Celebrate Excellence in Education: Nominate Outstanding Educators by April 15!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Community
- Groups
- Canvas Developers Group
- Forum
- Re: Enforcing scope on developer key breaks OAuth ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Found this content helpful? Log in or sign up to leave a like!
Enforcing scope on developer key breaks OAuth flow?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-27-2019
11:57 AM
I have an app that uses the OAuth2 flow described here to authorize a user and receive an access token that is then used to make API calls. When I first wrote the app, I didn't select the "Enforce Scopes" option when creating the developer key it uses. But since the app only needs access to a couple of API endpoints, I thought it would be a good idea to restrict the key so that only those specific endpoints would be available to the authorizing user.
After making turning on the "Enforce Scopes" option and selecting the endpoints I need, the app now fails to get past the first step in the OAuth2 flow:
This should just give me the initial code that can be exchanged for an access token, then redirect back to the specified URI. Instead, it gives me this error:
{
"error":"invalid_scope",
"error_description":"A requested scope is invalid, unknown, malformed, or
exceeds the scope granted by the resource owner."
}Turning off the "Enforce Scopes" option on the developer key results in everything working normally again. None of my application code changed, so the only thing that could be causing the error is the scoping.
Am I just misunderstanding how scoping is supposed to work, or is there something I need to change about how I've implemented the OAuth2 flow in my app if I wish to use a developer key with scoping enabled?
Solved! Go to Solution.
1 Solution
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-27-2019
12:37 PM
When using scopes, you need to specify the scopes you want from amongst the ones that have been allowed at the Canvas end.
You do this by adding a scope parameter to the first call. In the docs, this is on the OAuth2 Endpoints - Canvas LMS REST API Documentation page. It would be good if the Overview page was updated to mention this.
It would also be nice if there was an option, or default, to have all allowed scopes, but it does not work like this.
8 Replies
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-27-2019
12:37 PM
When using scopes, you need to specify the scopes you want from amongst the ones that have been allowed at the Canvas end.
You do this by adding a scope parameter to the first call. In the docs, this is on the OAuth2 Endpoints - Canvas LMS REST API Documentation page. It would be good if the Overview page was updated to mention this.
It would also be nice if there was an option, or default, to have all allowed scopes, but it does not work like this.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-27-2019
05:18 PM
Doh! Including the scope parameter in the initial request does the trick.
I overlooked that addition to the endpoint documentation (I agree, it would be great if the overview page were updated to reflect this), so thank you very much for pointing me in the right direction.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-17-2019
09:30 AM
Hello John,
I tried to follow OAuth2 Endpoints - Canvas LMS REST API Documentation adding scope to my request but I am still getting this error
GET /token?error=invalid_scope&error_description=A+requested+scope+is+invalid%2C+unknown%2C+malformed%2C+or+exceeds+the+scope+granted+by+the+resource+owner.+The+following+scopes+were+requested%2C+but+not+granted%3A+https%3A%2F%2Fpurl.imsglobal.org%2Fspec%2Flti-ags%2Flineitem+and+https%3A%2F%2Fpurl.imsglobal.org%2Fspec%2Flti-ags%2Fresult%2Fread
I am running Canvas as self hosted on my local machine, when i tried to enable scoping for the developer key that i have following this documentations How do I enable scoping for a developer key in an account?
I could not find Enforce Scopes field, it seems the local version is different than the one is mentioned there.
I can see that i can add a scope only to API key not the LTI key, I am not sure if I get it right or not !
Can anyone explain how can i get over this error please ?
Thanks
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-08-2021
12:44 PM
Did you find any solution to this problem? I ran Bitnami version of Canvas through AWS and am having the same issue as you. I can't modify scopes in this version during LTI Developer Key setup.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-20-2020
11:44 AM
Our LTI utilizes many API endpoints and if we pass scope parameters for all of them in a request then character counts exceeds 2000, causing our nginx server to reject the request.
Is there any other option to pass multiple scope parameters other than in Get request.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-21-2020
12:59 AM
Can you not increase your nginx header limit size?
http://nginx.org/en/docs/http/ngx_http_core_module.html#large_client_header_buffers
Canvas should work up to 8000 characters, but suggests if you are having problems you request multiple tokens from the user and have different scopes on each token. This documented on the Developer Keys page.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-22-2020
11:26 AM
If i want to request second token with remaining scopes, Do i have to make another request to authorization url with those remaining scopes.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-29-2024
09:00 AM
There doesn't seem to be a list of scopes for the get request anywhere in the documentation. What is the correct scope for the initial get request to receive an auth_token?
Community Help
View our top guides and resources:
Find My Canvas URL Help Logging into Canvas Generate a Pairing Code Canvas Browser and Computer Requirements Change Canvas Notification Settings Submit a Peer Review AssignmentTo participate in the Instructure Community, you need to sign up or log in:
Sign In