The first code snippet that you had was missing the : between Authorization and Bearer. The second post that you have uses account ID of 1. I would try using self instead of 1. If you are using a hosted account, which it looks like since you have instructure.com in the url, there is a really good chance (approaching 100%) that you do not own account 1. That would give you unauthorized error. It may be something else, but those are two things that jump out at me in the code you supplied.
I was indeed missing the : which was my mistake. That is corrected now. Thank you!
That, combined with a (fifth) token change per email@example.com's suggestion, seems to have done the trick for now. Thank you both!
I want to authenticate access to a canvas webpage based not on an API token key, but on an existing session, so that people have to log into accounts that have the matching permissions in order to access the page. How can I do this in Canvas?
EDIT: I am using Laravel, if it's of any interest, and I am making my own custom webpages for it.
firstname.lastname@example.org, Canvas lacks fine grade access control at the level of individual pages - to a first approximation, all of the content in a course has the same level of access as any other. However, finer-grained access control can be done for an LTI application that has been installed. You can see examples of doing this authentication in Ruby at https://github.com/gqmaguirejr/E-learning (see the SinatraTestxx.rb, chipit.rb, and adminit.rb programs). The LTI application runs in a frame within the Canvas window. One could use an LTI app to provide very fine-grained access control or even a capabilities based access control mechanism, but you would have to implement all of the mechanism yourself.
Note that one could store a given user's capabilities using the user's custom_data (see https://canvas.instructure.com/doc/api/users.html#method.custom_data.set_data). I have used this type of data to store information about a student's program of study (in the above ruby program). Now before the LTI app presents data to the user it can check the custom_data for a capability to access this data.
I do not have any experience with Laravel. However, as it is a PHP environment - you should be able to make your public/index.php file do the Oauth verification - presumably using Laravel's Passport.
EDIT: For anyone reading this and using Laravel/Canvas, I would not recommend using Passport for OAuth2 authentication/authorisation. Passport creates an OAuth2 server in your project for you to use; Canvas already has one created for you. You can create clients, developer keys and such on Canvas. See here:
Developer Keys - Canvas LMS REST API Documentation
I'm getting data on user accounts (as can be seen here Users - Canvas LMS REST API Documentation ). You can see an example of what this looks like for me in the picture below.
Is it possible to add a field value to this array for users? If so, how, and is it recommended?
email@example.com, what kind of field to you want to add? I frequently use joins/cats/... and other operations by using python Pandas - so I can put together user information with other information - such as how has been assigned as a peer reviewer for whom. See for example: Canvas-tools/list-peer_reviewing_assignments.py at master · gqmaguirejr/Canvas-tools · GitHub and Canvas-tools/students-in-my-courses-with-join.py at master · gqmaguirejr/Canvas-tools · GitHub
I was thinking something as simple as a permission field. e.g for one user it might read "permissions => default", while an admin would read "permissions => admin". How would that go about?
For clarity's sake, this is in PHP, via the Laravel framework
firstname.lastname@example.org, You can easily pass via the LTI interface information from Canvas about what roles a user has.
However, building a full permissions based access scheme where different people with the same role have different permissions requires storing this information somewhere - thus is were the custom user information could be used.