
Is it possible to masquerade a login session url?

Question asked by Richard Standen on Jun 6, 2019
Looking at the use case for masquerade, masquerading could be useful in a number of use cases: for a portal-type application that's already tightly integrated with an SIS and is managed by the school, to avoid going through the OAuth flow for every student.
We would like to build an external website which collates the student profile, calls the Canvas API to create the student account, and then is able to present a link to the student which jumps directly into the Canvas learning environment (without the need for the OAuth handshake).
Simply put, these are the commands we are currently prototyping:
$command = '/api/v1/users/self/profile?as_user_id=201';
$content = do_canvas_command($command, $site, $admin_token);
printf("<p>masqueraded profile content = %s</p>\n", print_r($content, true));
$command = '/login/session_token?as_user_id=201';
$content = do_canvas_command($command, $site, $admin_token);
printf("<p>masqueraded url content = %s</p>\n", print_r($content, true));


(do_canvas_command is a wrapper function to package up the appropriate curl calls)
The masquerade for the profile works:
masqueraded profile content = Array ( [0] => stdClass Object ( [id] => 201
[name] => Nicholas Kings [short_name] => Nick
[sortable_name] => Kings, Nicholas
[avatar_url] =>
[title] => [bio] =>
[primary_email] =>
[login_id] =>
[integration_id] => [time_zone] => America/New_York
[locale] => [effective_locale] => en
[calendar] => stdClass Object ( [ics] => ) ) )


However, when the link is followed, the user is logged in as the privileged user, not the student required (id=201).
Should we use a different route? Or is /login/session_token not masquerade-able?