User avatar based on institution-hosted photo service

johnjreiser
Community Member

An option for configuring user avatars provided by a remote web service should be made available. ID photos are provided to other SaaS solutions in use by our institution through a web service hosted here. The web service allows ID photos to be retrieved using the student ID number and a hashed value. The hash is composed based off of the student ID and a secret shared between the institution and the vendor. 

A URL could look like the following: 

https://photos.example.edu/photo/FBB37AEB83C86A52AD29551DD2A6212370A358A7/910000000.jpg

The student ID of 910000000 is presented as the filename, with an optional .jpg extension. The hashed value of "FBB37AEB83C86A52AD29551DD2A6212370A358A7" could be calculated like so:

SELECT standard_hash('910000000' || 'CanvasLMSisGreat', 'SHA1') FROM dual;

Where "CanvasLMSisGreat" is the secret value shared between both parties. 

The hashed value asserts that the caller (in this case, Canvas) has the right to retrieve the photo for student 910000000. It also prevents others from iterating over the student ID and retrieving all the photos for the institution. 

URLs with this pattern could then be provided via feed/API or generated by Canvas to then display the individual's ID photograph at the institution.

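The URL scheme described in the post, seen from the photo service's side, as an added example that is not part of the original post and is not Canvas or vendor code. It builds the token as SHA-1 over the student ID followed by the shared secret and checks an incoming request path with a constant-time comparison. The function names, the path pattern and the ASCII encoding are assumptions; the secret, host and ID are the post's sample values.

```python
import hashlib
import hmac
import re

# Sample values from the post; a real deployment loads the secret from a vault.
SHARED_SECRET = "CanvasLMSisGreat"
BASE_URL = "https://photos.example.edu/photo"

# Assumed path layout: /photo/<40 hex chars>/<numeric student ID>[.jpg]
_PATH_RE = re.compile(r"/photo/([0-9A-Fa-f]{40})/([0-9]+)(?:\.jpg)?")
_ID_RE = re.compile(r"[0-9]+")


def photo_token(student_id: str, secret: str = SHARED_SECRET) -> str:
    """Upper-case hex SHA-1 of student ID || secret, the construction in the
    post's standard_hash() query (ASCII encoding assumed)."""
    data = (student_id + secret).encode("ascii")
    return hashlib.sha1(data).hexdigest().upper()


def photo_url(student_id: str, secret: str = SHARED_SECRET) -> str:
    """URL the caller (here, the LMS) would embed as the avatar source."""
    if not _ID_RE.fullmatch(student_id):
        raise ValueError("student ID must be ASCII digits only")
    return f"{BASE_URL}/{photo_token(student_id, secret)}/{student_id}.jpg"


def authorize(path: str, secret: str = SHARED_SECRET):
    """Return the student ID if the path carries the right token, else None."""
    m = _PATH_RE.fullmatch(path)  # rejects extra segments, other extensions
    if m is None:
        return None
    presented, student_id = m.group(1).upper(), m.group(2)
    expected = photo_token(student_id, secret)
    # Constant-time compare so response timing does not leak token prefixes.
    if hmac.compare_digest(presented, expected):
        return student_id
    return None


if __name__ == "__main__":
    url = photo_url("910000000")
    print(url)
    path = url[len("https://photos.example.edu"):]
    print(authorize(path))                                   # valid request
    print(authorize(path.replace("910000000", "910000001")))  # ID swapped
```

Because the token depends only on the student ID and the secret, it is identical on every request, so a URL that has been issued stays valid until the shared secret is rotated.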