Non-user authentication for quiz APIs?
Hello,
We'd like to use an API to pull information about available quizzes, for the purposes of an administrator being able to set up tool configuration for existing quizzes. I see that this API exists:
/d2l/api/le/(version)/(orgUnitId)/quizzes/(quizId)
However, the only client-credentials flow I see available is for LTI Advantage. The user-based authentication doesn't make sense to me since don't care about the context of a student in this scenario. Is there an appropriate service-to-service authentication mechanism that I'm missing?
Thanks!
Answers
-
Hello,
We generally use OAuth 2.0 for API authentication. It is not a user-based authentication the way you describe it, it is more accurately an open standard framework.
Using the API example you list will in fact return the details about one or more Quizzes (i.e. name, instructions, date, description). You can then follow up with a second API request to get a list of the questions/answers. No student related content is included, just quiz details.Authenticating using OAuth 2.0 is in effect a service-to-service authentication method. I hope this makes sense.
OAuth 2.0 is a very secure open standard and we support very granular permissions (Scopes) to ensure your API consumers can only access the type of data you wish them to. Have a look at Getting Started at our main API web page:
You can find a lot more info on community here:
Hope this helps!
-
Bill,
Thank you for the response and info! OAuth2 is a broad standard that certainly contains the kind of authentication flows that I'm looking for, but the authentication guide specifically talks about the three-legged authentication using an auth code flow only, which requires interactive login by a user.
This is in contrast with a plain client credentials flow, where a service can authenticate with another service without any dependence on a user authenticating.
We can use the client_credentials grant type to get a an access token for LTI Advantage, but as far as I've seen, the we're not able to use that flow for the the scopes we need (quizzing:quizzes:read in this case, I think). Can you confirm that this is by design, or is there a way to do it?
Thanks!
-
To confirm I understand the question:
- You would like to use the API to pull information about available quizzes.
- You don't specifically need to use LTI, it's just an option you thought of using, is this correct?
- You want to do this without any dependence on a user authenticating.
Please confirm the above.
I am not versed on all available authentication methods however I have an idea of how the above can be almost fully acconmplished (assuming my understanding is correct).Using the D2L OAuth 2.0 app (see attached) you register an app with the Scope (quizzing:quizzes:read) you need. The first time you use this with the D2L auth server (auth.brightspace.com/oauth2/auth) it will ask for to login as a user. Yes this is not what you want but bear with me.
Assuming a manual successful authentication, you will get a token and refresh_token. The Refesh_token is the key. A refresh_token is valid for 30 days. You simply exchange it for a new token and refresh_token as often as you like. As long as you refresh it within 30 days, you will never need to login and do user authentication again.
Just ensure save your refresh_token every time, it is a one-time-use.
Thoughts? -
Bill,
Yes, you are interpreting the question correctly. Thank you for the suggestion. That sounds like it could work. I will discuss with the team.
Thanks again!
