Community help

dtod · ‎01-21-2020

Various vendors keep asking me to generate tokens as an admin, or for instructors to generate tokens manually. I have pointed out to them that manually generated tokens are a violation of the Canvas Terms of Service. I realize that we can just choose not to adopt these tools, but I don't feel like I have much of a stick to beat these vendors with. Is there a way to report vendors to Canvas that actually gets results and for them to take this seriously.

themidiman · ‎01-21-2020

I had a bad experience with a publisher tool/vendor that asked for this information. Eventually they learned how to get their service to work using Oauth so that it would generate the token that would provide the proper level of access to get their service working. It would have been nice to know I could have told them "no" in the first place. There are some tools/vendors out there that due to the nature of their service their software provides still require an admin token to enable their tool to work. I wish they would figure a way to get their stuff to work without a plain-text token hanging out in their possession.

What sort of irks me now, is vendors asking for Developer Keys without enforcing scopes. I wonder if there's a best practice doc for this I could refer them to. (Sorry I didn't mean to hijack your discussion, but wanted to see what others have to say about this.)

jwadec · ‎01-21-2020

I have denied two integrations due to vendors requesting admin tokens. Told them to get LTI 1.3 compliant and to take a hike. In both cases I emailed @mloble ‌ and @karl ‌.

There is strength in numbers!

It would be nice if there was some program that vendors went through with Instructure where they could say, “we are canvas approved” and they get a verification badge or something. That way we would know they are following best practices.

You can make the case as I did on why these integrations pose a security risk. For now, I have received institution support.

ColinMurtaugh · ‎01-22-2020

We've had a number of occasions where vendors have requested a root-level admin token, too. Sometimes we've reached a solution by asking them what specific API calls and data they really need, and then generating a token associated with a more limited role and/or a specific sub-account. Still not perfect, but better than handing out a root-level admin token.

On a couple of occasions we've set up an API façade that lets us grant access to specific API endpoints that would otherwise only be accessible using a root token (e.g. ability to read term metadata). This is a bit of work to set up, but now that we've got a pattern established it's not too onerous. (We're using AWS API Gateway to accomplish this -- if anyone's interested in details, LMK.)

--Colin

Admin and manual tokens

Integrate a React App (Not Canvas) to be Canvas LM...

Donot have valid data to test certain APIs

Getting Canvas LTI Data

Prevent Faculty From Using "EX" grade in Gradebook

Can you using "People" Lists to display Observed U...

UI for weekly progression idea

Is the ‘Enable self assessment’ field available in...

Canvas Rubrics API Criteria

api/v1/courses/sis_course_id:{id#}/sections - Not ...

add `desc` or `asc` to a few api calls that are al...

You're signed out

Admin and manual tokens

Community help

View our top guides and resources: