cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cpoole2256
Community Participant

OAuth Dance for Offline Game without Redirect URL

Hello Canvas Developers!

My team is producing an offline education game using the Unity game engine and we want to include Canvas functionality. Unity allows us to export a WebGL version of the game as an HTML page which we plan on having schools download and place in the course folders. Once there, the HTML page will automatically open and allow playing of the game in the browser without any server on our part. One problem: I noticed when researching the OAuth dance, you need a redirect URL which is where the user is send after they authenticate but its also where Canvas sends a code needed to finish the authentication. Because we're storing our game inside Canvas itself and we want to do this without any servers on my team's side, we were wondering how we should go about completing this part of the dance. Does that first GET command simply retrieve the code for our app anyway?

(We can't test it right this moment because our Canvas instance isn't set up but I'm just conducting research to make sure what we want to do can be done)

Thanks for the help!

-Christopher Poole###

0 Kudos
5 Replies
pklove
Community Champion

For applications without a web sever ("native apps" in the Canvas doc), you can use urn:ietf:wg:oauth:2.0:oob as the redirect_url.. The redirect then goes to a page on the Canvas server with a URL like:

   .../login/oauth2/auth?code=047f524c6b1d8bd6522670....

The user can then copy the code and insert it into your non-server application.  The application can then get the token.

The main issue is having clear instructions to the end user about getting the code from the URL and putting it into your application.  It would be nice if Canvas would put the code on the actual web page with some sort of instructions.

BTW, for testing its easy to fire up a slightly old, but adequate, AWS AMI, or more recent versions at Bitnami.

pklove
Community Champion

BTW, how will you application make the OAuth/API calls? Files are served off a different server (e.g., https://cluster41-files.instructure.com/...), so if its via the browser with JavaScript XMLHttpRequest then you will probably run into CORS issues.

cpoole2256
Community Participant

We'll be using Unity so the programming itself is done in C# and the HTTP calls are done using a library function provided by Unity itself. Unity can then export to WebGL. I would assume that the library function Unity provides would work with one of its standard export methods but I should definitely test that just to make sure. If it doesn't we can always export to a .exe and do it that way (I just wanted to do the WebGL export so it will play in the browser and not force students to download anything). Within the test environment Unity provides we've already successfully sent API GETs for manually generated access tokens. 

cpoole2256
Community Participant

Thanks for the reply! That really sucks that they've got to pull the code out of the URL... I can pretty easily provide instructions on how to get that code but can't they just provide a default redirect that displays the code on the page itself? You'd think that would be a pretty basic function...

pklove
Community Champion

It would be nice if it was built-in and if you could have instructions for both Authorise and Cancel.  These could be in the Key Settings.

Given we don't have this, its easy enough to put something on some server yourself (e.g., redirect_uri=https://canexa.netkno.nz/show_code), you just need to add the URL to the key's Redirect URIs.