Community Help

Jsinco · ‎11-08-2024

So for context I’m a student and I’m building an application which allows users to receive reminders and view their own course information. I don’t have access to any kind of admin account and for OAuth2 I need a client_id and client_secret which are can only be created by admins on Canvas. Additionally, from my understanding, the client_id and client_secret are institution specific which makes this even more unfeasible for me.

It really seems like the only way I could get my application to work the way I want is to use API keys, but doing so is inconvenient for the end user and also against Canvas’ API policy.

Anyone have any idea on what I should do?

Some related posts:

https://community.canvaslms.com/t5/Canvas-Developers-Group/Get-an-OAuth-client-ID-as-a-student/m-p/5...

https://community.canvaslms.com/t5/Canvas-Developers-Group/Asking-users-to-generate-an-access-token/...

chriscas · ‎11-08-2024

Hi @Jsinco,

If you're trying to make an app for people other than yourself to use, I do believe OAuth2 is the correct route to take if you need to use API calls as other users. As you outlined though, it's not really a flip of a switch to get that to work for all Canvas instances. You would need the admins of each institution (like myself) to create a developer key for their instance and provide it to you. On the school/institution side this will usually involve at least a security audit of your app and possibly some other agreements. This is because you could get access to a lot of data via the API, though sometimes scoping the key can help minimize the risk.

Instructure does have something called an "inherited key" where one key/secret would work for all Canvas instances what enable the particular key. That may simplify coding on your end, but you'd likely face the same review steps for that key to be enabled and I am pretty sure you'd have to pay to become an official Instructure partner to have that option.

Hope this helps a bit. Others may chime in with their opinions or perhaps some options I don't know about as well.

-Chris

View solution in original post

chriscas · ‎11-08-2024

Hi @Jsinco,

If you're trying to make an app for people other than yourself to use, I do believe OAuth2 is the correct route to take if you need to use API calls as other users. As you outlined though, it's not really a flip of a switch to get that to work for all Canvas instances. You would need the admins of each institution (like myself) to create a developer key for their instance and provide it to you. On the school/institution side this will usually involve at least a security audit of your app and possibly some other agreements. This is because you could get access to a lot of data via the API, though sometimes scoping the key can help minimize the risk.

Instructure does have something called an "inherited key" where one key/secret would work for all Canvas instances what enable the particular key. That may simplify coding on your end, but you'd likely face the same review steps for that key to be enabled and I am pretty sure you'd have to pay to become an official Instructure partner to have that option.

Hope this helps a bit. Others may chime in with their opinions or perhaps some options I don't know about as well.

-Chris

OAuth2 for Student Accounts

Admin

All users

Student

Subscribe App to Push Notifications

Canvas plans for supporting LTI 1.3 Platform Notif...

LTI 1.3 - Will this legacy claim "lti11_legacy_use...

Canvas selfhost cannot add answer to quizzes using...

Issues in self-hosted Canvas LMS integrate with Mi...

Subscribe App to Push Notifications

Connecting to external API

Call Canvas API from external application

Custom CSS and JavaScript Documentation

Get HTML body content from ModuleItem type Page wh...

You're signed out

OAuth2 for Student Accounts

Community Help

View our top guides and resources: