Pros and Cons of user access tokens

enrique_carbone
Community Member

Our institution only allows administrators to generate user access tokens, to prevent any misuse and enhance security for our Canvas users. Due to increasing demands, we may need to enable user access token creation for these users. Is there a way to only provide access to a specific role (i.e. only teachers)? If not, what are the pros and cons of allowing users to generate user access tokens? What applications should we be careful of (examples include Chrome extensions or external applications that answer questions on quizzes)?

chriscas
Community Coach

Hi @enrique_carbone,

This is a great question for admin discussion! I think there are two pretty distinct views on token generation, which I'll elaborate on below.

On one side, you have the mindset that a platform should be open and allow a user to create their own customizations, apps, scripts, etc. for the platform. I believe this has been Instructure's general view of Canvas from the beginning. All users were allowed to generate their own tokens so they could create things on their own via the API if they wanted to.

The other side is that a token is essentially the equivalent of a password, as it gives access to anything that user has access to in Canvas in a general sense. In the past few years, it seems like it has become more and more common for external tool vendors to ask users for an API token to "integrate" with Canvas instead of following the LTI standard. Some of that trend may be inexperienced developers, but some may also be 3rd parties not wanting to go through the review process many schools/institutions have (rightly) put in place to ensure data security and accessibility and to evaluate other aspects of 3rd party platforms. With this in mind, many schools/institutions, including mine, no longer allow users to generate their own API tokens.

I don't think there is necessarily a right or wrong side above; it's really a choice each school/institution should evaluate and decide on for themselves. Now, getting to one of your other specific questions, it's really not possible out of the box to allow only certain role(s) to generate tokens while denying students. You could try to do some custom scripting around that, but custom scripts can always be gotten around if users want to.

Your last question, around things to be careful of, is actually on a whole different level that is related to tokens but doesn't necessarily need tokens. Browser extensions, depending on how they are coded, wouldn't even need a token to perform tasks for the user once they are logged in to Canvas. I'd say that you should advise students (and anyone else, really) to be skeptical of browser extensions that supposedly allow them to "cheat" by doing quizzes or other things for them. While I have seen a few that do actually work, there are many that are somewhat likely to be more like malware, in that they don't actually do anything with Canvas at all, and we really don't know what they actually do (suspicious because they are misadvertising just to get a user to install the extension).

I hope some of this makes sense and helps with some of your questions. I wanted to get the ball rolling on a conversation here, as I do think a lot of this is more of an opinion and less of a definitive-answer situation. Hopefully some others will chime in as well.

-Chris
