New Member

OAuth2 server side


I am working on a single page app for a client (JS front end, talking to a .NET Core 2.1 Web API). This web API communicates with the Canvas API to, let's say, create a simple Dashboard.
Now, this is all great in the current (dev) state: as a user comes into the app, they are required to sign in to ADFS, and on successful sign-in I make my web API calls using the user-generated token (requesting info on behalf of the user). All working fine. However...

I have been requested (or it has been pointed out) that for PROD the app will need to utilize OAuth2. I cannot see how this could be achieved; considering the Canvas OAuth2 flow doesn't seem to mention any "server flow" at all; additionally by design (of OAuth), I'd have to present the user with the "acceptance" screen (somewhere within the Sign On flow?), and on success, get the token, store and utilize to communicate with the Canvas API; that is unacceptable in my view. Additionally, this token will only have access to "own" user records only (?), where I might need to make a call on behalf of parent/student scenario.

I also tried, first of all, to test the OAuth2 flow, and since I have an admin account in the "test" instance of the client's Canvas, I created a new "developer key" and successfully tested OAuth2. My guess here would be that since this "admin" user has elevated access, that solves the issue of fetching data with masquerading in mind, yet I have no idea how to solve the need for the OAuth2 flow being handled server side.

Any thoughts?

6 Replies
Community Member

Bump. How can the server be configured to perform admin operations? Someone mentioned creating an LTI app, but they also appear to have the same limitation of only being able to perform operations as the logged-in user... Does generating an access token from an admin account that does not expire and is stored on the server violate the OAuth2 workflow? That is the only way I have seen to make this functionality possible, unless I am forced to make a dashboard that an admin can log into and perform operations manually, but this is not feasible for a large-scale operation.

0 Kudos
New Member

My understanding is that the use of refresh tokens can make a web application have "indefinite API credentials" after the OAuth process has been initially performed. If the application is supposed to establish a server session, then the refresh token will take care of performing API requests on behalf of the user's role. But this assumes that the user is logged into a web application and performing some sort of action inside that web application.

However, you shouldn't store an admin token in plain text anywhere if at all possible. If there's some sort of automated process to be implemented routinely, I don't know how other institutions keep their admin token/credentials safe for automated/routine processes. I think that's what you're asking, right?

0 Kudos

If you were referring to me, my issue is that the documentation says that you must use OAuth2 if you design a service that is used by multiple users; however, I cannot implement the functionality in my server if it depends on the access tokens of users who cannot have admin permissions. I could manually generate an access token in my Admin Account and use refresh tokens, but is this a violation of their terms of service?

0 Kudos
Community Champion

That was me that was referring to you (under a different login). My observation is that it can be risky to store an admin token in plain text for automated processes that use the API, but it is done in our institution by our district IT management if I'm remembering correctly. I wanted to be sure that your need wasn't a web application that needed a session to log in via a Canvas account (OAuth). We need someone more experienced than myself to comment in this question/thread on if/how the OAuth process could be used to kick off a refresh token cycle after performing the original authorization.

I, and it sounds like the OP, have a web server and have already implemented the OAuth workflow, and generating a refresh token would just require sending a POST request.

The issue is whether or not using an admin access token in the web server would violate their terms of service. While I'm only creating a prototype, I'm going to assume that using an admin token is ok until I have evidence it is not because I do not understand how services such as GoFundMe and LMSCheckout can exist if they are not using an admin access token or a "global developer key" mentioned in the Developer Keys page of the API documentation.

I found another post, which makes me think that it is ok -- it is my access token and I am not asking another user for permission. From what I have read, the documentation only says that you cannot request other users to manually generate an access token.

0 Kudos
Community Champion

I was wondering if the app would need an initial OAuth user interaction to store the generated API Key in a safe place, and then just keep using refresh token via the POST requests for ongoing access. If you get this to work, I'd be interested in knowing of your success.
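The server-side refresh cycle that the replies above describe (one interactive authorization, then ongoing POSTs to the token endpoint, with the long-lived refresh token kept out of plain text), as an added example that is not code from the thread or from Canvas. It targets the documented Canvas endpoint POST /login/oauth2/token with grant_type=refresh_token, and appends the documented as_user_id query parameter for masquerading, which only works if the token's owner has that permission in Canvas. Everything else is an assumption for illustration: the class and function names, the injectable `transport` callable that stands in for HTTPS so the logic runs offline, the `clock` parameter, and the constructed fake responses in `demo()`.

```python
"""Server-side Canvas OAuth2 refresh cycle (added example, stdlib only).

Assumptions not taken from the thread: the confidential client has already
completed the one-time browser authorization and holds the resulting
refresh_token; `transport` is an injectable stand-in for an HTTPS POST so the
logic can be exercised offline; `clock` is injectable for the same reason.
"""
import json
import time
import urllib.parse
import urllib.request

TOKEN_PATH = "/login/oauth2/token"  # Canvas token endpoint (documented)
SKEW_SECONDS = 60                   # refresh a minute early; avoids 401s at the boundary


def https_transport(url, form):
    """Real HTTPS POST of a form-encoded body; returns the decoded JSON response."""
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode())


class CanvasTokenClient:
    """Holds one refresh token and hands out short-lived access tokens on demand."""

    def __init__(self, base_url, client_id, client_secret, refresh_token,
                 transport=https_transport, clock=time.time):
        self.base_url = base_url.rstrip("/")
        self.client_id = client_id
        self.client_secret = client_secret  # developer key secret: keep out of source control
        self.refresh_token = refresh_token  # long-lived: store encrypted at rest, never log it
        self.transport = transport
        self.clock = clock
        self.access_token = None            # only ever held in memory
        self.expires_at = 0.0

    def refresh(self):
        """POST the refresh grant and cache the returned access token with its expiry."""
        form = {
            "grant_type": "refresh_token",
            "client_id": self.client_id,
            "client_secret": self.client_secret,
            "refresh_token": self.refresh_token,
        }
        body = self.transport(self.base_url + TOKEN_PATH, form)
        self.access_token = body["access_token"]
        # expires_in is seconds from now; assume 3600 if the server omits it
        self.expires_at = self.clock() + int(body.get("expires_in", 3600)) - SKEW_SECONDS
        # the refresh grant is not expected to rotate the refresh token, so the stored one stays
        return self.access_token

    def get_access_token(self):
        """Return a cached token, refreshing only when missing or about to expire."""
        if self.access_token is None or self.clock() >= self.expires_at:
            self.refresh()
        return self.access_token

    def api_request(self, path, as_user_id=None):
        """Build (url, headers) for an API call; as_user_id masquerades as another user."""
        url = self.base_url + "/api/v1/" + path.lstrip("/")
        if as_user_id is not None:
            # honoured by Canvas only if the token's owner may act as other users
            url += "?" + urllib.parse.urlencode({"as_user_id": as_user_id})
        headers = {"Authorization": "Bearer " + self.get_access_token()}
        return url, headers


def make_fake_transport(calls):
    """Constructed stand-in for the token endpoint: records each form and mints a token."""
    def fake(url, form):
        assert url.endswith(TOKEN_PATH) and form["grant_type"] == "refresh_token"
        calls.append(dict(form))
        return {"access_token": "at-%d" % len(calls), "token_type": "Bearer",
                "expires_in": 3600}
    return fake


def demo():
    """Offline walk-through: one refresh serves many calls until the token ages out."""
    calls, now = [], [1000.0]
    client = CanvasTokenClient("https://example.instructure.com", "dev-key-id",
                               "dev-key-secret", "stored-refresh-token",
                               transport=make_fake_transport(calls), clock=lambda: now[0])
    first_url, first_headers = client.api_request("users/self/courses", as_user_id=42)
    client.api_request("courses")            # served from cache, no second POST
    now[0] += 3600                           # past expires_at, so the next call refreshes
    _, later_headers = client.api_request("courses")
    return first_url, first_headers["Authorization"], later_headers["Authorization"], len(calls)


if __name__ == "__main__":
    print(demo())
```

The design point is that the refresh token never leaves the server and the access token is never persisted: the only secrets at rest are the developer key secret and the refresh token, and those belong in a secrets store (or at least encrypted configuration), not in source or a plain config file. Whether a token minted under an admin account is acceptable under the terms of service is the open question in the thread; the code above is agnostic about whose authorization produced the refresh token.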