Service-to-service authentication?

We want to automate some processes using the Brightspace API, without the need for a human to log in (because the automation process will be running on a server).

Does Brightspace have a process for service-to-service (S2S) authentication? To reiterate, we need to integrate with Brightspace's API without user interaction, using something like the client credentials OAuth 2.0 flow.

I can authenticate and get an access token if I log in as a user, but I can't find any documentation on how to authenticate machine-to-machine.

Thanks,
Richard

Tagged:

Answers

  • Chris.S.534
    Chris.S.534 Posts: 379
    edited August 2023

    Hi Richard,

    Currently all applications using the Valence APIs require explicit user consent to make API calls and therefore can only use the three legged workflow requiring a Brightspace user to log in.

    However we do support a “service user pattern” for application integrations that are intended to be administrative scripts, middleware development and so forth:

    1. Create a service user/role combination to associate with your application that has the permissions the application/script needs.
    2. Login manually as this user to go through the workflow to be able to provision the application/script with credentials; the credentials need to be stored securely for/with your application.
    3. For OAuth2: the credentials in step 2 will come with a short-lived access token and a longer-lived refresh token (one use); the app will then need to be designed to, on a regular basis, use the refresh token workflow to ask for a new access token and refresh token combo — unlike the step 2 request, the refresh token workflow can be done directly with Auth service and needs no user in between. The initial access token request is three legged and returns an access token and one-use refresh token; the refresh token workflow is two legged and trades that refresh token directly in for another access token and one-use refresh token.

    This is also covered in the following resource, https://community.brightspace.com/s/article/How-to-get-started-with-OAuth-2-0 related resources are also available from the linked resource.

    Hope that helps!

  • Richard.R.305
    Richard.R.305 Posts: 20 🌱

    Hi @Chris.S.534

    Thanks for your reply! I implemented this approach the other day, but it appeared that the refresh token expired overnight (without ever being used to retrieve an access token). Maybe I was wrong.

    If a one-use refresh token is not used for, say, a weekend, does it expire?

    Thanks,

    Richard

  • Chris.S.534
    Chris.S.534 Posts: 379
    edited August 2023

    Hi Richard,
    Apologies for the delayed response, the typical recommendation is, depending on the refresh workflow and if your application runs periodically, is to have a way of “keeping itself alive” by ensuring it does the refresh token workflow before the expiry time hits.

    The access tokens are short-lived and can be reused until they expire (minutes/hours), the refresh tokens are long lived but single use (days/weeks). See https://docs.valence.desire2learn.com/basic/oauth2.html#registering-using-oauth-2-0

    Hope that helps!

  • Jasmine.J.394
    Jasmine.J.394 Posts: 5 🌱

    Hiya,

    So, would the user need to re-authorize every time the refresh token expires?

  • Mike.S.974
    Mike.S.974 Posts: 5 🌱

    Hi Jasmine,

    No, you don't need to re-authorize. Just use the new refresh token after every refresh, you can only use the refresh token once.