Community Member

OAuth 2.0 Auth Tokens & User Experience


I am the founder of an EdTech startup called Homework Muffin. We help busy students avoid that chaotic feeling of disorganization in their semester by creating organizational tools so they can live balanced lives.

We're working on developing interaction with Canvas now. Our current process requires the user to enter their own authentication from Canvas and put that into our app so that we can receive assignment data. Is there any way to make that process either invisible or easy for the user, just like logging into a normal app?

Our second problem is that we encounter a CORS issue between our site and the Canvas instance. We have resolved this via a proxy, but scaling it to every school will become cumbersome. Any recommendations for how to resolve this better?


Labels (4)
0 Kudos
11 Replies
Community Contributor


When you say:

"Our current process requires the user to enter their own authentication from Canvas"

Do you mean you are asking the users to generate "New Access Token" from their profile settings page ( and paste that value into your app? If so as suggested by @dtod OAuth2 authentication can be used as an alternative. If you use a scope of 'scope=/auth/userinfo' then your users will get the option to remember the application and so not have to grant access each time they use your app.

If your App is being served from a website and rendered in a browser (as opposed to being a mobile app) then you will have to run a proxy to get around the CORS issue, however it should be possible to allow multiple institutions to use the same proxy by including enough information in the authentication sent to the proxy to work out which instance it should connect to for the proxied request. We've been doing this reasonably successfully.

If you are wanting your app to display inside the context of Canvas then you may want to look at LTI as well, however it sounds like you are trying to get information to students outside of Canvas.

All the best.


Hi @matthew_buckett and @dtod,

Thanks for your replies! 

Yes, our current flow asks the users to generate a token from their profile page. We'll look into the scope of 'scope=/auth/userinfo' for OAuth2, thanks! 

Could you offer clarification on what this line means in the documentation?

If your application will be used by others, you will need to implement the full OAuth2 token request workflow, so that you can request an access token for each user of your application.

Performing the OAuth2 token request flow requires an application client ID and client secret. To obtain these application credentials, you will need to register your application. The client secret should never be shared.

For Canvas Cloud (hosted by Instructure), developer keys are issued by the admin of the institution.

Does this mean we need to contact each school individually to have them authorize the app?

Yes, we are building a web app. We worked out the issue by using a proxy. We might have to create a new one for each new school we serve. But if I understand correctly, you're saying that we should be able to use the same proxy and tell it which instance to connect to dynamically whenever a new school is added, is that correct?

0 Kudos

Asking users to manually generate a token is not a good way of handling this and I would expect Instructure and institutions to advise students not to do this, that is why in their documentation they state: 

"If your application will be used by others, you will need to implement the full OAuth2 token request workflow, so that you can request an access token for each user of your application."

To allows an OAuth login you will need to get a developer key working in each institution, Instructure do have developer keys that are configured for all institutions, but they still need to be enabled for each institution. These developer keys that are preconfigured are called "Inherited" developer keys.

Yep, having a proxy that can connect to multiple URLs is fine, part of this depends on how you are handling the authentication and where you are storing the tokens that you use to access Canvas.


0 Kudos
Community Contributor

More precisely it's a violation of the Canvas TOS to ask users to manually generate a token, although I've seen even big vendors do that.

For testing your application before you've implemented OAuth, the simplest option is to generate an access token on your user's profile page. Note that asking any other user to manually generate a token and enter it into your application is a violation of Canvas' terms of service. Applications in use by multiple users MUST use OAuth to obtain tokens.

0 Kudos
Community Member

This is quite a bummer. We were hoping to scale fast, and now it sounds like we'll have to reach out to each individual institution to enable our service instead of the individual students who would benefit from it across several institutions.

I want to make sure I don't violate any TOS! Could you send me a link to the TOS and the section this is covered under?

How can we get started with inherited keys? It would make it much easier for those institutions which I do get in contact with.


0 Kudos
Community Contributor

I have no idea, but that's what the API docs say. More specifically, I would just grab an LTI 1.3 library and plug that in to your app. Getting assignment data is part of LTI 1.3 (I believe).

If you need access otherwise via the API, OAuth is a much better user experience than asking someone to generate a key, but you may also be looking at an API developer key.

You should probably expect institutions to want to review tools for compliance reasons. We require a HECVAT for any integration we approve.

Thanks @dtod!

What would the difference be between getting a developer key for OAuth2 and utilizing LTI 1.3? From what I can tell, both require a Canvas administrator to set it up before it will work.
That's a great head's up for HECVAT! Thank you! Do y'all work with HECVAT Lite, or do I need to fill out HECVAT full? As I mentioned, we're a startup, so we don't have many resources to spare. But if this enables us to easily scale, it may be worth it.
0 Kudos
Community Contributor

The developer key for oauth has full access to the API unless it uses Scope Enforcement -

My organization typically uses the Full HECVAT (depending on the information involved), but I get the impression from vendors and institutions are okay with the Lite. I always tell people that with some googling they can find other vendors' HECVATs and since many people have similar infrastructure and practices, those provide a good model.

0 Kudos


I would recommend working with the Partnership team. This way you can ensure your product is in compliance. They also offer LTI Advisory Support Services.

Thanks! I reached out to the team today.
0 Kudos