
Is it possible to masquerade a login session url?

Question asked by Richard Standen on Jun 6, 2019
Hello,
Looking at the use case for masquerade in the docs: "masquerading could be useful in a number of use cases: for a portal type application that's already tightly integrated with an SIS and is managed by the school, to avoid going through the OAuth flow for every student" (https://canvas.instructure.com/doc/api/file.masquerading.html).
We would like to build an external website which collates the student profile, calls the Canvas API to create the student account, and then is able to present a link to the student which jumps directly into the Canvas learning environment (without the need for the OAuth handshake).
Simply put, these are the commands we are currently prototyping:
// Masquerade as student 201 via the API (admin token with masquerade rights)
$command = '/api/v1/users/self/profile?as_user_id=201';
$content = do_canvas_command($command, $site, $admin_token);
printf("<p>masqueraded profile content = %s</p>\n", print_r($content, true));
// Ask for a session-token login URL for the same student
$command = '/login/session_token?as_user_id=201';
$content = do_canvas_command($command, $site, $admin_token);
printf("<p>masqueraded url content = %s</p>\n", print_r($content, true));


(do_canvas_command is a wrapper function to package up the appropriate curl calls)
The masquerade for the profile works:
masqueraded profile content = Array ( [0] => stdClass Object ( [id] => 201
[name] => Nicholas Kings [short_name] => Nick
[sortable_name] => Kings, Nicholas
[avatar_url] => https://oup.instructure.com/images/messages/avatar-50.png
[title] => [bio] =>
[primary_email] => nick.j.kings+1559826668@gmail.com
[login_id] => nick.j.kings+1559826668@gmail.com
[integration_id] => [time_zone] => America/New_York
[locale] => [effective_locale] => en
[calendar] => stdClass Object ( [ics] => https://oup.instructure.com/feeds/calendars/user_BbOhinluwVulwnQjvD0hs4xQdMpv6zfPugo9GFly.ics ) ) )


However, when the link https://oup.instructure.com/?session_token=some_large_token_generated_by_canvas is followed, the user is logged in as the privileged user, not the required student (id=201).
Should we use a different route? Or is /login/session_token not masquerade-able?
Thanks
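An added example, not the poster's code and not Canvas's own client: it performs the same two calls in Python, appends as_user_id correctly even when the path already has a query string, and refuses to hand out a session link unless the masqueraded profile actually resolved to the intended student (the failure mode described above). The fake_fetch responses, the ADMIN_TOKEN value and the session_url key in the /login/session_token response are assumptions.

```python
import json
from urllib.parse import parse_qs, urlencode, urlsplit
from urllib.request import Request, urlopen

def canvas_url(site, path, as_user_id=None):
    """Build the request URL; as_user_id is appended correctly even if path has a query."""
    url = site.rstrip("/") + path
    if as_user_id is not None:
        url += ("&" if "?" in url else "?") + urlencode({"as_user_id": as_user_id})
    return url

def http_get_json(url, token):
    """Real transport: GET with the admin bearer token (needs masquerade rights)."""
    req = Request(url, headers={"Authorization": "Bearer " + token})
    with urlopen(req) as resp:
        return json.loads(resp.read().decode("utf-8"))

def masquerade_verified(site, token, student_id, fetch=http_get_json):
    """True only if Canvas resolved 'self' to the student we asked to act as."""
    profile = fetch(canvas_url(site, "/api/v1/users/self/profile", student_id), token)
    return profile.get("id") == student_id

def student_session_link(site, token, student_id, fetch=http_get_json):
    """Return a session URL for student_id, or None if the masquerade check failed.
    Assumes the /login/session_token JSON carries a 'session_url' key. The question
    reports the link may still log in as the token owner, so treat the result as
    an admin-level secret until you have confirmed whose session it opens."""
    if not masquerade_verified(site, token, student_id, fetch):
        return None
    result = fetch(canvas_url(site, "/login/session_token", student_id), token)
    return result.get("session_url")

def fake_fetch(url, token):
    """Constructed stand-in for Canvas: only user 201 exists; unknown ids fall back
    to the token owner's own profile, so a mismatch is visible to the check above."""
    parts = urlsplit(url)
    as_user = int(parse_qs(parts.query).get("as_user_id", ["0"])[0])
    if parts.path == "/api/v1/users/self/profile":
        if as_user == 201:
            return {"id": 201, "name": "Nicholas Kings"}
        return {"id": 1, "name": "Site Admin"}
    if parts.path == "/login/session_token":
        return {"session_url": "https://oup.instructure.com/?session_token=CONSTRUCTED"}
    raise ValueError("unexpected path " + parts.path)

if __name__ == "__main__":
    print(student_session_link("https://oup.instructure.com", "ADMIN_TOKEN", 201, fake_fetch))
```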
