Community Help

molshausen · ‎12-12-2024

Earlier this year, my boss turned on the option to block non-admin users from generating access tokens. Recently, we've looking through the list of user-generated access tokens associated with student accounts and exploring how and whether to delete them. My first question is, what are some possible uses for those tokens, legitimate or otherwise? The tokens I've generated myself have generally been for the purpose of API calls.

Secondly, I'm looking for tips on how to delete 90-odd access tokens at once. I see that the API only permits me to delete them one by one, so I assume I would have to develop some sort of script for this.

Thanks!

stimme

If you have the user ID and token ID for the access tokens to delete, you can write a script to loop through and delete them with the access token deletion endpoint (https://canvas.instructure.com/doc/api/access_tokens.html#method.tokens.destroy). For these simple lists, I like a BASH approach. Here's a sample.

#!/bin/bash
# This script is fairly simple. Edit the variables to set the server,
# log file name, and feed file name (add paths as needed).
# The feed file should just be plain text with the numerical Canvas 
# user ID and the numerical token ID on each line.
# Environmental variables are often where the script user's API token 
# is stored. Edit the variable name in the curl line or uncomment the 
# canvasAPItoken variable below and paste in your admin API token.

# VARIABLES - Adjust values and save file as.
canvas_domain="institution.beta.instructure.com" #It is always a good idea to test again Beta first.
log_file="user_token_deletion_log.txt"
feed_file="user_token_deletion_feed.txt"
#canvasAPItoken=""

# Loop through lines in feed file. Append to log file.
while read user_id token_id
do
echo "$user_id $token_id"
response=$(curl -s -S "https://$canvas_domain/api/v1/users/$user_id/tokens/$token_id" -X DELETE -H "Authorization: Bearer $canvasAPItoken")

echo "$(date +'%H:%M:%S') $user_id $token_id $response" >> $log_file

done < $feed_file

View solution in original post

NoahBoswell

Hi @molshausen ,

Thanks for posting on the Instructure Community!

While I cannot provide tips on creating scripts for deleting 90 access tokens all at once, I can provide some advice for your first question. When it comes to the use of access tokens, I usually see them used for things such as allowing users to access external apps, and other things by Canvas.

For example, at my high school, there are access tokens set-up for apps such as Kami, Google LTI, Canvas for iOS and even to the Canvas Training Portal. We also have additional ones for Office 365, as well as Canvas Commons.

Access tokens are usually very private and sensitive information, so you'll want to ensure that before deleting anything, you don't need any of the information that it has, as once the token is gone... it's likely going to be gone gone and you will not be able to retrieve any information off of it.

I hope this helps a little bit! Reach out with any additional questions.

Best,
Noah

molshausen

Thanks, Noah. To clarify, I'm talking about tokens that the user has generated manually, not ones that have clear associations with external apps. We are exploring deleting the former for security reasons.

stimme

If you have the user ID and token ID for the access tokens to delete, you can write a script to loop through and delete them with the access token deletion endpoint (https://canvas.instructure.com/doc/api/access_tokens.html#method.tokens.destroy). For these simple lists, I like a BASH approach. Here's a sample.

#!/bin/bash
# This script is fairly simple. Edit the variables to set the server,
# log file name, and feed file name (add paths as needed).
# The feed file should just be plain text with the numerical Canvas 
# user ID and the numerical token ID on each line.
# Environmental variables are often where the script user's API token 
# is stored. Edit the variable name in the curl line or uncomment the 
# canvasAPItoken variable below and paste in your admin API token.

# VARIABLES - Adjust values and save file as.
canvas_domain="institution.beta.instructure.com" #It is always a good idea to test again Beta first.
log_file="user_token_deletion_log.txt"
feed_file="user_token_deletion_feed.txt"
#canvasAPItoken=""

# Loop through lines in feed file. Append to log file.
while read user_id token_id
do
echo "$user_id $token_id"
response=$(curl -s -S "https://$canvas_domain/api/v1/users/$user_id/tokens/$token_id" -X DELETE -H "Authorization: Bearer $canvasAPItoken")

echo "$(date +'%H:%M:%S') $user_id $token_id $response" >> $log_file

done < $feed_file

molshausen

Thank you, Stimme, I'll give this a shot.

Deleting user-generated access tokens

Admin

Is There A Discord For Canvas?

New Submissions Override Comments on Prior Submiss...

Parent is unable to scroll in the Canvas Parent Ap...

Is there a way to export all the attempt a student...

Automatically apply grade for missing submissions ...

Is There A Discord For Canvas?

Documentation for the Ally Course Accessibility Re...

Get New Quiz answers submissions

New Submissions Override Comments on Prior Submiss...

Changing module items after a student has begun wi...

You're signed out

Deleting user-generated access tokens

Community Help

View our top guides and resources: