Instructure OneRoster Authentication Specifications
When configuring the Instructure OneRoster API integration, you must specify your system authorization method.
For OneRoster implementation details, refer to the IMS Global OneRoster v1.1 final specification documentation.
Note: OneRoster v1.2 will require OAuth 2.0 authorization.
Note: Instructure is a OneRoster Consumer. For OneRoster Consumer and Provider definitions, view the Introduction to OneRoster.
Supported Authentication Methods
When configuring your Instructure OneRoster integration, you must specify the integration authorization method. Instructure supports both OAuth 2.0 and OAuth 1.0a authentication configurations.
If your institution opts to use OAuth 1.0a, prevent server sync issues by allowing the following flexibility when your server checks the request timestamp: 10 min in the past; 5 min in the future.
If your institution opts to use OAuth 2.0, the Authorization header of the access token request includes the client credentials (consumer key and secret). Additionally, if your institution has pre-defined the authorization scope, it is built into the URL upon implementation.
Learn more about OneRoster 1.1 security configuration options.
Note: When running an API call, each concurrent thread requests its own token. If a new token is issued, do not invalidate previously generated tokens.
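The following is an added example, not Instructure or IMS Global code: a provider-side sketch of the OAuth 2.0 behavior described above, where the token request carries the consumer key and secret in a Basic Authorization header and each new token is stored alongside earlier ones instead of replacing them. The credential values, `TOKEN_TTL`, and all function names are assumptions made for illustration.

```python
import base64
import hmac
import secrets
import time

# Constructed sample credentials; real values come from your provider configuration.
CLIENTS = {"example-consumer-key": "example-consumer-secret"}
TOKEN_TTL = 3600  # seconds; assumed lifetime, not a value from this page
_tokens = {}  # access token -> (client_id, expiry); one entry per issued token


def parse_basic(header):
    """Return (client_id, secret) from an 'Authorization: Basic ...' value, or None."""
    scheme, _, value = header.partition(" ")
    if scheme.lower() != "basic" or not value:
        return None
    try:
        decoded = base64.b64decode(value.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    client_id, sep, secret = decoded.partition(":")
    return (client_id, secret) if sep else None


def issue_token(auth_header, now=None):
    """Client-credentials grant: authenticate the client, then mint a new token."""
    now = time.time() if now is None else now
    creds = parse_basic(auth_header)
    if creds is None:
        return None
    client_id, secret = creds
    expected = CLIENTS.get(client_id, "")
    # Constant-time comparison; it also runs for unknown clients.
    if not hmac.compare_digest(secret.encode(), expected.encode()) or not expected:
        return None
    # Remove only tokens that have expired, never live ones.
    for tok in [t for t, (_, exp) in _tokens.items() if exp <= now]:
        del _tokens[tok]
    # The new token is added next to earlier ones, so concurrent threads keep theirs.
    token = secrets.token_urlsafe(32)
    _tokens[token] = (client_id, now + TOKEN_TTL)
    return token


def validate_token(token, now=None):
    """Return the client_id for a live token, else None."""
    now = time.time() if now is None else now
    entry = _tokens.get(token)
    return entry[0] if entry and entry[1] > now else None
```

A store keyed by client ID with a single token slot would silently revoke the token held by another sync thread each time a new one is requested, which is the failure the note above warns against.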
Additional Resources
- Authentication: OAuth 2.0 with SHA-1 signature method
- OAuth 2.0 IETF Client Credentials Grant
- IMS Global OAuth 2.0 Final Specifications
- Canvas LMS OneRoster 1.1 Rest API Implementation Guide