jonespm
commented
2 years ago We'd talked about making these configurable incase Canvas changes them.
The scopes we are currently using are
Course:
GET /api/v1/courses/:idTabs:
GET /api/v1/courses/:course_id/tabs
PUT /api/v1/courses/:course_id/tabs/:tab_idIn a future releases we'll likely need these, but can wait.
External Tools:
GET /api/v1/accounts/:account_id/external_tools
GET /api/v1/accounts/:course_id/external_tools/sessionless_launch
zqian
Currently the API key is defined with no scope enforcement. We could lock it down to only the specific scopes needed. I don't think these will change, at least not for this release so we can do this now.
Currently these are set with the setting:
CANVAS_OAUTH_SCOPES: []To test:
change your API Developer Key to enforce scopes and add the scopes listed in the default scopes file.
Go to the admin, and delete your user's token record. Then relaunch and go through the OAuth process. Then look at the logs for an INFO level message from [oauth.py:73], where you should see the OAuth redirect to Canvas with the scopes in the URL, similar to the following message:
[INFO] [oauth.py:73] Redirecting user to https://canvas-test.it.umich.edu/login/oauth2/auth?client_id=17700000000000271&redirect_uri=https%3A%2F%2F4ac5-141-213-175-192.ngrok.io%2Foauth%2Foauth-callback&response_type=code&scope=url%3AGET%7C%2Fapi%2Fv1%2Fcourses%2F%3Acourse_id%2Ftabs+url%3APUT%7C%2Fapi%2Fv1%2Fcourses%2F%3Acourse_id%2Ftabs%2F%3Atab_id&state=7tHHBmfJyMKIRemove one of the scopes in the API Developer Key, then add only the remaining scopes to the environment variable. Delete your user's token in the admin, then re-launch and authorize. The handshake should work, but the application will throw an error when it tries to use the scope you are missing:
Error occurred! Status: 401; Message: An error occurred while communciating with Canvas. "Insufficient scopes on access token.