Oauth2 access token and scope=/auth/userinfo

Community Participant

Hi Folk,

Could anyone explain the meaning of the highlighted part in this document (https://canvas.instructure.com/doc/api/file.oauth.html#oauth2-flow-1)

Your application can rely on canvas for a user's identity. During step 1 of the web application flow below, specify the optional scope parameter as scope=/auth/userinfo. When the user is asked to grant your application access in step 2 of the web application flow, they will also be given an option to remember their authorization. If they grant access and remember the authorization, Canvas will skip step 2 of the request flow for future requests.

346118_Screen Shot 2020-04-27 at 11.22.14 AM.png

My understanding of the checkbox is that it will remember the authorization for this user. However, when I added “scope=/auth/userinfo” to my step 1 request, this checkbox showed on the authorization page and I checked the box.  But even though I checked this box, Canvas still did not remember anything.

I have tried the following workflow:

  1. Called initial /login/oauth2/auth  with “scope=/auth//userinfo”
  2. In the return URI , called /login/oauth2/auth again without “scope=/auth/userinfo”
  3. Extracted the code from the response of the second call of /login/oauth2/auth, then used the code to request the access_token.


From the above workflow, I could get the access_token back, but I have been prompted TWICE for the authorization. The above confirm page showed up twice. I was hoping Canvas would remember the user's authorization. There won't be any new authorization prompt after step 1 or any future request.

Please shed some light.

Thank you!


Labels (1)