I have added an AJAX request in the custom js file that I've uploaded to Canvas. That AJAX request is currently not secure. I would like to add some layer of authentication, however, it seems that all the available tools will not accommodate this idea, unless there's just something I'm missing.

What I need is for Canvas to ask SERVER A (my server) for a an access token, and then pass that token on to the JS so it can be attached to the AJAX request. It seems like any other scheme I might come up with whereby the JS generates the token will not be secure because that's happening on the client's computer.

I thought about using a Canvas event, but those events don't fire in real time.

I thought about getting the JS to call on a Canvas LTI app, which in turns asks SERVER A for a token using the Oauth2 credentials sent by the LTI APP, but calling the LTI app from JS returns a 403 error.

I wish there was some pre-load hook that I can use to have Canvas poll data from SERVER A and pass that on to the JS ENV variables or something, but not having that, can anyone think of any other ideas?