AnsweredAssumed Answered

Canvas OAuth Authorization

Question asked by Dhaya karuthedathu on Nov 8, 2018
Latest reply on Nov 11, 2018 by Peter Love

Hi, I am trying to create an application that extracts information from canvas and presents it in a dashboard.

It was decided we approach this with OAuth2  authentication process.


During the development i came across a scenario that doesn't make sense to me.

To complete the OAuth2 following are the steps i have been following.

1. Under my account create a Client ID and a Client Secret

2. Make a call to Canvas OAuth2 endpoint with Redirect URL, Client ID and Client Secret.

3. Canvas then asks me to authorise the OAuth2 Credentials, by forcing me to go through SAML authentication because SAML is our authentication mechanism. I then authorize the usage of client id and client secret under my account.

4. I get the access_code appended to the redirect_url specified in the step 2.

5. I then call the OAuth2 endpoint with access_code, Client ID and Client Secret and redirect url to get the access_token and refresh_token

6. Now i can call the Canvas API with the access token to get the API output required.


I understand i can call canvas API with this access_token, as long as the access_token is not expired and i can get a new access_token as long as refresh_token is not expired. 


Let us consider that both access_token and refresh_token is expired now do i have to follow all the steps 1 to 6 to get a new access_token meaning that i will have to authorize the usage every single time. It doesn't help with my use case as i have to login through a SAML procedure which needs browser to work.


I was hoping the authorization will be needed only the very first time, but it seems not and I cant find any references that says it wont.


Appreciated if anyone could share any insights to this.