dhaya_karutheda
Surveyor

Canvas OAuth Authorization

Hi, I am trying to create an application that extracts information from Canvas and presents it in a dashboard.

It was decided that we approach this with the OAuth2 authentication process.

During development I came across a scenario that doesn't make sense to me.

To complete OAuth2, these are the steps I have been following.

1. Under my account, create a Client ID and a Client Secret.

2. Make a call to the Canvas OAuth2 endpoint with Redirect URL, Client ID and Client Secret.

3. Canvas then asks me to authorise the OAuth2 credentials, forcing me to go through SAML authentication because SAML is our authentication mechanism. I then authorize the usage of the client ID and client secret under my account.

4. I get the access_code appended to the redirect_url specified in step 2.

5. I then call the OAuth2 endpoint with access_code, Client ID, Client Secret and redirect URL to get the access_token and refresh_token.

6. Now I can call the Canvas API with the access token to get the API output required.

I understand I can call the Canvas API with this access_token as long as the access_token is not expired, and I can get a new access_token as long as the refresh_token is not expired.

Let us consider that both the access_token and refresh_token are expired. Do I now have to follow all the steps 1 to 6 to get a new access_token, meaning that I will have to authorize the usage every single time? It doesn't help with my use case, as I have to log in through a SAML procedure which needs a browser to work.

I was hoping the authorization would be needed only the very first time, but it seems not, and I can't find any references that say it won't.

I would appreciate it if anyone could share any insights into this.

1 Solution

Accepted Solutions
pklove
Learner II

The refresh token does not expire.  So if you cache this, you do not have to go through the whole process again.

Note that at your step 2, you should not be including the client secret.  This is a security risk.  You only use the secret when you exchange the code for the token.
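The split described in this answer, as an added example that is not part of the original post or Canvas's own code: the browser redirect carries only the client ID, the secret appears only in the server-side token POST, and the refresh token is cached so the SAML login happens once. The host, cache path and the `post` callable (a stand-in for your HTTP client) are assumptions; the endpoint paths follow Canvas's OAuth2 documentation.

```python
import json
import os
from urllib.parse import urlencode

CANVAS = "https://canvas.example.edu"  # placeholder host (assumption)

def authorize_url(client_id, redirect_uri, state):
    """Step 2: browser redirect. Carries the client ID only, never the secret."""
    q = {"client_id": client_id, "response_type": "code",
         "redirect_uri": redirect_uri, "state": state}
    return f"{CANVAS}/login/oauth2/auth?{urlencode(q)}"

def token_form(client_id, client_secret, *, code=None, redirect_uri=None,
               refresh_token=None):
    """Step 5 or refresh: server-to-server POST body, the only place the secret goes."""
    form = {"client_id": client_id, "client_secret": client_secret}
    if refresh_token:
        form.update(grant_type="refresh_token", refresh_token=refresh_token)
    else:
        form.update(grant_type="authorization_code", code=code,
                    redirect_uri=redirect_uri)
    return form

def save_refresh_token(path, token):
    """Cache the refresh token in a file created readable by the owner only."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump({"refresh_token": token}, f)

def load_refresh_token(path):
    try:
        with open(path) as f:
            return json.load(f).get("refresh_token")
    except FileNotFoundError:
        return None

def get_access_token(path, client_id, client_secret, post, code=None,
                     redirect_uri=None):
    """Use the cached refresh token if present; else do the one-time code exchange."""
    cached = load_refresh_token(path)
    if cached is None and code is None:
        raise RuntimeError("no cached refresh token: authorize in a browser once")
    form = token_form(client_id, client_secret, code=code,
                      redirect_uri=redirect_uri, refresh_token=cached)
    reply = post(f"{CANVAS}/login/oauth2/token", form)  # post: hypothetical HTTP helper
    if reply.get("refresh_token"):  # present on the initial code exchange
        save_refresh_token(path, reply["refresh_token"])
    return reply["access_token"]
```

Generate `state` per request (for example with `secrets.token_urlsafe`) and compare it on the redirect before exchanging the code.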

2 Replies
kona
Community Coach

@dhaya_karutheda, due to the technical nature of this question, it has been shared with the Canvas Developers group in the Community. Hope they can help!

Kona
