Community Team

All things API

Have a question about the Canvas APIs? Have a cool API integration you'd be willing to share? If so, please post here.

271 Replies

Try the Canvas Live API, which is very powerful: https://yourinstitution.instructure.com/doc/api/live


Oops, it has already been mentioned...


The login thing is actually your credentials. If you wanted to complete an API call that way as a test user, then you would need to log in as that test user. For what you are doing, however, I doubt you are creating an OAuth token for each test user and running the calls with that token. Most test users would probably not have permission to search all of your account users either.

As far as why you don't have a dozen test@test.com users, I couldn't say because I am not aware of how you are creating the users and I have not had reason to create a workflow similar to what you are describing. Are you getting the verification back that the user was successfully created? If so, that returned JSON should contain a Canvas user id. If you do not have a whole bunch of users, I would probably guess that you would be getting an error about the user already existing, but that is just a guess.


Hi all--

I was able to figure this out--and thought I'd post what I've found just in case anyone else ever needs to know.

It seems to be related to a permissions issue with multiple grading periods/enrollments.

  • If a student makes that call I mentioned earlier, they can get the current grade for that particular grading period.
  • If an admin makes that same call, they cannot get the current grade for that particular grading period. They can, however, get the current total grade.
  • A parent cannot get either.

I'm assuming some of this is related to the fact that the grading period API is in beta--but thought I'd share my findings for anyone else who may need it.

Community Member

I have questions about the OAuth refresh tokens mentioned in today's production release. I don't fully understand the implications of this change. What sorts of scenarios would lead to the use of a refresh token? I've read the documentation [OAuth2 - Canvas LMS REST API Documentation], but I'm still missing something.

There is something else that is new(?) in the OAuth documentation that wasn't mentioned in the notes:

     "When the user is asked to grant your application access in step 2 of the web application flow, they will also be given an option to remember their authorization. If they grant access and remember the authorization, Canvas will skip step 2 of the request flow for future requests."

I've never observed that behavior, and I never noticed it in the docs until today, so I'm assuming it is new. What do I have to do as a developer to take advantage of the skipped step? Does the issue of the refresh token depend in any way on the user's decision to 'remember' the authorization? Bottom line, is it safe to assume that my existing workflows will not be disrupted by any of these changes?


That is a good find BKINNEY@UDEL.EDU, thank you for sharing it. I had somehow missed it as I scanned through the production release notes. I agree that the documentation is lacking in information regarding this process, but here is my understanding.

Way it has worked:

  1. Your application requests a token
  2. Canvas returns a token
  3. Your application stores a token that can be used indefinitely (unless deleted by the user)

New method:

  1. Your application requests a token
  2. Canvas returns a token and a refresh token
  3. Your application can use that token for a short period of time and then it will expire
  4. The next time the user accesses your application, you use the refresh token (along with your developer credentials) to request a new short lived OAuth token

I think the theory is that an OAuth token can stand alone and could be used if your application is compromised. A refresh token is connected to your developer credentials and can only be used in connection with those credentials to retrieve a new OAuth token. This reduces the danger of someone getting access to an OAuth token requested by an app.

As far as your second observation about "step 2", I am guessing that we have not seen that because we are among the existing developer keys that do not have to use a refresh token yet. My guess (which is all this is) would be that if they choose not to remember the authorization, you would not receive a refresh token, only the short lived OAuth token. That way they would be asked every time to authorize the app.

Will your existing workflows be disrupted?

I would say yes, eventually. I would imagine that is what the following line from the release notes means "Future communication will be provided advising when we will be enforcing the use of refresh tokens for all developer keys." Based on this new information, I will be spending some time in the next couple of days looking at the response from the OAuth token request to figure out if a refresh token exists and thinking through what that might mean for us as developers. I will endeavor to come back and report on anything I discover.

I would also love it if anyone who knows more about this process would chime in with further clarification.


Thanks, that helps a lot. I understand that you are guessing, but it all makes sense. Please let us know if you learn anything further. I'll look for refresh tokens as well, and we can compare notes here.

Community Member

Hello All,

I seem to be having an issue with refreshing my Canvas token. My process is set to request the authorization code from then redirects to my program to process that code and request a token to be used and stored. Using this initial token I am able to make requests for enrollments, courses, users, etc. If that token was deleted or expired then I refresh it and try again.

Below is my request for my initial token with LMS_KEY and LMS_SECRET being values for my actual information.

<?php
// Exchange the authorization code for an access token and a refresh token.
$url = "https://felbry.instructure.com/login/oauth2/token";
$oauth = array( 'client_id'     => LMS_KEY,
                'client_secret' => LMS_SECRET,
                'grant_type'    => 'authorization_code',
                'redirect_uri'  => 'https://stars.trainingmasters.com:82/php/FLMS010.php',
                'code'          => $code);
$header = array('Authorization: Basic ' . base64_encode(LMS_KEY . LMS_SECRET));
// buildAuthorizationHeader() is the poster's own helper (not shown); it encodes the POST fields.
$PostFields = buildAuthorizationHeader($oauth);
$options = array( CURLOPT_HTTPHEADER     => $header,
                  CURLOPT_HEADER         => false,
                  CURLINFO_HEADER_OUT    => true,
                  CURLOPT_POST           => true,
                  CURLOPT_POSTFIELDS     => $PostFields,
                  CURLOPT_URL            => $url,
                  CURLOPT_RETURNTRANSFER => true,
                  CURLOPT_SSL_VERIFYPEER => true);  // verify the server's TLS certificate
$feed = curl_init();
curl_setopt_array($feed, $options);
$json = curl_exec($feed);
$headerSent = curl_getinfo($feed, CURLINFO_HEADER_OUT );
curl_close($feed);
// Keep both tokens: access_token for API calls, refresh_token for later renewal.
$Oauth_Data = json_decode($json,true);
$Token = $Oauth_Data['access_token'];
$RefToken = $Oauth_Data['refresh_token'];
?>

I then use this token to make the request for all completed courses:

// List completed courses, sending the access token as a Bearer credential.
$url = "https://felbry.instructure.com/api/v1/courses?state=completed";
$header = array('Authorization: Bearer ' . trim($Token));
$options = array( CURLOPT_HTTPHEADER     => $header,
                  CURLOPT_HEADER         => false,
                  CURLINFO_HEADER_OUT    => true,
                  CURLOPT_URL            => $url,
                  CURLOPT_RETURNTRANSFER => true,
                  CURLOPT_SSL_VERIFYPEER => true);  // verify the server's TLS certificate
$feed = curl_init();
curl_setopt_array($feed, $options);
$json = curl_exec($feed);
$headerSent = curl_getinfo($feed, CURLINFO_HEADER_OUT );
curl_close($feed);
$Oauth_Data2 = json_decode($json,true);
echo '<pre>'.print_r($Oauth_Data2,true).'</pre>';

When I print the result I get a list of all courses as expected.

Then I configure my program to fake a new token so I can trigger my logic to refresh the token. To refresh the token I use the following request; $RefToken is the token collected from the initial request:

<?php
// Use the stored refresh token to request a new access token.
$url = "https://felbry.instructure.com/login/oauth2/token";
$oauth = array( 'client_id'     => LMS_KEY,
                'client_secret' => LMS_SECRET,
                'grant_type'    => 'refresh_token',
                'refresh_token' => trim($RefToken));
$header = array('Authorization: Basic ' . base64_encode(LMS_KEY . LMS_SECRET));
// buildAuthorizationHeader() is the poster's own helper (not shown); it encodes the POST fields.
$PostFields = buildAuthorizationHeader($oauth);
$options = array( CURLOPT_HTTPHEADER     => $header,
                  CURLOPT_HEADER         => false,
                  CURLINFO_HEADER_OUT    => true,
                  CURLOPT_POST           => true,
                  CURLOPT_POSTFIELDS     => $PostFields,
                  CURLOPT_URL            => $url,
                  CURLOPT_RETURNTRANSFER => true,
                  CURLOPT_SSL_VERIFYPEER => true);  // verify the server's TLS certificate
$feed = curl_init();
curl_setopt_array($feed, $options);
$json = curl_exec($feed);
$headerSent = curl_getinfo($feed, CURLINFO_HEADER_OUT );
curl_close($feed);
$Oauth_Data = json_decode($json,true);
$Token = $Oauth_Data['access_token'];
?>

This process seems to work since I get a new token, but when I attempt to use that new token to make the same courses request as above I receive the following message:

Array
(
  [errors] => Array
  (
  [0] => Array
  (
  [message] => Invalid access token.
  )
  )
  [error_report_id] => 2259
)

I have printed all my values out before and after all requests and everything is sending what it's supposed to. I have used this process for other OAuth authentication with no issues. Any help with this issue would be great.

Thank you.
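The refresh-token workflow discussed in the posts above (a short-lived access token, renewed with the refresh token plus the developer key and secret), as an added example that is not part of the original thread and not Canvas's own code. The function names, the token store layout, canvas.example.edu, the DEMO_* values, the fake transport and the 3600-second fallback for a missing expires_in are all assumptions made for illustration.

```php
<?php
// Added example, not the poster's code. Names and store layout are hypothetical.

/** Production transport: form-encoded POST with certificate checks left on. */
function curlPost(string $url, array $fields): array {
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,   // the secret and tokens travel in this request
        CURLOPT_SSL_VERIFYHOST => 2,
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    return [$status, json_decode((string)$body, true) ?? []];
}

/** Return a usable access token, refreshing when the stored one is near expiry. */
function getAccessToken(array &$store, array $cfg, callable $post, int $now): string {
    if ($store['access_token'] !== '' && $now < $store['expires_at'] - 60) {
        return $store['access_token'];            // still valid, no network call
    }
    [$status, $data] = $post($cfg['token_url'], [
        'grant_type'    => 'refresh_token',
        'client_id'     => $cfg['client_id'],
        'client_secret' => $cfg['client_secret'],
        'refresh_token' => $store['refresh_token'],
    ]);
    if ($status !== 200 || empty($data['access_token'])) {
        // Caller should send the user back through the authorization step.
        throw new RuntimeException("token refresh failed (HTTP $status)");
    }
    $store['access_token']  = $data['access_token'];
    $store['expires_at']    = $now + (int)($data['expires_in'] ?? 3600); // assumed default
    // A refresh response may omit refresh_token; keep the one already stored.
    $store['refresh_token'] = $data['refresh_token'] ?? $store['refresh_token'];
    return $store['access_token'];
}

// Constructed offline demo: a fake transport stands in for /login/oauth2/token.
$fake = fn(string $url, array $f): array =>
    [200, ['access_token' => 'new-' . $f['refresh_token'], 'expires_in' => 3600]];
$cfg = ['token_url' => 'https://canvas.example.edu/login/oauth2/token',
        'client_id' => 'DEMO_ID', 'client_secret' => 'DEMO_SECRET'];
$store = ['access_token' => 'old', 'expires_at' => 1000, 'refresh_token' => 'r1'];
echo getAccessToken($store, $cfg, $fake, 2000), PHP_EOL;  // expired: refreshes
echo getAccessToken($store, $cfg, $fake, 2100), PHP_EOL;  // cached: no second call
echo $store['refresh_token'], PHP_EOL;                    // refresh token retained
```

Against a real instance, pass 'curlPost' as the $post argument and persist $store server-side, since the refresh token is only useful together with the client secret.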


When you say that "$RefToken is the token collected from the initial request" do you mean you are using the OAuth token from the initial request or the refresh token from the initial request? From the code you posted, it looks like you are only grabbing the access_token. The request from Canvas includes an "access_token" and a "refresh_token". The "access_token" is used to make API calls, the "refresh_token" is used to obtain a new OAuth token. This may be old news to you if you have used the process for other OAuth authentication, but for those of us developing specifically for Canvas, this is a new addition. As you may have noticed in the comments just above yours, we are still trying to figure out the implications of the refresh token.


I missed that piece when copying my code but I am using the refresh token found in the refresh_token value from the JSON request. My apologies for the mix-up.