Transitioning Postman Knowledge to Custom Widgets


Newbie here that likes to experiment with this stuff… I went through Postman with Paul (which is a fantastic resource) a couple years ago and have been doing lots of bulk tasks with it. Now I am taking those concepts a step further and attempting to create some custom Brightspace widgets that use JavaScript to do Brightspace API calls right inside an admin course offering in Brightspace.

One item in particular I'm working on to start is a sandbox creator performing the standard POST /d2l/api/lp/(version)/courses/ call. After a lot of tinkering, I am actually able to get it to work! It creates a sandbox and uses the criteria I set in the body.

However, I know for a fact I am absolutely not doing it in a secure or practical way. This is because I am manually adding the access token that I'm retrieving from Postman into the JavaScript code itself - which I am confident is a big 'no-no' for security reasons. (Don't judge, I just wanted to get it to work at least once…)

How do I set this up to have the key stored in a more secure place and handle the refresh token? I am open to any tips and suggestions. I've read a lot of the documentation on here and understand the base concepts for OAuth 2.0 (thanks to my work in Postman) but am not sure how to go about it for doing something right within the Brightspace LE in the HTML editor. Keep in mind, I am pretty new to this stuff and am pumped I can make it do anything at this point. Thanks!


Best Answer

  • Travis.H.362
    Travis.H.362 Posts: 23 🧭
    Answer ✓

    This information is helpful, thanks! The 'Authorization Tokens that keep Expiring' link was especially insightful. I found that I can now run my calls while logged in as my admin user by simply adding 'X-CSRF-TOKEN': localStorage.getItem("XSRF.Token") as a header. Fantastic! I'm excited to explore this more and continue building.
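
The approach described in this answer, as an added example that is not part of the original posts and is not D2L's own code: the widget reuses the logged-in session's XSRF token from localStorage instead of a pasted access token. The function names, the version check and the `courseData` argument are assumptions made for illustration.

```javascript
// Added example: buildCreateCourseRequest and createSandbox are hypothetical names.
const XSRF_KEY = "XSRF.Token"; // localStorage key quoted in the post above

// Build the request with no hard-coded bearer token. `storage` is
// window.localStorage in the widget; `version` and `courseData` come from the caller.
function buildCreateCourseRequest(storage, version, courseData) {
  // Only allow a dotted numeric version so the value cannot alter the route.
  if (!/^\d+(\.\d+)*$/.test(String(version))) {
    throw new Error("Unexpected API version: " + version);
  }
  const token = storage.getItem(XSRF_KEY);
  if (!token) {
    // Fail closed rather than send a request without the session's token.
    throw new Error("No XSRF token found in storage");
  }
  return {
    url: "/d2l/api/lp/" + version + "/courses/", // relative URL: same origin only
    options: {
      method: "POST",
      credentials: "same-origin", // rely on the logged-in session cookie
      headers: {
        "Content-Type": "application/json",
        "X-CSRF-TOKEN": token,
      },
      body: JSON.stringify(courseData),
    },
  };
}

// Send the request; `fetchImpl` defaults to the browser's fetch.
async function createSandbox(version, courseData, storage, fetchImpl) {
  const doFetch = fetchImpl || fetch;
  const { url, options } = buildCreateCourseRequest(storage, version, courseData);
  const response = await doFetch(url, options);
  if (!response.ok) {
    // The call runs with the logged-in user's permissions, so surface refusals.
    throw new Error("Course creation failed with HTTP " + response.status);
  }
  return response.json();
}
```

Because the call runs with the permissions of whoever is logged in, nothing secret is left in the widget's HTML for other users to read.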


  • Stefanie.B.518
    Stefanie.B.518 Posts: 468 admin

    @Travis.H.362 This is such a great question!
    Just checking in with a few folks more knowledgeable than myself on Postman and the Brightspace API to see what I can find out for you.

    Working on this one, and so grateful for your post here!

  • Bruce.B.64
    Bruce.B.64 Posts: 45

    Hi @Travis.H.362 - So I'm not as knowledgeable as some D2L'ers but I wanted to get you started on your journey here.

    In order to have the auth token hidden, you need to have a system outside of the widget itself to do the 'heavy lifting' when it comes to the authentication token. It's worth noting that the widget itself will use the currently logged-in user's permissions to do whatever the activity in question is for the activity.

    If you look in this thread, it helps you lift the user's currently logged-in token information to do the heavy lifting so you don't have to get an auth token.

    If it's intended for a specific role group, you can use release conditions to alter the widget behaviour to only show for certain role groups as seen below. In this case, the widget only appears for the first 14 days after the student is enrolled in the system and then proceeds to hide it so it's not an annoyance on their home page.

    Let me know how you get along with your journey; other D2Lers have been asked to assist as well.

    Kind regards,