Help with OAuth for a new web app

LijKott
Community Novice

Hello, I am completely new to making apps for Canvas, and I am a student developing a web app for a scholarship. I decided to do an app where you can use Canvas' OAuth to have an AI create a study guide with flash cards and practice quizzes. I've been working on this for a few weeks now and I can't seem to find a good way to get the user's course material for the AI to make study guides.

Now tell me if this is impossible and I should jump ship, but I've found out you can, with the school's developer keys, use OAuth to get Canvas' API to get all the different assignments, tests, grades, and more. Now, I see that as perfectly fine to do, but I want my app to be accessible to all students, and the way I have to do that is I would have to get all the different schools' dev keys and store them somewhere for when a user from that school wants to use my app. Now, I believe there is a better way to do what I want, but I have looked and have ended up here. What I ask is, is this possible? I'm fine to do it the seemingly impossible way for the prototype, but I want to find a better way. Is there a better way? And finally, should I even do this idea? Is this idea too crazy for a student?

I have yet to do any coding, just a simple UI prototype. I've asked ChatGPT this and all I could find is the near impossible way of doing it. I'm about to go back to school Monday, and I'm planning on asking around to find answers.

1 Solution
jwals
Community Participant

Hi @LijKott,

Yes, what you're describing as the "near impossible way" is the standard implementation of the common OAuth2 flow. You have the following situation:

You are developing a third-party application, call it App X. App X wants to access Canvas on behalf of students/users. However, "Canvas" is not a single thing; each instance of Canvas is separately administered by its respective institution. So really, App X wants to access College A's Canvas instance on behalf of Student 1, 2, 3, and App X wants to access University B's Canvas instance on behalf of Student 4, 5, 6, etc. Non-technically speaking, College A, University B, etc. will need to review and approve App X before it is allowed to access their Canvas instance on behalf of their students. If the institution approved App X, they would provide you with the relevant security credentials to perform the OAuth2 process and then students would be able to log in to App X via their institution's Canvas instance. In the US higher education context, student data is subject to numerous federal regulations such as FERPA and institutions need to be sure that anyone they let access their student data (e.g., App X) is compliant with those regulations and with any other security and privacy protocols the institution wants to maintain. In a broader web application/OAuth context, you can understand that application administrators will broadly want to control which external, third-party applications are allowed to access their own application on behalf of their users.

All of that said, if you want to continue developing your project, your best bet would be to approach the Canvas administrators at your school and see if they can provide you with any kind of dev or sandbox access to Canvas, since your application at this point is almost certainly not ready to have full access to FERPA-sensitive data. Another option would be to spin up your own development instance of Canvas in Docker containers, which is not exactly trivial but is relatively straightforward. Instructure (the company who develops Canvas) provides instructions for doing that here. You can find more information about OAuth2 here and Canvas-specific information here.

Lastly, and this is more personal opinion than anything else: AI study buddy tools are a dime a dozen right now and many Canvas administrators such as myself are highly skeptical of them. There are serious concerns around privacy and intellectual property (for example, they are often ingesting an instructor's material that the instructor has not allowed to be shared in such a way) as well as pedagogical value (educational psychologists will tell you that making the flashcards and practice quizzes is where the actual learning happens. If someone or something else does it for you, you are just engaging in rote memorization).

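The per-institution flow described in the solution above, sketched as an added example that is not part of the original thread or of Canvas's own code. It assumes Canvas's OAuth2 endpoints `/login/oauth2/auth` and `/login/oauth2/token`; the hosts, client IDs, redirect URI and function names are hypothetical placeholders, and the HTTP POST for the code exchange is left to the caller.

```python
import hmac
import secrets
from urllib.parse import urlencode

# Constructed registry: one entry per Canvas instance whose administrators have
# approved the app and issued it a developer key. Hosts and IDs are placeholders.
DEVELOPER_KEYS = {
    "college-a": {"host": "canvas.college-a.example", "client_id": "10000000000001"},
    "university-b": {"host": "canvas.university-b.example", "client_id": "20000000000002"},
}
REDIRECT_URI = "https://appx.example/oauth/callback"  # placeholder for App X


def begin_login(institution):
    """Return (authorization URL, pending record to store in the user's session)."""
    key = DEVELOPER_KEYS.get(institution)
    if key is None:
        raise LookupError(f"{institution!r} has not issued App X a developer key")
    state = secrets.token_urlsafe(32)  # unguessable value tying the callback to this session
    query = urlencode({
        "client_id": key["client_id"],
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "state": state,
    })
    url = f"https://{key['host']}/login/oauth2/auth?{query}"
    return url, {"institution": institution, "state": state}


def finish_login(pending, params, client_secret):
    """Check the callback and return (token URL, POST form) for the code exchange.

    The institution comes from the server-side session record, never from the
    callback query string, so the code is only sent to the instance where the
    login started.
    """
    returned = params.get("state", "").encode()
    if pending is None or not hmac.compare_digest(pending["state"].encode(), returned):
        raise PermissionError("state mismatch: callback does not belong to this session")
    if "error" in params or "code" not in params:
        raise PermissionError(f"authorization not granted: {params.get('error', 'no code')}")
    key = DEVELOPER_KEYS[pending["institution"]]
    form = {
        "grant_type": "authorization_code",
        "client_id": key["client_id"],
        "client_secret": client_secret,  # load per institution from a secrets store
        "redirect_uri": REDIRECT_URI,
        "code": params["code"],
    }
    return f"https://{key['host']}/login/oauth2/token", form
```

The pending record should be discarded after one use, and each institution's client secret kept in a secrets store rather than alongside the registry.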