I am not an expert with OAuth2 by any means; however, I have used the Google API with great success.
In all of the examples I have found, access to the API always requires hard coding an access token in at least 1 of three ways:
- By URL
- refresh_token from initial access_token request
These methods are fine for a testing environment but what about real production?
Is there a way to just pass the username to Canvas Cloud and given a correct password it will return a token with the permissions of an admin or other type of user depending on who logged in?
In the Canvas OAuth2 documentation it warns:
- Don't embed tokens in web pages.
- Don't pass tokens or session IDs around in URLs.
- Properly secure the database or other data store containing the tokens.
- For web applications, practice proper techniques to avoid session attacks such as cross-site scripting, request forgery, replay attacks, etc.
I have always used a secure web site to authenticate via PHP and handle the storage of the access token using session variables and a MySQL table to handle User Roles. This method does of course require a dedicated intranet environment.
What is the most secure method to handle real production?
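As an added example (not code from the original post or from Canvas), here is a PHP sketch of the server-side handling the quoted warnings call for: the token is encrypted at rest in MySQL with libsodium, looked up only by the user id bound to the server-side session, and sent in the Authorization header instead of a URL. The `canvas_tokens` table, its columns, the `TOKEN_KEY` environment variable and the `$pdo` connection are assumptions.

```php
<?php
declare(strict_types=1);
// Added example: server-side token handling for a Canvas API integration.
// Assumed schema: canvas_tokens(user_id INT PRIMARY KEY, token_ct BLOB, nonce BLOB)
// Assumed env: TOKEN_KEY = base64 of 32 random bytes, kept out of the web root/DB.

final class CanvasTokenStore
{
    private string $key;

    public function __construct(private PDO $pdo, string $base64Key)
    {
        $key = base64_decode($base64Key, true);
        if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
            throw new RuntimeException('TOKEN_KEY must be a base64-encoded 32-byte key');
        }
        $this->key = $key;
    }

    // Encrypt at rest with a fresh random nonce per row, so a DB dump alone
    // does not expose usable tokens.
    public function save(int $userId, string $accessToken): void
    {
        $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $ct = sodium_crypto_secretbox($accessToken, $nonce, $this->key);
        $stmt = $this->pdo->prepare(
            'REPLACE INTO canvas_tokens (user_id, token_ct, nonce) VALUES (?, ?, ?)'
        );
        $stmt->execute([$userId, $ct, $nonce]);
    }

    // Decrypt only for the caller's own user id; returns null if the row is
    // missing or the ciphertext was tampered with.
    public function load(int $userId): ?string
    {
        $stmt = $this->pdo->prepare('SELECT token_ct, nonce FROM canvas_tokens WHERE user_id = ?');
        $stmt->execute([$userId]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($row === false) { return null; }
        $pt = sodium_crypto_secretbox_open($row['token_ct'], $row['nonce'], $this->key);
        return $pt === false ? null : $pt;
    }
}

// Token travels in the Authorization header, never as a query parameter.
function canvasGet(string $baseUrl, string $token, string $path): string
{
    $ch = curl_init($baseUrl . $path);
    curl_setopt_array($ch, [CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER => ['Authorization: Bearer ' . $token]]);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body === false ? '' : $body;
}
```

Typical use after login: `$store->load((int) $_SESSION['user_id'])` inside the request handler, so the token never reaches the browser or a URL.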