Perhaps this question has been asked somewhere already, but I cannot find anything. I have a third-party vendor requesting a developer key. (Zoom) Not to develop, but for SSO from Canvas to Zoom, I guess.
What are the security considerations for granting developer keys to third-party vendors?
Granting developer keys to third-party vendors makes me nervous. Should I be?
Thanks, Lisa
Hi Lisa --
It's good to be concerned about giving out developer keys! 🙂 With a developer key, third-party software can essentially masquerade as your users and interact with the Canvas API on their behalf (with their permission). This means that if they're operating on behalf of one of your teachers, they'd be able to do all of the things that teacher can do: access their courses, create and delete content, message their students, access and change grades, etc.
The way this works is that when one of your users accesses the third-party app for the first time, the app redirects the user to Canvas and sends along their developer key. Canvas makes sure that the developer key is valid and that the user is logged in, and then displays a message like "<Application name> is requesting access to your account". If the user grants this access, Canvas will redirect them back to the third-party app along with a token that the app can store and use to make Canvas API calls.
Since having a developer key gives the third-party software such deep access to your Canvas instance, you'll want to have a solid relationship with the vendor (probably with a contract in place, FERPA agreement, data security review, etc.). I'd ask them to explain what API calls they'll be making, and what data they will read and write in Canvas. Your institution may already have practices for granting vendors access to sensitive, FERPA-protected data, and this definitely falls into that category.
Hope this is helpful - let me know if you have any questions!
--Colin
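Added example (not part of Colin's reply and not Instructure's or the vendor's code): one way for an admin to check what an app actually asks Canvas for in the redirect described above, by parsing the authorization URL it sends users to. It assumes Canvas's OAuth2 parameters (`client_id`, `redirect_uri`, `state`, `scope`) and the `url:METHOD|/path` scope format; the hostnames, key ID, state value and scopes are constructed sample data, and `review_auth_request` and `sample_request` are hypothetical names.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

def review_auth_request(url, approved_redirect_hosts):
    """Report what an app asks Canvas for when it redirects a user to authorize it."""
    query = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    redirect = urlsplit(query.get("redirect_uri", ""))
    scopes = query.get("scope", "").split()
    # Assumed scope format "url:GET|/api/v1/courses"; pull out the HTTP method.
    writes = [s for s in scopes
              if s.startswith("url:") and s[4:].split("|", 1)[0] in WRITE_METHODS]
    findings = []
    if redirect.scheme != "https" or redirect.hostname not in approved_redirect_hosts:
        findings.append("redirect_uri is not an approved HTTPS host")
    if not query.get("state"):
        findings.append("no state value, so the callback cannot be tied to the user's session")
    if not scopes:
        findings.append("no scope requested: assume the token can do anything the user can")
    if writes:
        findings.append(f"{len(writes)} scope(s) allow changing data")
    return {"client_id": query.get("client_id"), "redirect_host": redirect.hostname,
            "write_scopes": writes, "findings": findings}

def sample_request(**params):
    """Build a constructed authorization URL; every value here is sample data."""
    base = {"client_id": "10000000000001", "response_type": "code",
            "redirect_uri": "https://vendor.example.com/oauth/callback"}
    return "https://canvas.example.edu/login/oauth2/auth?" + urlencode({**base, **params})

# Constructed inputs: one request limited to named endpoints, one with no limits.
SCOPED = sample_request(
    state="c9f1e2",
    scope="url:GET|/api/v1/courses "
          "url:PUT|/api/v1/courses/:course_id/assignments/:assignment_id/submissions/:user_id")
UNSCOPED = sample_request()

if __name__ == "__main__":
    for name, url in (("scoped", SCOPED), ("unscoped", UNSCOPED)):
        print(name, review_auth_request(url, {"vendor.example.com"}))
```

The write scopes it lists are the concrete items to compare against the vendor's own description of what they will read and write.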
They shouldn't need a developer key for SSO. As Colin has outlined, you would use a developer key so you can make API calls from an external application into Canvas.
For SSO from Canvas to an external application, you would probably be expecting to be using LTI.