cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

Step 2 of oauth2 flow (Authenticating & Authorizing)

Jump to solution

I’m working with a developer at my institution to create a tool to automatically create new users in Canvas as they’re pushed to an internal system. We’re going to be using API calls & a developer key authorized by a special account to create the users.


 

We’re currently working on the Oauth2 flow and have a question. We want the process to be fully automated, but it looks like step 2 requires manual intervention to login and authorize the app. Is there some way to automatically authorize an app to negate the need to login? If not, is there some way to login and authorize the app through commands and bypass the need for manually doing it in a browser?

1 Solution

Accepted Solutions
Explorer

I'm not sure if you're trying to develop an application that is run as a side-car to Canvas to create users on behalf of an admin user, but you can certainly simulate the API calls using cURL and side-step the Oauth2 process altogether. I'm assuming you've already considered that and are asking how to get to step 2 of being an authenticated user using Oauth2 in an automated fashion. To my knowledge this is contrary to the nature of Oauth2's design...that is to use the credentials of a user in application A and supply the appropriate information and access to application B. This necessitates user interaction because in the end the user is the deciding entity to authorize application B to utilize their account information and role from application A. If applications did this without the user's knowledge that would be a large security concern abroad the Internet.

Secondly, Instructure's terms of service dictate that applications do not store or ask users to enter their token into an application, so I think you're out of luck. Source: OAuth2 - Canvas LMS REST API Documentation

Lastly, if you're just trying to automate user creation, you can do so by using the SIS Import API endpoint: SIS Imports - Canvas LMS REST API Documentation

Your application could allow for users to request an account, and then batch process them in the same way SIS workflow is set up. The frequency of the batch process would be dependent on your needs, but it wouldn't be in real-time.

View solution in original post

2 Replies
Explorer

I'm not sure if you're trying to develop an application that is run as a side-car to Canvas to create users on behalf of an admin user, but you can certainly simulate the API calls using cURL and side-step the Oauth2 process altogether. I'm assuming you've already considered that and are asking how to get to step 2 of being an authenticated user using Oauth2 in an automated fashion. To my knowledge this is contrary to the nature of Oauth2's design...that is to use the credentials of a user in application A and supply the appropriate information and access to application B. This necessitates user interaction because in the end the user is the deciding entity to authorize application B to utilize their account information and role from application A. If applications did this without the user's knowledge that would be a large security concern abroad the Internet.

Secondly, Instructure's terms of service dictate that applications do not store or ask users to enter their token into an application, so I think you're out of luck. Source: OAuth2 - Canvas LMS REST API Documentation

Lastly, if you're just trying to automate user creation, you can do so by using the SIS Import API endpoint: SIS Imports - Canvas LMS REST API Documentation

Your application could allow for users to request an account, and then batch process them in the same way SIS workflow is set up. The frequency of the batch process would be dependent on your needs, but it wouldn't be in real-time.

View solution in original post

Thanks a lot for the thorough explanation. I was initially looking into a single token generated through our canvas instance but one of our Canvas reps suggested that the developer keys were a better approach due to the potential, albeit small, to hit the call rate limit. The goal with the application is to have a real-time-ish user creation.

Since token storage is acceptable so we may step through the initial flow ourselves and then build the app to go to step 3 and use token_refresh.

Using SIS import for users is our second choice since we already have the automated user creation in Blackboard.

Still, thanks for spelling out what I thought was true regarding user credentials and Oauth2. I'll pass that info along and see if there's still a desire to make it work or look into option 2.