parameters for all of them in a request then the character count exceeds 2000, causing our nginx server to reject the request.

Is there any other option to pass multiple scope parameters other than in a GET request?

Can you not increase your nginx header limit size?

http://nginx.org/en/docs/http/ngx_http_core_module.html#large_client_header_buffers

Canvas should work up to 8000 characters, but suggests that if you are having problems you request multiple tokens from the user and have different scopes on each token. This is documented on the Developer Keys page.

If I want to request a second token with the remaining scopes, do I have to make another request to the authorization URL with those remaining scopes?

Did you find any solution to this problem? I ran Bitnami version of Canvas through AWS and am having the same issue as you. I can't modify scopes in this version during LTI Developer Key setup.
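A worked example, added here and not part of any post in this thread, that puts the accepted answer and the later length-limit replies into code: it builds the first OAuth2 authorization request with the scope parameter, splits a long scope list into several authorization requests (one per token) when the URL would exceed a length limit, and extracts the "requested, but not granted" scopes from the error redirect quoted above. The Canvas base URL, client id, redirect URI, state value and the url:GET|... scope string are constructed or assumed values, not taken from the thread.

```python
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed sample scope list: the two LTI AGS scopes quoted in the thread's
# error message, plus one API scope in the url:VERB|/path style (assumed format).
SAMPLE_SCOPES = [
    "https://purl.imsglobal.org/spec/lti-ags/lineitem",
    "https://purl.imsglobal.org/spec/lti-ags/result/read",
    "url:GET|/api/v1/courses",  # assumption: illustrative scope string only
]


def build_auth_url(canvas_base, client_id, redirect_uri, scopes, state):
    """Step one of the code flow WITH the scope parameter the accepted answer
    describes. Scopes are space-separated; `state` is the standard OAuth2
    CSRF token the app must verify when the redirect comes back."""
    if not scopes:
        raise ValueError("a key with Enforce Scopes on needs at least one scope")
    query = urlencode({
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
    })
    return f"{canvas_base}/login/oauth2/auth?{query}"


def split_scopes_by_url_length(canvas_base, client_id, redirect_uri, scopes,
                               state, max_len=2000):
    """Greedily group scopes so every authorization URL stays within max_len
    (the reverse proxy limit mentioned in the thread). Each group is one
    authorization request and yields one separately scoped token."""
    groups, current = [], []
    for scope in scopes:
        trial = current + [scope]
        url = build_auth_url(canvas_base, client_id, redirect_uri, trial, state)
        if len(url) > max_len and current:
            groups.append(current)   # close the group that still fit
            current = [scope]
        else:
            current = trial
    if current:
        groups.append(current)
    return groups


def parse_scope_error(redirect_url):
    """Return None if the redirect is not an invalid_scope error, otherwise the
    list of scopes Canvas reported as requested but not granted (the
    error_description wording seen in the thread)."""
    qs = parse_qs(urlparse(redirect_url).query)
    if qs.get("error", [None])[0] != "invalid_scope":
        return None
    desc = qs.get("error_description", [""])[0]
    marker = "but not granted: "
    if marker not in desc:
        return []
    tail = desc.split(marker, 1)[1].rstrip(".")
    return [p.strip() for p in tail.replace(" and ", ", ").split(",") if p.strip()]
```

Compare the scopes returned by parse_scope_error against the scopes enabled on the developer key; any scope listed there is one the key does not allow, and either the key's scope list or the request must change before the code exchange can succeed.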