Robert28
Community Member

grant_type=client_credentials


Brand new to Canvas REST API development.

Noticing client_assertion_type, client_assertion, and scope are all required parameters with grant_type=client_credentials via https://canvas.instructure.com/doc/api/file.oauth_endpoints.html#post-login-oauth2-token

Is there a way to use 'grant_type=client_credentials' in a Canvas REST API application without also developing an LTI application?

 

3 Replies
matthew_buckett
Community Contributor

Yes. You can develop something to talk to the Canvas REST API without having any LTI integration.

You need to have an API developer key created and enabled in the Canvas service you are wanting to make API calls against, but then you should be able to use the developer key to request tokens for people using your application.

If you don't have a token for a user and send them to Canvas to get one, they will be asked to log in (if not already) and then prompted to grant your developer key access to their account. If they do, then you will get an access token back related to their account. You can then use this token in API calls to Canvas, and all permission checks in Canvas will be done as the user who granted you the token.

LTI is often used if you want to embed an application in Canvas (so the start point for users using the application is Canvas), but then some LTI applications will then ask for an OAuth2 token so that API calls can be made to Canvas.

You can't use JWT tokens issued by an LTI 1.3 developer key for the main Canvas API, just the LTI service endpoints (these are listed as LTI Advantage Services in the developer key):

I've probably missed some.

One other thing is you can use Canvas as an identity provider for login to your application using OAuth2 and a scope=/auth/userinfo. If you want them to log in with Canvas and then be able to make API calls on behalf of them, you will need first to use the /auth/userinfo scope and then request API access from them afterwards.
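The user-granted token flow described in the reply above, as an added example that is not code from the thread or from Canvas: it builds the authorization redirect, checks the callback's `state` before accepting the code, and prepares the server-side token exchange. The host name, developer key ID and redirect URI are constructed placeholders; the `/login/oauth2/auth` and `/login/oauth2/token` paths are those of the Canvas OAuth endpoint documentation linked in the question.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

CANVAS_BASE = "https://canvas.example.edu"               # constructed Canvas host
CLIENT_ID = "10000000000001"                             # constructed developer key ID
REDIRECT_URI = "https://app.example.org/oauth/callback"  # constructed redirect URI

def new_state():
    """Unguessable per-session value that ties the callback to the browser that started it."""
    return secrets.token_urlsafe(32)

def build_authorize_url(state):
    """Step 1: URL the user is sent to so they can log in and grant access."""
    query = urlencode({"client_id": CLIENT_ID, "response_type": "code",
                       "redirect_uri": REDIRECT_URI, "state": state})
    return f"{CANVAS_BASE}/login/oauth2/auth?{query}"

def parse_callback(callback_url, expected_state):
    """Step 2: validate the redirect back from Canvas and return the one-time code."""
    params = parse_qs(urlparse(callback_url).query)
    if "error" in params:  # e.g. the user declined the grant
        raise PermissionError(f"grant refused: {params['error'][0]}")
    state = params.get("state", [""])[0]
    # Constant-time comparison on bytes; a mismatch means a forged or stale callback.
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback does not belong to this session")
    code = params.get("code", [""])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    return code

def build_token_request(code, client_secret):
    """Step 3: URL and form body for the token POST, made from the server only."""
    body = {"grant_type": "authorization_code", "client_id": CLIENT_ID,
            "client_secret": client_secret, "redirect_uri": REDIRECT_URI,
            "code": code}
    return f"{CANVAS_BASE}/login/oauth2/token", body

def api_headers(access_token):
    """Step 4: send the token in a header so it stays out of URLs and access logs."""
    return {"Authorization": f"Bearer {access_token}"}
```

Load the developer key secret from the environment or a secrets manager rather than source code, and store the returned access token server-side against the user's session.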

Can this also be used for 'machine to machine' flow (no active user action or Canvas manual login needed)?

matthew_buckett
Community Contributor

Normally for machine to machine access we create a user account for the external application and then manually generate a long-lived token for the application to use: https://community.canvaslms.com/t5/Admin-Guide/How-do-I-manage-API-access-tokens-as-an-admin/ta-p/89

Canvas doesn't support the client_credentials flow to issue tokens for machine to machine API use as far as I'm aware.