dkerr
Community Participant

Server-to-Server OAuth2

In a previous post, I mentioned that I am attempting to build an external application that is capable of pushing grades from the application to the Canvas gradebook. I have successfully set up the grade push using the Canvas API, so grades for corresponding assignments are being added to the gradebook for a specified user.

However, from the start of development, I've been using a manually generated access token created within an Admin account in Canvas. Of course, hard-coding this access token into my code would not be acceptable, since this would result in a security risk. After going through the OAuth2 section of the API docs and attempting to implement, it seems that the OAuth2 API only supports user login through a redirect to the Canvas login page. Instead, I'm hoping to find some way to authenticate the server running the application that I am building, so that the server can request/use an access token and send API requests without having to redirect to the Canvas login page and provide a user login/password combination.

In other APIs, I've noticed mention of service accounts (e.g. Google) and resource owner password credentials. Does anyone know if this is possible with the Canvas implementation of OAuth2, and if so, how would I go about authenticating the application server directly?

Thanks!

8 Replies
mcarruth
Community Contributor

I built an external testing engine that has common tests/quizzes the deans want in courses. I used an LTI connection that uses shared keys and secrets and generated OAUTH tokens in that manner. The grades on each quiz/test are pushed back to Canvas from my external app.

dkerr
Community Participant

When you say shared and secret keys, do you mean the developer keys that can be generated within an account in Canvas?

mcarruth
Community Contributor

No, the consumer key and shared secret are generated outside of Canvas. When the app is added to Canvas, the Consumer Key and Shared Secret are added.

dkerr
Community Participant

Thanks a lot for your responses, mcarruth

Ah, those keys. I have those set up and am receiving several OAuth parameters when transferring to my external tool via LTI. I'm just a bit confused about how you're generating OAuth tokens. From what I believed, I thought that access tokens could only be generated through the API.

How did you go about using these keys to create an access token that allowed you to make calls to the API as an admin?

mcarruth
Community Contributor

@dkerr,

Please see Canvas course Course Modules: Canvas Dev and Friends

LTI Activity 2: talks about the signature verification

Good info for PHP and LTI tools. 

OSCELOT Projects > Projects > Basic LTI Tool Provider class for PHP > Home

One of the files in this project is OAuth.php. It contains the classes needed for OAuth.

dkerr
Community Participant

Thanks, Martin. I'll take a look at those links and try to work out a solution.

dkerr
Community Participant

Martin,

After going through the lesson on Canvas Dev & Friends, I'm still a bit confused as to how to create an access token with the oauth data and using it with the API. I'm successfully receiving the oauth_consumer_key, oauth_signature_method, oauth_timestamp, oauth_nonce, oauth_version, and oauth_signature. Also, accessing the external tool through an LTI link from Canvas is working correctly.

How are you combining this oauth information that's provided over LTI to generate an access token that can be used to interact with the API? Thanks

mcarruth
Community Contributor

@dkerr

I am not using the token generated through the LTI to interact with the API. I am using the token to allow the LTI app to pass grades to the Canvas grade book. This is part of the LTI specifications, not the Canvas API specifications.

The tokens generated through LTI interaction do not give rights to Canvas API calls. If you want to make Canvas API calls, from within the LTI app you will need a developer key. Getting Started With The Api: Canvas Dev and Friends. The developer key allows you to create tokens for users other than yourself so that the app can run in the context of the user accessing the LTI.

An example of accessing the Canvas API from within an LTI app is CanvaBadges: GitHub - whitmer/canvabadges (this code is in Ruby). The LTI key and secret are used to establish the secure connection to the server and access from the app. A developer key is needed for the application. The application uses the developer key to generate OAUTH tokens based on the user that is accessing the badge to verify badge prerequisites in Canvas.
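
The oauth_* fields listed earlier in the thread are an OAuth 1.0 signature over the LTI launch request, which the tool checks with the shared secret; they are not a Canvas API access token. The following Ruby sketch of that check is an added example, not code from any post in this thread or from the projects linked above. The key, secret, URL and launch values are constructed placeholders, and it assumes HMAC-SHA1 and a launch URL with no query string.

```ruby
require 'openssl'
require 'base64'
require 'set'

# RFC 3986 percent-encoding as OAuth 1.0 requires (only unreserved chars pass).
def pct(str)
  str.to_s.b.gsub(/[^A-Za-z0-9\-._~]/) { |c| format('%%%02X', c.ord) }
end

# Recompute oauth_signature over METHOD & URL & sorted, encoded parameters.
def lti_signature(method, url, params, secret)
  pairs = params.reject { |k, _| k == 'oauth_signature' }
                .map { |k, v| [pct(k), pct(v)] }.sort
  query = pairs.map { |k, v| "#{k}=#{v}" }.join('&')
  base = [method.upcase, pct(url), pct(query)].join('&')
  # An LTI 1.1 launch has no token secret, so the HMAC key is "<secret>&".
  mac = OpenSSL::HMAC.digest(OpenSSL::Digest.new('SHA1'), "#{pct(secret)}&", base)
  Base64.strict_encode64(mac)
end

# Compare without returning early on the first differing byte.
def secure_eq(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

SEEN_NONCES = Set.new # in-memory replay cache; a real tool needs a shared store

def valid_launch?(method, url, params, secrets, now: Time.now.to_i, max_skew: 300)
  key = params['oauth_consumer_key']
  secret = secrets[key]
  return false unless secret && params['oauth_signature_method'] == 'HMAC-SHA1'
  return false if (now - params['oauth_timestamp'].to_i).abs > max_skew
  expected = lti_signature(method, url, params, secret)
  return false unless secure_eq(expected, params['oauth_signature'].to_s)
  !SEEN_NONCES.add?("#{key}:#{params['oauth_nonce']}").nil? # false on replay
end

# Constructed sample launch (placeholder key, secret and URL, not Canvas data).
SECRETS = { 'demo-key' => 'demo-secret' }.freeze
LAUNCH_URL = 'https://tool.example/launch'
launch = { 'oauth_consumer_key' => 'demo-key', 'oauth_signature_method' => 'HMAC-SHA1',
           'oauth_timestamp' => Time.now.to_i.to_s, 'oauth_nonce' => 'nonce-1',
           'oauth_version' => '1.0', 'user_id' => 'abc 123' }
launch['oauth_signature'] = lti_signature('POST', LAUNCH_URL, launch, SECRETS['demo-key'])
puts valid_launch?('POST', LAUNCH_URL, launch, SECRETS) # first presentation
puts valid_launch?('POST', LAUNCH_URL, launch, SECRETS) # same nonce again
```

The nonce is recorded only after the timestamp and signature checks pass, so unsigned or stale requests cannot fill the replay cache.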