Community Help

glparker · ‎10-18-2022

Good Morning,

We are building more apps for our environment, and only for our environment. In the past we had included Oauth into our apps so that the API calls were made with the privileges of the teacher/students using the app. However, managing Oauth tokens is a bit tedious. I'm considering just using an admin token and API Scoping for our new application, and removing the overhead of managing Oauth tokens.

What are some other pros and cons of using Oauth and the complications it brings for a 1st-party, in-house developed application that will never leave our borders. Are there other glaring security concerns I'm overlooking using an admin token in our app vs Oauth tokens?

matthew_buckett · ‎10-18-2022

OAuth tokens have the benefit that you can never do anything the current user shouldn't be able to do (assuming you manage your tokens correctly) as Canvas will enforce the permission checks. Using an admin token (even if you give it a custom role) means that it's up to you as an application to ensure that you do things correctly. The audit trail will also show all the actions as happening using the admin user, although using the `as_user_id` parameter (https://canvas.instructure.com/doc/api/file.masquerading.html) does help here.

Depending on the applications one concern might be the rate limiting as using an admin token means they are all rate limited by the same rate limit bucket, whereas with OAuth granted tokens each user gets their own bucket use (https://canvas.instructure.com/doc/api/file.throttling.html).

We've extracted out the handling of OAuth tokens to a service that sits in between applications and Canvas. This has 2 benefits:

Firstly is means the applications themselves don't have to store OAuth tokens as this handled by the service.
Secondly it allows for pure frontend applications without a server-side component as we've enabled CORS on this service and allow LTI JWTs to authenticate requests to the service and thereby make requests to Canvas.

We're looking at open sourcing this service if it's of interest.

Out of interest what sort of applications have you built?

glparker · ‎10-18-2022

Hi Matt,

Thanks for the thoughts, I had forgotten that bit about throttling buckets per Oauth token vs a single admin token. I don't think it's necessarily a deal breaker, but we'll consider it's implications.

Regarding your Oauth server, would love to see it.

Regarding our own apps.
- We have a grading app that let's teachers select one of their canvas gradebook columns, transform those percentages to letter grades, and submit them to the SIS for end of semester recording
- An app for reporting first day of class attendance, which automatically drops students from the class in the SIS if marked absent, freeing up seats for waiting students
- An app for letting users with large course lists quickly remove themselves from ones they no longer need
- An app for teachers sending student concerns to various places, one for mental health, one for academic issue, one for instances of academic integrity
- A Photo Roster that shows list of students and their ID card photo
- A Course completion app that sits behind a Canvas quiz prerequisite. When the student completes the quiz and then clicks into the page with this app, the student sees a congratulations message, but various things are also triggered from the server. Such as sending emails to one or more people letting them know about the completion so they can take next steps, updating the SIS with certain non-course attributes, emailing the student a receipt of completion.

Thanks Again

Glen

matthew_buckett · ‎10-19-2022

I'll drop a note on the Canvas Community when we've hopefully got it available. Along with it is an LTI Server that allows pure static HTML/JS pages to act as LTI tools, this works well with the proxy server and is hopefully also being open sourced.

That's a nice list of tools and are the sorts of nice integrations that make Canvas feel much more integrated into a educational institution, it sound like some of them might be of interest to other institutions. Are any of them available?

Most of our tools are built using Instructure UI (https://instructure.design/) with React and where they need to have a Java backend. We've currently got some bits available on GitHub under: https://github.com/oxctl

Pros/Cons of Oauth for in-house 1st-party apps

OAuth2

security

Canvas api/file end point issue : file size NULL

Copying/Updating Start Here Module

Using Canvas API to get assignment Calendar Events...

Finding the Login URL for a Student

Unable to Publish course - backend issue

Creating and Editing Assignments with Plagiarism R...

Canvas api/file end point issue : file size NULL

Announcements API not getting all announcements?

Copying/Updating Start Here Module

Account Role Permissions

You're signed out

Pros/Cons of Oauth for in-house 1st-party apps

Community Help

View our top guides and resources: