Community Member

Using the API, how do I get the user's info with their username and password?

We're trying to develop a way for students to view their grades outside of Canvas and we need the user ID of the student so that we can access the grades and display them. If we were to get the username and password of their Canvas account or even just their email, is there any way to get their user info, specifically their unique user ID associated with their account?

Thanks a lot for the help!

0 Kudos
3 Replies
Adventurer III

dakshin.devanand.778@k12.friscoisd.org 

You're asking the wrong question. You don't need to get this through the API, you get it through the LTI launch to your external tool. See the LTI Variable Substitutions documentation to see what information can be available. An easier way is to set the privacy to Public and it will include the Canvas ID and SIS ID. https://community.canvaslms.com/docs/DOC-12589-421474561 

You also won't get the user's password. What you can get is an OAuth2 token through an LTI launch that allows you to act as that user and make API calls on their behalf.

0 Kudos
Community Member

Thanks so much for that clarification, I'm a bit new to this API so forgive me. So from what I understand, it's possible to get the user's User ID and other information through the LTI launch. Then I need to set up the OAuth2 process so that I can get the access token for the user's account and call the API using that token for the individual user. Also, just another question I had: for the OAuth2 process, it seems to require the client ID and client secret to use. I'm actually a student trying to develop this to work with my school district's Canvas, so I just wanted to make sure that getting the client ID and secret is mandatory to getting this to work?

0 Kudos
Adventurer III

With an LTI 1.1 tool, you can have an LTI connect without having to coordinate a client ID and secret. That is, you can ignore whatever is there, but that makes your system pretty open. Setting up a separate OAuth system is not required for LTI 1.1, but you wouldn't be able to act as the user if you weren't going through the OAuth process. If you had an access token generated through Canvas that was capable of making requests then you could use the Public setting for the privacy and get the information, then use the pre-generated token to fetch the information you needed.

Issues:

  • That is very insecure without the secrets to the authorization part.
  • Tokens had the full permissions of the user from which they were created. If you're using an admin token because you need to do something like masquerade as another user, then you had full admin rights. That is a huge security risk to give to students.
  • LTI 1.1 has been deprecated. There are patches to add more security, but Canvas has said they're so major that they will not implement them and people need to go to LTI 1.3.

External apps that support LTI 1.3 and LTI Advantage require configuration using a client ID. This can be configured by the local Canvas administrator where they can also scope what permissions you are granted. LTI 1.3 apps must be configured by an admin before they can be added to the account or course so people can use them. The client ID and secret are used as part of the launch process.

OAuth2 allows you to perform actions as a user without getting their password. Applications in use by multiple users must use OAuth2. Asking someone to manually generate a password and enter it into your application is a violation of the terms of service. This is true for both LTI 1.1 and LTI 1.3. The reason that my LTI 1.1 was able to get by without OAuth2 is that I didn't make any API calls on their behalf, I just managed things in a local database. I did use the Public privacy setting because I needed their SIS ID.

0 Kudos