ankur_gupta
New Member

Global token generation for all instructors


How can I generate a token globally so that all the teachers (instructors) will be able to use it for integration?

A token was provided to me by an instructor, but I have a doubt: if someone else wants to use the same token for integration, will he be able to use it?

Do I need to ask the administrator for this type of token generation so that all the teachers can do synchronization with the same token?

1 Solution

Accepted Solutions
garth
Community Champion

@ankur_gupta I have been on the road, sorry for the late response.

Honestly, I am not sure what type of application you are creating.

LTI Approach

I have worked on an internal LTI app to do something similar to what you have described.

So the LTI application authenticates to Canvas using the token for the "bearer" value in the request header.

Then you masquerade as the user to allow Canvas to enforce the Canvas privileges applied to that user.

Take a look at this document regarding masquerading: Masquerading - Canvas LMS REST API Documentation

Specifically the as_user_id parameter.

Stand-Alone Approach

If you are creating your own completely stand-alone app, you want to follow the OAuth2 path.

Take a look at the documentation here: OAuth2 - Canvas LMS REST API Documentation

I hope this helps.

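Added example, written for this thread and not code from the original posts or from Instructure: the two approaches garth describes, in Python. It builds the requests without sending them, so it runs offline; the Canvas host, client id, token, user ids and course id are made-up placeholders. The `Authorization: Bearer` header, the `as_user_id` masquerade parameter and the `/login/oauth2/auth` and `/login/oauth2/token` endpoints are the ones in the Canvas REST API documentation linked above; everything else (function names, the state check, the log redaction) is this example's own design.

```python
"""LTI approach (one integration token + as_user_id masquerading) and
stand-alone approach (OAuth2 authorization code flow) against the Canvas API.

Added example for the forum thread above; not code from the thread or from
Instructure.  Hosts, ids and secrets below are constructed placeholders.
"""
import hmac
import secrets
import urllib.parse
import urllib.request

API_PREFIX = "/api/v1/"


def canvas_request(base_url, token, path, params=None, as_user_id=None,
                   method="GET", form=None):
    """Build (not send) a Canvas REST API request.

    The access token is used only by the app itself, in the Authorization
    header; instructors never see it.  Passing as_user_id makes Canvas apply
    the masqueraded user's privileges, so one token still yields per-user
    enforcement and an audit trail of who did what.
    """
    query = dict(params or {})
    if as_user_id is not None:
        # Canvas accepts a numeric id or an SIS id such as "sis_user_id:jdoe".
        query["as_user_id"] = str(as_user_id)
    url = base_url.rstrip("/") + API_PREFIX + path.lstrip("/")
    if query:
        url += "?" + urllib.parse.urlencode(query)
    body = urllib.parse.urlencode(form).encode() if form else None
    req = urllib.request.Request(url, data=body, method=method)
    req.add_header("Authorization", "Bearer " + token)
    return req


def new_state():
    """Unguessable per-login state, stored in the session before redirecting."""
    return secrets.token_urlsafe(32)


def oauth2_authorize_url(base_url, client_id, redirect_uri, state):
    """Stand-alone approach, step 1: send the instructor's browser here."""
    params = {"client_id": client_id, "response_type": "code",
              "redirect_uri": redirect_uri, "state": state}
    return base_url.rstrip("/") + "/login/oauth2/auth?" + urllib.parse.urlencode(params)


def state_matches(expected, received):
    """Constant-time check that the echoed state is the one we issued (anti-CSRF)."""
    return hmac.compare_digest(expected, received or "")


def oauth2_token_request(base_url, client_id, client_secret, redirect_uri, code):
    """Step 2: exchange the callback code for a token scoped to that user only."""
    form = {"grant_type": "authorization_code", "client_id": client_id,
            "client_secret": client_secret, "redirect_uri": redirect_uri,
            "code": code}
    return urllib.request.Request(base_url.rstrip("/") + "/login/oauth2/token",
                                  data=urllib.parse.urlencode(form).encode(),
                                  method="POST")


def describe_request(req):
    """Log-safe one-liner: the bearer token is a username and password in one string."""
    shown = "Bearer <redacted>" if req.get_header("Authorization") else "(none)"
    return f"{req.get_method()} {req.full_url} Authorization: {shown}"


def query_params(url):
    """Helper: query string of a URL as a dict (first value per key)."""
    return dict(urllib.parse.parse_qsl(urllib.parse.urlsplit(url).query))


def form_fields(req):
    """Helper: url-encoded POST body of a request as a dict."""
    return dict(urllib.parse.parse_qsl(req.data.decode()))


if __name__ == "__main__":
    base, token = "https://canvas.example.edu", "placeholder-token"   # constructed

    # LTI approach: create an assignment as the launching user (id 1234).
    r = canvas_request(base, token, "courses/42/assignments", as_user_id=1234,
                       method="POST", form={"assignment[name]": "Quiz 3"})
    print(describe_request(r))

    # Stand-alone approach: each instructor authorises the app with OAuth2.
    st = new_state()
    print(oauth2_authorize_url(base, "10000000000001", "https://app.example.com/cb", st))
    print(describe_request(oauth2_token_request(base, "10000000000001", "client-secret",
                                                "https://app.example.com/cb", "code-from-cb")))
```

With the LTI approach the token's owner must hold the Canvas permission that allows masquerading, and the token should be dedicated to this one integration so it can be revoked on its own; with the OAuth2 approach each instructor ends up with their own token and nothing shared is ever typed into the app.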

9 Replies
kona
Community Coach

Due to the technical nature of this course I'm going to share this with the Canvas Developers group in the community. Hopefully they will be able to help.

garth
Community Champion

You could create an admin account at the top-level account, then generate a token using that account and share it with the faculty. However, anything faculty do using that token will be done as that account, meaning there is no accountability, no way to know who did what, if that is a concern.

At the very least, I would create a token specific to the integration. This way I could kill a single token if necessary without affecting all integrations. I would not recommend using a single global token for ALL integrations; that is not a best practice with respect to security.

James
Community Champion

I thought that I had read somewhere that your first suggestion is actually against the terms of service, but I couldn't find it when I went looking for it. Maybe I was thinking about "Note that asking any other user to manually generate a token and enter it into your application is a violation of Canvas' terms of service." OAuth2 - Canvas LMS REST API Documentation. I stressed over that line with the Google Sheets I had written, but relied on the next line that talked about "Applications in use by multiple users MUST use OAuth to obtain tokens" and decided that since people are making their own copy and using it themselves, it wasn't an application in use by multiple users.

Anyway, the warnings you provide against it are good, even if it's not against the TOS. I would go one farther -- the token generated by the admin account would allow anyone who had that token access to do anything that can be done, basically everyone who had it would be an admin. It would be much better to write an application that used the token rather than sharing the token with people - that token is an account name and password rolled into one string and should be protected as such.

garth
Community Champion

@James well said.

Security should always be at the forefront of our design efforts, I like the way you think ; )

Hi Garth,

Thank you for your reply. I am only allowing instructors to synchronize the grades of students using a token. So any instructor logging in to our platform will not be able to use that token for anything else. So no security issue.

Well, if we consider for a second that this is not the right way to do this, can you point me to the appropriate document for doing it? I just want anyone coming into our platform using LTI to be able to synchronize grades into his Canvas account.

James
Community Champion

Either you're not clearly describing what you're attempting to do or you don't understand security.

If you are talking about the "access token" generated by going to Account > Settings > New Access Token, then you would have to create a special account role and make sure that the only thing enabled for that role is the ability to synchronize. Then you would have to log into that role or masquerade as a special user designed for just that role so that they had no other permissions and generate the token.

Except that if you only allow the ability to synchronize grades, you may not get the other things that you need to do what you want to do and so you start opening things up and then pretty soon there's an admin account and you can't give code away to individual users. You might check out the Canvas Account Role Permissions descriptions.

Anyway, you cannot share that code with people and ask them to put it into the system somewhere. Even though you think you're only allowing them to do one thing, with that token, they can do anything that role can do through the API. And when you enabled all those features to get it to do what you want it to do, then you opened up a huge security hole if you go passing around that access token to people.

However, I think your last paragraph is beginning to more clearly get at what you're trying to accomplish and that can help people prescribe a better approach.

If all your LTI needs to do is pass grades back to Canvas then you don't have to do anything with access tokens. That functionality is already built into LTI. I wrote some code that had students fill out an evaluation form after a presentation, compute everyone's grades, and then pass those grades back into Canvas. I didn't need access tokens or anything to do that.

If your LTI needs to create assignments or access information from within Canvas, then it gets a bit tougher. I'm not sure what all is involved in this case, so maybe someone else can chime in.

I do know that we installed Pearson's MyLabs & Mastering at the account level. Then the teacher added it to the course navigation menu. At some point in the integration process, we logged into MyLabs and authorized them to access Canvas on our behalf (probably using OAUTH, but it's been so long I don't remember). They could create assignments and transfer grades into Canvas. The integration was (when I used it in June 2015) terrible and I ended up manually transferring the chapter totals back into Canvas, but we still used it for the single-sign-on capability. But I think the big picture is that when they add the LTI to their course, that you do an OAUTH request and that's how you get access to their accounts. You definitely don't ask them for access tokens. Each instructor signs off when they install the LTI.

You might be able to do something similar at the account level and have an admin perform the initial login. They might give you an account on the system and let you do your thing. But asking someone to put their token into your application seems to be a violation of the terms of service.

ankur_gupta
New Member

I am working on an application which will be used to create and update assignment grades in Canvas. Since assignment creation was involved, I asked the admin to provide a token so that I could use it to do these tasks. I understand what James Jones said; I keep that token in my application, and this may not be a good practice.

The admin does not have to share the token with all teachers, and I am providing only 2 functions to the user, that is, creating assignments and updating grades.

Until now I have been able to do it with the method I explained.

Please let me know the best practice if keeping the token is not the right way to do it.

Also, there is another administrator who has provided me an account for testing purposes, and using this account I have created a token. But when I use this token for calling the user/profile API, it gives me the error "user not authorized to perform this action."

Can anyone tell me what permission I should ask the administrator to set (in the account provided to me) so that I will be able to call this API too?

Hi Garth,

I am not going to ask the admin to share the token with any teacher or teaching assistants. I am keeping the token in my application for creating assignments and updating their grades. Can you suggest what else I can do?
