I am interested in building an internal reporting tool that looks at several various Canvas-specific properties about a course, e.g. existence of 'Pages' in Canvas. I believe this type of information can be gathered from the Canvas Data Portal, or the Canvas REST API (or Graphql).
I am interested in using the OAuth client_credential flow to authorize my reporting tool to access Canvas REST API. Is this possible? It seems that the client_credential flow is tightly coupled with LTI tools... If I go through the process of getting an access token as an LTI, will that access token be able to access non-LTI Canvas REST APIs?
Another solution would be to provide a manually created Access Token to my application, effectively treating it as an API key, per this related Canvas Community discussion. I don't like this solution in that I lose the benefit of the bearer token being rotated every hour.
My plan right now is to use the OAuth auth code flow with a special 'non-user account' that will only be given access to the endpoints it needs (I'm actually not familiar with how a user's access to API endpoints is managed in Canvas, but I will work with my university's Canvas Administrators to help me with that part). I want to still get the benefits of a short-lived, often rotated bearer token. This solution means that I will have to store the user credentials and the developer key on my server... c'est la vie.
As with most things in life, the answer is "it depends."
If you are getting a user access token, whether via OAuth or by generating an access token, then you are given whatever permissions that user has. Unless the user is a root admin, it will not be a full set of permissions.
OAuth is the preferred way of getting access as a user. Putting in a personal access token should only be done if you're running a single user application. I've also used it for system-wide applications that run on a server that pull information on behalf of people (normally these are back-end processes that populate a database that is then accessed with some other authorization process).
The other way you can go is to add your app using a developer token. There, you can scope the permissions so that you only get what you need rather than having full access to everything.
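The scoped developer key plus auth-code flow discussed above, as an added illustration that is not code from this thread: the tool sends the service account through the authorize URL once, then keeps only the refresh token server-side and re-mints the hourly bearer token before it expires. The endpoints are Canvas's documented OAuth2 paths; the host, client id, secret, scope string and the injectable `post` function are assumptions so it runs offline.

```python
import time
import urllib.parse
from typing import Callable, Dict, List

# Canvas OAuth2 endpoints as documented by Instructure; the host is a placeholder.
CANVAS_BASE = "https://canvas.example.edu"
AUTH_PATH = "/login/oauth2/auth"
TOKEN_PATH = "/login/oauth2/token"


def build_authorize_url(client_id: str, redirect_uri: str, scopes: List[str], state: str) -> str:
    """Step 1 of the auth-code flow: the one-time URL the service account is sent to.
    The scope list restricts the resulting token to the endpoints the tool needs."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,  # ties the callback to this request (CSRF protection)
    }
    return CANVAS_BASE + AUTH_PATH + "?" + urllib.parse.urlencode(params)


class TokenManager:
    """Keeps the long-lived refresh token server-side and hands out a short-lived bearer
    token, re-minting it `skew` seconds before Canvas's expires_in runs out.
    `post` is an injected (url, form_fields) -> parsed JSON callable (assumed, for offline use)."""

    def __init__(self, client_id: str, client_secret: str, refresh_token: str,
                 post: Callable[[str, Dict[str, str]], Dict], skew: int = 60):
        self.client_id, self.client_secret = client_id, client_secret
        self.refresh_token, self.post, self.skew = refresh_token, post, skew
        self.access_token = None
        self.expires_at = 0.0

    def bearer(self, now: float = None) -> str:
        """Return a valid access token, refreshing if it is absent or about to expire."""
        now = time.time() if now is None else now
        if self.access_token is None or now >= self.expires_at - self.skew:
            self._refresh(now)
        return self.access_token

    def _refresh(self, now: float) -> None:
        body = self.post(CANVAS_BASE + TOKEN_PATH, {
            "grant_type": "refresh_token",
            "client_id": self.client_id,
            "client_secret": self.client_secret,
            "refresh_token": self.refresh_token,
        })
        self.access_token = body["access_token"]
        # Canvas access tokens are short-lived; expires_in is in seconds (typically 3600).
        self.expires_at = now + float(body.get("expires_in", 3600))
```

The access token never needs to touch disk; only the refresh token and the developer key's secret do, and those are what to protect on the server.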
Thanks @James!
I'm not familiar with developer tokens, can you point me to documentation for them?