Programmatically login user

I have my portal for the instructors that should use a particular admin account to let the portal users add students. In the D2L instance, these users are regular teachers.

OAuth 2.0 doesn't fit the task.

I used the instructions from the following link.

https://community.brightspace.com/s/article/API-Cookbook-Headless-Non-Interactive-Web-Service-Workflow

It says:
"You need to manually harvest the user tokens using a utility such as the API Test Tool (https://apitesttool.desire2learnvalence.com/) to authenticate with your LMS."

This is where I am stuck. The tool does NOT return the token, and it doesn't store the token in the cache either. The token in Local Storage expires in an hour.

Please, help.

Best Answers

  • Tatiana.M.51 Posts: 5 🌱
    Answer ✓

    @Ian.P.710 Thanks for the recommendation; I am using OAuth 2.0 for now, which does not satisfy the requirements because I had to give more privileges to the users. I cannot restrict these users to a particular Department. The whole point of the custom application was to keep the users as teachers in the LMS with as few privileges as possible and give them a way to create new classes and add the students through the app only to a particular LMS template.

  • Ian.P.710 Posts: 25
    Answer ✓

    So you will initially need to log in with the user account used for the service user. If you have SSO, you can bypass that with Brightspacedomain/d2l/login?noredirect=1 to get to the local login page. Log in with the service user account and password, get the refresh token, then use that in your ASP.NET code to get the new access token. Make sure both are stored on the server; then the APIs should not require any additional login as long as the refresh token does not expire. It is good for up to 30 days as per standard OAuth2.

  • Ian.P.710 Posts: 25
    Answer ✓

    OK, so the access token itself will by default last 1 hour; you can set it up to be longer if needed, but that is not recommended. If the access token expires, you get an error, at which point you trade in the refresh token to get a new access token and refresh token. As long as that trade-in occurs at least once in the 30 days from the last time it was updated, you should always be able to connect without the need to re-login the service account.
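
The refresh-token trade-in described in the two answers above, written for ASP.NET Core 6 (implicit usings enabled) as an added example that is not part of the thread or of D2L's own code. `IRefreshTokenStore`, `ServiceAccountTokenProvider`, the token endpoint URI passed in from configuration, and sending the client credentials in the form body are assumptions; take the actual values from your OAuth 2.0 app registration.

```csharp
using System.Net.Http.Json;
using System.Text.Json.Serialization;
// Hypothetical abstraction over an encrypted, server-side store for the refresh token.
public interface IRefreshTokenStore
{
    Task<string> LoadAsync(CancellationToken ct);
    Task SaveAsync(string refreshToken, CancellationToken ct);
}
public sealed record TokenResponse(
    [property: JsonPropertyName("access_token")] string AccessToken,
    [property: JsonPropertyName("refresh_token")] string RefreshToken,
    [property: JsonPropertyName("expires_in")] int ExpiresIn);

public sealed class ServiceAccountTokenProvider
{
    private readonly HttpClient _http;
    private readonly IRefreshTokenStore _store;
    private readonly Uri _tokenEndpoint; // assumption: read from configuration
    private readonly string _clientId, _clientSecret;
    private readonly SemaphoreSlim _gate = new(1, 1);
    private string? _accessToken;
    private DateTimeOffset _expiresAt = DateTimeOffset.MinValue;

    public ServiceAccountTokenProvider(HttpClient http, IRefreshTokenStore store,
        Uri tokenEndpoint, string clientId, string clientSecret) =>
        (_http, _store, _tokenEndpoint, _clientId, _clientSecret) = (http, store, tokenEndpoint, clientId, clientSecret);

    public async Task<string> GetAccessTokenAsync(CancellationToken ct = default)
    {
        await _gate.WaitAsync(ct); // one trade-in at a time, so no caller presents an already traded-in token
        try
        {
            if (_accessToken is not null && DateTimeOffset.UtcNow < _expiresAt) return _accessToken;
            var form = new FormUrlEncodedContent(new Dictionary<string, string>
            {
                ["grant_type"] = "refresh_token", ["refresh_token"] = await _store.LoadAsync(ct),
                ["client_id"] = _clientId, ["client_secret"] = _clientSecret,
            });
            using var resp = await _http.PostAsync(_tokenEndpoint, form, ct);
            resp.EnsureSuccessStatusCode(); // on failure the service account has to log in again
            var token = await resp.Content.ReadFromJsonAsync<TokenResponse>(cancellationToken: ct)
                ?? throw new InvalidOperationException("Empty token response");
            await _store.SaveAsync(token.RefreshToken, ct); // persist the new refresh token first
            _accessToken = token.AccessToken;
            _expiresAt = DateTimeOffset.UtcNow.AddSeconds(token.ExpiresIn - 60); // renew a minute early
            return _accessToken;
        }
        finally { _gate.Release(); }
    }
}
```

Register the provider as a singleton so the semaphore and the cached access token are shared across requests; with more than one app instance, the store itself has to serialize the trade-in. Keep both tokens out of logs and out of anything sent to the browser.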

Answers

  • Ian.P.710 Posts: 25

    So if I am understanding this correctly, you have a web server external to Brightspace running an application that allows users to add students.
    You have said OAuth 2 does not fit the task. Why not?
    Do the users have the right roles and permissions to add users to the system?
    The way I would do this is to use OAuth2 and use https://community.d2l.com/brightspace/kb/articles/1196-how-to-obtain-an-oauth-2-0-refresh-token to enable you to log in with a user that has access rights to create a user, then get the OAuth 2 refresh token.

    Then in your application use that acquired refresh token to get a new OAuth 2 access token and use the D2L APIs to send the commands to register a user, using the access token on your server as the bearer token.

    This way the user does not need the Brightspace roles and permissions to add a user directly in Brightspace, as they will use the hidden service account to create the users in Brightspace.

    Hopefully I have understood what you are trying to do; if not, please provide additional details.

  • Ian.P.710 Posts: 25

    OK, so if you use the service account to send the D2L API commands, you can have your users log in to your app and then, based on their login to your app, control what they can do in terms of access.
    The users themselves do not need any additional permissions in Brightspace, as the service account connected via OAuth2 with the higher level of permissions is doing all the commands on their behalf.

  • Tatiana.M.51 Posts: 5 🌱

    @Ian.P.710 OAuth 2.0 uses a redirect and opens the login screen. I created the service account but am stuck on skipping this D2L login screen. Any suggestions? The app is in ASP.NET Core 6.

  • Tatiana.M.51 Posts: 5 🌱

    @Ian.P.710 It kicks me out after an hour.

    I will try your suggestions for sure; thanks a lot!

    The "30 days" means that I have to re-login every month, correct?

  • Tatiana.M.51 Posts: 5 🌱

    @Ian.P.710 Thanks a lot! Very clear explanation. Really appreciated.