Alright, so let me explain the scenario. I'm looking to make legitimately configured student accounts available to authorized users without needing to provide login credentials for a whole new account or provide masquerade rights.
In and of itself, this isn't a difficult task:
There are two primary concerns to this solution:

    $domain = 'canvas.instructure.com';
    $credentials = array(
        'user' => 'tstudent1',
        'pass' => 'P@ssw0rd'
    );

    // Submit the login form fields to the Canvas login endpoint.
    $ch = curl_init('https://' . $domain . '/login/canvas');
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_POSTFIELDS, urldecode(http_build_query(array(
        'pseudonym_session' => array(
            'unique_id' => $credentials['user'],
            'password' => $credentials['pass'],
            'remember_me' => 0
        )
    ))));
    // Follow redirects and return the response body without headers.
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
    curl_setopt($ch, CURLOPT_HEADER, false);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $results = curl_exec($ch);

Note: The actual code is more complex to accommodate authentication and multiple sets of credentials, and to determine which sets are available for use. However, this simplified code has the same issue.
If I point this cURL to a login system on one of my servers, it works, no problem. It submits the credentials to the same target as using an HTML form and when I access the actual site, it's logged me in with the designated credentials.
Does anyone have ideas on what I am missing?
Yes and no. We determined that the closest we could get was a combination of AJAX and PHP, but we dropped the project because we could not determine any way to keep the credentials from being sent to the client.
This was ultimately considered too great of a security risk, even if we could control and limit what level of access was involved in the system. Due to this, we didn't complete any viably working code relating to this project.