Community Help

jmelson · ‎02-27-2019

I have an app that uses the OAuth2 flow described here to authorize a user and receive an access token that is then used to make API calls. When I first wrote the app, I didn't select the "Enforce Scopes" option when creating the developer key it uses. But since the app only needs access to a couple of API endpoints, I thought it would be a good idea to restrict the key so that only those specific endpoints would be available to the authorizing user.

After making turning on the "Enforce Scopes" option and selecting the endpoints I need, the app now fails to get past the first step in the OAuth2 flow:

GET https://<canvas-instance-url>/login/oauth2/auth?client_id=XXXX&response_type=code&redirect_uri=<my-r...;

This should just give me the initial code that can be exchanged for an access token, then redirect back to the specified URI. Instead, it gives me this error:

{
   "error":"invalid_scope",
   "error_description":"A requested scope is invalid, unknown, malformed, or 
      exceeds the scope granted by the resource owner."
}

Turning off the "Enforce Scopes" option on the developer key results in everything working normally again. None of my application code changed, so the only thing that could be causing the error is the scoping.

Am I just misunderstanding how scoping is supposed to work, or is there something I need to change about how I've implemented the OAuth2 flow in my app if I wish to use a developer key with scoping enabled?

pklove · ‎02-27-2019

When using scopes, you need to specify the scopes you want from amongst the ones that have been allowed at the Canvas end.

You do this by adding a scope parameter to the first call. In the docs, this is on the OAuth2 Endpoints - Canvas LMS REST API Documentation page. It would be good if the Overview page was updated to mention this.

It would also be nice if there was an option, or default, to have all allowed scopes, but it does not work like this.

View solution in original post

pklove · ‎02-27-2019

When using scopes, you need to specify the scopes you want from amongst the ones that have been allowed at the Canvas end.

You do this by adding a scope parameter to the first call. In the docs, this is on the OAuth2 Endpoints - Canvas LMS REST API Documentation page. It would be good if the Overview page was updated to mention this.

It would also be nice if there was an option, or default, to have all allowed scopes, but it does not work like this.

jmelson · ‎02-27-2019

Doh! Including the scope parameter in the initial request does the trick.

I overlooked that addition to the endpoint documentation (I agree, it would be great if the overview page were updated to reflect this), so thank you very much for pointing me in the right direction.

mahmoud_mostafa · ‎12-17-2019

Hello John,

I tried to follow OAuth2 Endpoints - Canvas LMS REST API Documentation adding scope to my request but I am still getting this error

GET /token?error=invalid_scope&error_description=A+requested+scope+is+invalid%2C+unknown%2C+malformed%2C+or+exceeds+the+scope+granted+by+the+resource+owner.+The+following+scopes+were+requested%2C+but+not+granted%3A+https%3A%2F%2Fpurl.imsglobal.org%2Fspec%2Flti-ags%2Flineitem+and+https%3A%2F%2Fpurl.imsglobal.org%2Fspec%2Flti-ags%2Fresult%2Fread

I am running Canvas as self hosted on my local machine, when i tried to enable scoping for the developer key that i have following this documentations How do I enable scoping for a developer key in an account?

I could not find Enforce Scopes field, it seems the local version is different than the one is mentioned there.

I can see that i can add a scope only to API key not the LTI key, I am not sure if I get it right or not !

Can anyone explain how can i get over this error please ?

Thanks

ensightful-app · ‎03-08-2021

Did you find any solution to this problem? I ran Bitnami version of Canvas through AWS and am having the same issue as you. I can't modify scopes in this version during LTI Developer Key setup.

aamirsohel · ‎10-20-2020

Our LTI utilizes many API endpoints and if we pass scope parameters for all of them in a request then character counts exceeds 2000, causing our nginx server to reject the request.

Is there any other option to pass multiple scope parameters other than in Get request.

matthew_buckett · ‎10-21-2020

Can you not increase your nginx header limit size?

http://nginx.org/en/docs/http/ngx_http_core_module.html#large_client_header_buffers

Canvas should work up to 8000 characters, but suggests if you are having problems you request multiple tokens from the user and have different scopes on each token. This documented on the Developer Keys page.

aamirsohel · ‎10-22-2020

If i want to request second token with remaining scopes, Do i have to make another request to authorization url with those remaining scopes.

MatthewStahlman · ‎07-29-2024

There doesn't seem to be a list of scopes for the get request anywhere in the documentation. What is the correct scope for the initial get request to receive an auth_token?

Enforcing scope on developer key breaks OAuth flow?

Retrieve Data On Rubric Criteria And Completion

Gray screen for Microsoft OneDrive LTI - Local hos...

Microsoft OneDrive LTI

Common Cartridge Import - Link Matching Logic

launch_no_longer_valid

Retrieve Data On Rubric Criteria And Completion

Gray screen for Microsoft OneDrive LTI - Local hos...

Microsoft OneDrive LTI

Assistance with Code

Submissions API for student submission data as an ...

You're signed out

Enforcing scope on developer key breaks OAuth flow?

Community Help

View our top guides and resources: