I am working on a single page app for a client (JS front end, taking to a .NetCore 2.1 Web API). This web API communicates with Canvas API to lets say create a simple Dashboard.
Now, this is all great in the current (dev) state, as a user comes into the app, they will be required to sign in to ADFS, and on successful sign in, I make my web api calls using the user generated token (requesting info on behalf of the user). All working fine. However...
I have been requested (or it has been pointed out) that for PROD the app will need to utilize OAuth2. I cannot see how this could be achieved; considering the Canvas OAuth2 flow doesn't seem to mention any "server flow" at all; additionally by design (of OAuth), I'd have to present the user with the "acceptance" screen (somewhere within the Sign On flow?), and on success, get the token, store and utilize to communicate with the Canvas API; that is unacceptable in my view. Additionally, this token will only have access to "own" user records only (?), where I might need to make a call on behalf of parent/student scenario.
I also tried to first of all test the OAuth2 and since I have an admin account in the "test" instance of the client's Canvas, I've created a new "developer key" and successfully tested the OAuth2. My guess here would be since this "admin" user has elevated access, that solves issues of fetching data with masquerading in mind, yet I have no idea how to solve the need for the OAuth2 flow being handled server side.