Hello,

Our team is developing an application that will pull a user's Calendar Events to a page, then display them through an API key in our instance's developer keys. To authenticate, we plan on using the user's credentials to piggyback the API call via: https://canvas.instructure.com/doc/api/file.oauth_endpoints.html#get-login-oauth2-auth

The issue with this way is that each time the call is made, Canvas asks to authorize the application each time. We are able to store the token locally for each user, but the current timeout requires them to either utilize the functionality in the app more than once an hour, or their token expires and then they have to do the authorize flow again.

What are some ways we can either increase the token expiration timeout default, cache the authorization selection (user selects authorize, and the app/Canvas recognizes this selection henceforth), or some other method?

One way we thought to bypass this using our institution's Azure SSO to authenticate with JWT, then pass those credentials to Canvas. However, we are not sure how to implement the scope as part of the API call since it is required via client_credentials: https://canvas.instructure.com/doc/api/file.oauth_endpoints.html#post-login-oauth2-token 

In addition, we wondered if this would work as an LTI, but not entirely certain whether this was best practice.

In short, we are a little lost and would appreciate any guidance if anyone has had to tackle a problem similar to this. Any suggestions are welcome.

Thank you,

Cody Zehner