Community Help

Robert28 · ‎04-26-2021

Brand new to Canvas REST API development.

Noticing client_assertion_type, client_assertion, and scope are all required parameters with grant_type=client_credentials via https://canvas.instructure.com/doc/api/file.oauth_endpoints.html#post-login-oauth2-token

Is there a way to use 'grant_type=client_credentials' in a Canvas REST API application without also developing a LTI application?

matthew_buckett · ‎04-27-2021

Normally for machine to machine access we create a user account for the external application and then manually generate a long lived token for the application to use: https://community.canvaslms.com/t5/Admin-Guide/How-do-I-manage-API-access-tokens-as-an-admin/ta-p/89

Canvas doesn't support the client_credentials flow to issue tokens for machine to machine API use as far as I'm aware.

View solution in original post

matthew_buckett · ‎04-26-2021

Yes. You can develop something to talk to the Canvas REST API without having any LTI integration.

You need to have a API developer key created and enabled in the Canvas service you are wanting to make API calls against, but then you should be able to use the developer key to request tokens for people using your application.

If you don't have and token for a user and send them to Canvas to get one they will be asked to login (if not already) and then prompted to grant your developer key access to their account. If they do then you will get an access token back related to their account. You can then use this token in API calls to Canvas and all permission checks in Canvas will be done as the user who granted you the token.

LTI is often used if you want to embed an application in Canvas (so the start point for users using the application is Canvas) but then some LTI application will then ask for an OAuth2 token so that API call can be made to Canvas.

You can't use JWT tokens issued by a LTI 1.3 developer key for the main Canvas API, just the LTI service endpoints (these are listed as LTI Advantage Services in the developer key):

I've probably missed some.

One other thing is you can use Canvas as an identity provider for login to your application using OAuth2 and a scope=/auth/userinfo . If you want them to login with Canvas and then be able to make API calls on behalf of them you will need first to use the /auth/userinfo scope and the request API access from them afterwards.

RobertSeletsky · ‎04-27-2021

Can this also be used for 'machine to machine' flow (no active user action or canvas manual login needed).

matthew_buckett · ‎04-27-2021

Normally for machine to machine access we create a user account for the external application and then manually generate a long lived token for the application to use: https://community.canvaslms.com/t5/Admin-Guide/How-do-I-manage-API-access-tokens-as-an-admin/ta-p/89

Canvas doesn't support the client_credentials flow to issue tokens for machine to machine API use as far as I'm aware.

grant_type=client_credentials

Assistance Needed for Pulling Data from External P...

LTI Deep Linking: Cannot Create Assignment Where T...

New Analytics from API -- getting student weekly p...

Link checker for all active courses

GitHub issues

OAuth2 for Student Accounts

Assistance Needed for Pulling Data from External P...

LTI Deep Linking: Cannot Create Assignment Where T...

New Analytics from API -- getting student weekly p...

Search Canvas API pageviews listing

You're signed out

grant_type=client_credentials

Community Help

View our top guides and resources: