jmarchal
Not applicable

Does Canvas API support 2-Legged Authorization

From what I see, only 3-legged Authorization is supported. 

I need to implement a server-to-server system or an API-to-API layer. The problem is, when granting authorization, it cannot redirect to the system-wide CAS authorization and then display the Canvas app Authorization. I need it to be 2-Legged... meaning, you send your app-id and secret and it will return the token without any of the other stuff. This is possible almost everywhere OAuth is supported. Does anybody know if this is possible? It is not documented in the API documentation. Thanks. 

5 Replies
kona
Community Coach

@jmarchal, due to the technical nature of this question I'm going to share this with the https://community.canvaslms.com/groups/canvas-developers?sr=search&searchId=0c9ea72c-63a0-4819-b24f-... group in the Community. You might also consider joining this group and checking out their resources. 

ColinMurtaugh
Community Champion

Hi Jason --

You can generate a token that your app can use to call the API, and it will have the privileges associated with that user. One approach would be to create a Canvas user account for your application, log in as that user, and generate a token (under Profile > Settings, look for the "+New Access Token" button at the bottom). If your app needs to make API calls as other users, you would need to grant your application user an account-level role that has the "become other users" permission. If you're using a token that has that permission, you can use the as_user_id parameter when calling the API:

Masquerading - Canvas LMS REST API Documentation 

This essentially avoids having your app use the OAuth workflow to get authorization from each user for your app to operate on their behalf; obviously this gives your app a lot of power and needs to be used carefully. 

--Colin 
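Colin's approach in working form, as an added example that is not part of the thread and not Canvas's own code: a small Ruby client that sends the generated access token as a Bearer header, adds the as_user_id parameter he names when the call must run as another user, masks the token before it can reach a log line, and follows Canvas's Link-header pagination while refusing to attach the token to a "next" URL on a different host. The Canvas host, the CANVAS_BASE_URL and CANVAS_TOKEN environment variables and the SAMPLE_LINK header are constructed for the example.

```ruby
require 'net/http'
require 'uri'

# Assumed values, not from the thread: the Canvas host and the env var that
# carries the access token generated under Profile > Settings (never hardcode it).
CANVAS_BASE = ENV.fetch('CANVAS_BASE_URL', 'https://canvas.example.edu')

# Constructed sample of a Canvas pagination Link header (two pages).
SAMPLE_LINK = "<#{CANVAS_BASE}/api/v1/courses?page=2&per_page=100>; rel=\"next\"," \
              "<#{CANVAS_BASE}/api/v1/courses?page=1&per_page=100>; rel=\"first\""

# Build (without sending) a GET for a Canvas REST path. The token travels in the
# Authorization header; as_user_id is added as a query parameter so Canvas runs
# the call as that user, which only works if the token's owner holds the
# "become other users" permission Colin describes.
def build_canvas_request(path, token, params: {}, as_user_id: nil)
  uri = URI.join(CANVAS_BASE, path)
  query = params.dup
  query['as_user_id'] = as_user_id.to_s if as_user_id
  uri.query = URI.encode_www_form(query) unless query.empty?
  req = Net::HTTP::Get.new(uri)
  req['Authorization'] = "Bearer #{token}"
  req['Accept'] = 'application/json'
  [uri, req]
end

# Mask the token before a request header is written to a log.
def redact_bearer(value)
  value.to_s.sub(/Bearer \S+/, 'Bearer [redacted]')
end

# Canvas paginates list endpoints with an RFC 5988 Link header. Return the URL
# tagged rel="next", or nil on the last page.
def next_page_url(link_header)
  return nil if link_header.nil?
  link_header.split(',').each do |part|
    target, *attrs = part.strip.split(';').map(&:strip)
    next unless attrs.any? { |a| a.match?(/\Arel="?next"?\z/) }
    return target[1..-2] if target.start_with?('<') && target.end_with?('>')
  end
  nil
end

# Real transport; each_page takes it as a default so a test can inject a stub.
def send_request(uri, req)
  Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') do |http|
    http.request(req)
  end
end

# Walk every page of a list endpoint and return the raw bodies. The bearer
# token is only attached to next-links on the same host as CANVAS_BASE, so a
# rewritten Link header cannot redirect the credential elsewhere.
def each_page(path, token, as_user_id: nil, per_page: 100, perform: method(:send_request))
  uri, req = build_canvas_request(path, token, params: { 'per_page' => per_page }, as_user_id: as_user_id)
  bodies = []
  loop do
    resp = perform.call(uri, req)
    bodies << resp.body
    nxt = next_page_url(resp['Link'])
    break unless nxt
    uri = URI(nxt)
    raise "refusing to send token to #{uri.host}" unless uri.host == URI(CANVAS_BASE).host
    req = Net::HTTP::Get.new(uri)
    req['Authorization'] = "Bearer #{token}"
  end
  bodies
end

if __FILE__ == $PROGRAM_NAME
  uri, req = build_canvas_request('/api/v1/users/self/page_views',
                                  ENV.fetch('CANVAS_TOKEN', 'example-token'), as_user_id: 42)
  puts "GET #{uri}"
  puts "Authorization: #{redact_bearer(req['Authorization'])}"
end
```

Because the token carries every permission of the application user, the same-host check before following a next-link and the redaction before logging are the two places this kind of script most often leaks a credential; scope the application user's role to the permissions the integration actually needs.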

50581462 I'm gonna necrobump this thread, but it's relevant to my interests. I need server-to-server communication, and I need to display some data to Students that the student API is not authorized to see (e.g. events, page views, etc.). Does this mean that I should create a user such as a teacher, generate a token, and use their token in my application? Or is there a way to create such a token that you mention, but just for an application, without creating a new user? (I use a self-hosted instance, but my LTI may branch out.) Also, does your advice go against the TOS of Canvas? i.e. "Note that asking any other user to manually generate a token and enter it into your application is a violation of Canvas' terms of service. Applications in use by multiple users MUST use OAuth to obtain tokens." (OAuth2 - Canvas LMS REST API Documentation)

chofer
Community Coach

Hello @jmarchal...

I thought that I would check in with you because we haven't heard from you since you first posted this question on April 12th and then received responses from @kona (thanks for sharing the question) and 50581462. While I don't have an answer for you myself, I wanted to check in. Have you had an opportunity to review the response from Colin? If so, did it help to answer your question? Or, are you still looking for some help with this question? Please go ahead and mark Colin's response as "Correct" if you feel that it answers your question. However, if you are still looking for some assistance, please come back here to this discussion thread to post an update so that members of the Canvas Community can continue to help you. Because we've not heard from you for almost two months and because there hasn't been any new activity in this thread for quite a while, I'm going to mark your question as "Assumed Answered", but that won't prevent you or others from posting additional replies below. I hope that's okay with you. Looking forward to hearing from you soon, Jason!

rleonar7
Not applicable

It looks like Canvas does support the client credentials flow (aka 2-legged OAuth) for LTI integrations. It is unclear to me if the access token received when using this flow gives full access to the general Canvas REST API endpoints.
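rleonar7's reply names the client credentials flow Canvas offers to LTI tools. The Ruby below is an added example, not code from the thread or from Canvas: under the IMS LTI Advantage security framework that Canvas's LTI 1.3 support follows, the tool does not post a shared secret but an RS256-signed JWT client assertion, which is the "app-id and secret" step the original question asks about. The block builds that assertion, the form body sent with grant_type=client_credentials, and the checks a token endpoint performs on the assertion (pinned algorithm, signature against the registered key, iss/sub/aud, expiry, single-use jti) before issuing a token. The client_id, kid, token-endpoint URL and the NRPS scope are placeholders and assumptions; what the resulting token can reach is, as the reply says, not settled by this thread.

```ruby
require 'openssl'
require 'json'
require 'securerandom'

# Assumed placeholders, not from the thread: the client_id Canvas assigns to
# the tool's LTI developer key, and Canvas's OAuth token endpoint.
CLIENT_ID = '10000000000001'
TOKEN_ENDPOINT = 'https://canvas.example.edu/login/oauth2/token'

# base64url without padding, as JWT requires.
def b64url(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  padded = str.tr('-_', '+/')
  padded += '=' * ((4 - padded.length % 4) % 4)
  padded.unpack1('m0')
end

# The tool's credential: a JWT signed with its private key. iss and sub are
# the client_id, aud is the token endpoint, exp is a few minutes out and jti
# is a nonce so the server can reject a replayed assertion.
def client_assertion(private_key, now: Time.now.to_i)
  header = { alg: 'RS256', typ: 'JWT', kid: 'tool-key-1' } # kid is an assumed key label
  claims = { iss: CLIENT_ID, sub: CLIENT_ID, aud: TOKEN_ENDPOINT,
             iat: now, exp: now + 300, jti: SecureRandom.uuid }
  signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(claims))}"
  signature = private_key.sign(OpenSSL::Digest.new('SHA256'), signing_input)
  "#{signing_input}.#{b64url(signature)}"
end

# Form body the tool POSTs (urlencoded) to TOKEN_ENDPOINT; no user is involved.
def token_request_form(assertion, scopes)
  { 'grant_type' => 'client_credentials',
    'client_assertion_type' => 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
    'client_assertion' => assertion,
    'scope' => scopes.join(' ') }
end

# The server-side checks. Returns [ok, reason]; seen_jtis is the replay cache.
def verify_client_assertion(jwt, public_key, seen_jtis, now: Time.now.to_i)
  h, c, s = jwt.split('.')
  return [false, 'malformed'] unless h && c && s
  begin
    header = JSON.parse(b64url_decode(h).force_encoding(Encoding::UTF_8))
    claims = JSON.parse(b64url_decode(c).force_encoding(Encoding::UTF_8))
    signature = b64url_decode(s)
  rescue JSON::ParserError, ArgumentError
    return [false, 'malformed']
  end
  # Pin the algorithm before touching the signature: never let the token pick it.
  return [false, 'alg'] unless header['alg'] == 'RS256'
  valid = begin
    public_key.verify(OpenSSL::Digest.new('SHA256'), signature, "#{h}.#{c}")
  rescue OpenSSL::PKey::PKeyError
    false
  end
  return [false, 'signature'] unless valid
  return [false, 'issuer'] unless claims['iss'] == CLIENT_ID && claims['sub'] == CLIENT_ID
  return [false, 'audience'] unless claims['aud'] == TOKEN_ENDPOINT
  return [false, 'expired'] unless claims['exp'].is_a?(Integer) && claims['exp'] > now
  return [false, 'replay'] if seen_jtis.include?(claims['jti'])
  seen_jtis << claims['jti']
  [true, 'ok']
end

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::PKey::RSA.new(2048) # in practice: the tool's registered key pair
  jwt = client_assertion(key)
  form = token_request_form(jwt, ['https://purl.imsglobal.org/spec/lti-nrps/scope/contextmembership.readonly'])
  puts "POST #{TOKEN_ENDPOINT} grant_type=#{form['grant_type']}"
  puts "assertion verifies: #{verify_client_assertion(jwt, key.public_key, []).inspect}"
end
```

The verifier pins alg to RS256 and checks the signature before reading any claim, because an assertion whose header is trusted to name its own algorithm can downgrade the check; the jti cache is what turns the short exp window into single use.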