Developer Key API asks for Authorization each time
Hello,
Our team is developing an application that will pull a user's Calendar Events to a page, then display them through an API key in our instance's developer keys. To authenticate, we plan on using the user's credentials to piggyback the API call via: https://canvas.instructure.com/doc/api/file.oauth_endpoints.html#get-login-oauth2-auth
The issue with this way is that each time the call is made, Canvas asks to authorize the application each time. We are able to store the token locally for each user, but the current timeout requires them to either utilize the functionality in the app more than once an hour, or their token expires and then they have to do the authorize flow again.
What are some ways we can either increase the token expiration timeout default, cache the authorization selection (user selects authorize, and the app/Canvas recognizes this selection henceforth), or some other method?
One way we thought to bypass this was using our institution's Azure SSO to authenticate with JWT, then pass those credentials to Canvas. However, we are not sure how to implement the scope as part of the API call since it is required via client_credentials: https://canvas.instructure.com/doc/api/file.oauth_endpoints.html#post-login-oauth2-token
In addition, we wondered if this would work as an LTI, but we are not entirely certain whether this was best practice.
In short, we are a little lost and would appreciate any guidance if anyone has had to tackle a problem similar to this. Any suggestions are welcome.
Thank you,
Cody Zehner
Hello @czehner1,
The proper implementation of OAuth is to store the refresh token in your application's database and not the authentication token. Your app then needs to have built-in logic to know when to ask Canvas for a new authentication token with the refresh token. This will also prevent the recurring authorization prompts for users.
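The refresh logic described in the reply above, as an added example that is not part of the original posts or of Canvas's own code. It assumes the `grant_type=refresh_token` form of the `/login/oauth2/token` endpoint linked in the question; the class name, the injectable `post` and `clock` parameters, and the 60-second skew are hypothetical choices for illustration.

```python
import json
import time
import urllib.parse
import urllib.request

TOKEN_PATH = "/login/oauth2/token"  # token endpoint linked in the question


def http_post_form(url, fields):
    """Default transport: POST form fields, return the decoded JSON body."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class CanvasTokenCache:
    """Holds the long-lived refresh token and trades it for short-lived access tokens."""

    def __init__(self, base_url, client_id, client_secret, refresh_token,
                 post=http_post_form, clock=time.time, skew=60):
        self._url = base_url.rstrip("/") + TOKEN_PATH
        self._client_id = client_id
        self._client_secret = client_secret  # server-side only, never shipped to a browser
        self._refresh_token = refresh_token  # load from encrypted storage; never log it
        self._post, self._clock, self._skew = post, clock, skew
        self._access_token = None
        self._expires_at = 0.0

    def access_token(self):
        """Return a usable access token, refreshing only when it is about to expire."""
        if self._access_token is None or self._clock() >= self._expires_at - self._skew:
            body = self._post(self._url, {
                "grant_type": "refresh_token",
                "client_id": self._client_id,
                "client_secret": self._client_secret,
                "refresh_token": self._refresh_token,
            })
            if "access_token" not in body:
                # No token in the response: the user has to go through authorize again.
                raise PermissionError("refresh rejected; user must re-authorize")
            self._access_token = body["access_token"]
            self._expires_at = self._clock() + float(body.get("expires_in", 3600))
        return self._access_token
```

Only the first authorization shows the user a prompt; every later API call asks `access_token()` for a bearer token, and the refresh happens server-side without user interaction.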