Edu App Center: Generate Consumer Key and Secret


Christopher Bennell

Sep 21, 2016, 10:52:05 AM
to Canvas LMS Users
Could someone point me towards some documentation about Edu App Center's "Generate Consumer Key and Secret" function? I can see that it launches the configured URL in an iframe, but how and with what is that page supposed to respond? Is it assumed that this is something that will be done once by an administrator, not by the user adding the app from within Canvas? 

Thanks.

Christopher Bennell

Sep 27, 2016, 4:27:35 PM
to Canvas LMS Users
Ping.

Becky Kinney

Sep 28, 2016, 10:23:15 AM
to canvas-l...@googlegroups.com
Christopher,

I don't have a link to anything official, so take this for what it is worth from a former Canvas admin and app coder.

Basically you decide how you want to award access to your app. I've seen lots of cases where the user has to contact the company, and even pay a fee, to get access, so the link goes to a web page with instructions and other information. At the other extreme, you could set up a page that generates valid key:secret pairs and awards them to all comers, or even give away a single pair that just works (not recommended).

As for the question of administrators vs faculty or even students making the request, that is a serious issue, and I've known of cases where secrets were awarded to folks who really should not have been granted access. If your app needs to have an administrator installing it, you need to set up some hoops, but I don't know of a surefire way to distinguish between a user who is willing to lie about his or her privileges and a legit admin without asking for an API key. Sometimes people even mislead by accident, because, for example, they administrate their courses, and they think that's all you mean.

HTH


Becky


Christopher Bennell

Sep 28, 2016, 11:51:47 AM
to Canvas LMS Users
Thanks for this response, Becky. Maybe I'm misinterpreting how the "Generate Auth URL" is supposed to work. I assumed that it worked similarly to the LTI Rich Content embed, where the external application can pass data back to the tool. Maybe that's not the case, and it's just a dumb iframe that displays a key and secret that the user is expected to copy and paste?

It also seems that the "click here to generate" link only appears in EduAppCenter.com, and not when I try to add the app from Canvas.

Here's what I'm actually trying to accomplish: We have a course reserves LTI that should be added to some courses, but not all. We would like this to be self-serve. Ideally, faculty would be able to go to their course settings and install the app from there by selecting it from the list. As it appears to work currently, they are prompted for a key and secret, but given no way to obtain them. 

Is what I'm trying to do possible? 

One more thing: if an app in EduAppCenter is marked "private", it can still be accessed by anyone with the URL. No authentication is required. It's not very private.

Thanks! 



Becky Kinney

Sep 29, 2016, 3:44:39 PM
to Canvas LMS Users
I've dealt with this in a couple of ways. Sometimes I put the key and secret directly into the instructions for installing the app. I only do that for apps I have not shared outside of UD, so theoretically only UD users ever see it. It's obviously not super secure, but depending on what your app does, that might be okay. Another thing I've done is put a list of key:secret pairs for all my internal apps onto an htaccess-protected web page. The easiest thing of all is to install the app into the main account for the university, but in a disabled state, so that those who need it can activate it. If your app is accessed via a course menu link, it is easy to make it disabled by default, and then let users find it in the Navigation tab and drag it up into the active list. Not so useful for apps that are deployed in other ways.

I don't worry that much about people stumbling across a valid app URL. I think the point of 'private' is that no one but you will see those apps at the eduappcenter. For added protection, you could block access to your tools by checking the Canvas domain in the LTI variables, and putting up a simple "sorry" message if it doesn't match your institution. The other thing would be to cross-check the key:secret in your database against the domain it was awarded to, and block access if it's not a match. I'm pretty sure that's what we are intended to do, but for apps you aren't sharing, it seems like a lot of extra work.

HTH
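
The key-to-domain cross-check described in the post above, as an added example that is not part of the original thread or of any Canvas or Edu App Center code. It assumes an LTI 1.1 launch signed with OAuth 1.0a HMAC-SHA1 and that the launch carries the Canvas host in `custom_canvas_api_domain`; the registry, keys, secrets, and URLs are constructed.

```python
import base64, hashlib, hmac
from urllib.parse import quote

# Constructed registry: consumer key -> (secret, Canvas domain it was issued to).
ISSUED = {"reserves-key-1": ("constructed-secret-1", "canvas.example.edu")}

def _enc(s):
    return quote(str(s), safe="-._~")  # RFC 3986 unreserved characters only

def oauth_signature(method, url, params, secret):
    """HMAC-SHA1 signature over the OAuth 1.0a signature base string."""
    pairs = sorted((_enc(k), _enc(v)) for k, v in params.items()
                   if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), _enc(url), _enc(normalized)])
    key = f"{_enc(secret)}&".encode()  # LTI 1.1 launches carry no token secret
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def check_launch(method, url, params):
    """Return (allowed, reason) for an LTI 1.1 launch POST."""
    issued = ISSUED.get(params.get("oauth_consumer_key", ""))
    if issued is None:
        return False, "unknown consumer key"
    secret, awarded_domain = issued
    expected = oauth_signature(method, url, params, secret)
    supplied = params.get("oauth_signature", "")
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "bad signature"
    # Trust the domain only after the signature check: it is a signed parameter.
    domain = params.get("custom_canvas_api_domain", "").lower()
    if domain != awarded_domain:
        return False, "key not issued to this Canvas domain"
    return True, "ok"

def sample_launch(domain, secret="constructed-secret-1"):
    """Build a constructed, signed launch for demonstration."""
    url = "https://reserves.example.edu/lti/launch"
    params = {
        "lti_message_type": "basic-lti-launch-request",
        "oauth_consumer_key": "reserves-key-1",
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_nonce": "constructed-nonce", "oauth_timestamp": "1475000000",
        "custom_canvas_api_domain": domain,
    }
    params["oauth_signature"] = oauth_signature("POST", url, params, secret)
    return url, params
```

A launch that fails `check_launch` is where the "sorry" message would be shown. A production verifier would also reject stale timestamps and reused nonces, which this example omits.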

Christopher Bennell

Sep 29, 2016, 3:58:41 PM
to Canvas LMS Users
Ah, disabled by default is something I hadn't considered; great idea! That could very well work for us. Thanks!

I would be interested to hear back from Instructure about the other questions. 