ID/Key auth Python assistance

Keegan.R.4563
Keegan.R.4563 Posts: 3 🌱
edited October 30 in Social Groups

Hello!

I’m implementing ID/Key authentication for a Python script and am running into a few issues I could use some help with. I know OAuth2.0 is the new standard, but for now I'm just trying to make simple API requests and I believe this route will suffice.

Issue 1: Redirect to 404 after login (no callback)

  • My script opens auth at: /d2l/auth/api/token with parameters x_a (App ID), x_d (app signature HMAC of GET&/d2l/auth/api/token&timestamp), x_t (timestamp), x_target (http://localhost:8080/callback)
  • Login page shows the target correctly (Brightspace double-encodes the target as expected), but after login I’m redirected to https:///d2l/error/404 and my callback never receives a request
  • Manually visiting /d2l/auth/api/token returns 404 unless parameters are provided (expected), but even with parameters the post-login flow still 404s
  • App ID/Key and Trusted URL are correct; clock is in sync

Issue 2: 403 Invalid token when using API Test Tool’s user context

  • As a workaround, I authenticated via the official API Test Tool and captured the returned x_a (App ID), x_b (User ID), x_c (User Key) values
  • I placed x_b (user_id) and x_c (user_key) into my script, set host, and used the matching App ID/Key for that app
  • My request signing for API calls is:
    • app_sig = HMAC(App Key, "GET&&")
    • user_sig = HMAC(User Key, "GET&&")
    • Query params: x_a (App ID), x_b (User ID), x_c (user_sig), x_d (app_sig), x_t (timestamp)
  • Calling /d2l/api/lp/1.53/users (and also tried with/without trailing slash) returns 403 Forbidden: Invalid token
  • I also tried calling /d2l/api/lp/1.53/users/whoami first and still get 403

Questions

  1. For the ID/Key login flow to /d2l/auth/api/token, what would cause a 404 immediately after login instead of redirecting to x_target? Is there a required configuration, permission, or alternate auth path for some tenants?
  2. For the API call signing, are there tenant-specific requirements around:
    • exact path string (with vs without trailing slash) used in the signature versus the request?
    • using the User Key from the callback to compute x_c (user_sig) each request (not reusing the literal x_c returned)?
  3. Any known differences between the test tool’s flow (which uses x_b in the auth URL) versus the signature-based x_d/x_t flow that could explain the behavior?

Any guidance or pointers, or even drop-in Python scripts of up-to-date ID/Key auth examples would be greatly appreciated. Thank you!
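For reference on the signing scheme described under Issue 2 and asked about in Question 2, here is an added example (not code from the poster or from D2L) that builds the x_a/x_b/x_c/x_d/x_t query string and verifies it the way a server would. It assumes the base string is `METHOD&path&timestamp` with the path lowercased and the HMAC-SHA256 digest base64url-encoded without padding; the host, IDs and keys are constructed placeholders. It shows why the path in the signature must match the request path byte for byte (trailing slash included) and why x_c per request is a signature derived from the User Key, not the User Key itself.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit


def base_string(method: str, path: str, timestamp: int) -> str:
    # Assumed layout: METHOD&path&timestamp, path lowercased. Any difference in
    # the path (e.g. a trailing slash) yields a different signature.
    return f"{method.upper()}&{path.lower()}&{timestamp}"


def sign(key: str, method: str, path: str, timestamp: int) -> str:
    # HMAC-SHA256 over the base string, base64url without '=' padding (assumed).
    mac = hmac.new(key.encode(), base_string(method, path, timestamp).encode(), hashlib.sha256)
    return base64.urlsafe_b64encode(mac.digest()).decode().rstrip("=")


def signed_url(host, path, app_id, app_key, user_id, user_key, method="GET", timestamp=None):
    # Client side: the secrets (app_key, user_key) never leave the client;
    # only the signatures derived from them are placed in the query string.
    ts = int(time.time()) if timestamp is None else timestamp
    params = {
        "x_a": app_id,
        "x_b": user_id,
        "x_c": sign(user_key, method, path, ts),  # user signature, not the User Key
        "x_d": sign(app_key, method, path, ts),   # app signature
        "x_t": ts,
    }
    return f"https://{host}{path}?{urlencode(params)}"


def verify(url, app_key, user_key, method="GET", now=None, skew=300):
    # Server side: recompute both signatures from the path actually requested
    # and reject stale timestamps; compare_digest avoids timing leaks.
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    ts = int(q["x_t"])
    now = int(time.time()) if now is None else now
    if abs(now - ts) > skew:
        return False
    app_ok = hmac.compare_digest(q["x_d"], sign(app_key, method, parts.path, ts))
    user_ok = hmac.compare_digest(q["x_c"], sign(user_key, method, parts.path, ts))
    return app_ok and user_ok
```

If the signed path and the path actually sent differ only by a trailing slash, `verify` fails, which is consistent with the 403 "Invalid token" symptom described above when the two are out of step.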

Comments

  • Justin.B.253
    Justin.B.253 Posts: 71

    @Keegan.R.4563 I'm not familiar with using that format, just OAuth 2.0. I have created a very simple starter project that you could download and use from my GitHub that does use Python, on Mac (there are Windows instructions but they are untested), that authenticates in D2L and runs the whoami API call. From there you would be able to build just about anything locally, including downloading files from DataHub. We use a similar setup. https://github.com/justinbamberg/python-d2l-authentication

  • Keegan.R.4563
    Keegan.R.4563 Posts: 3 🌱

    @Justin.B.253

    That worked wonderfully, thank you so much! I'm surprised I hadn't found that yet; I've been looking all over GitHub for this EXACT type of template!

  • Justin.B.253
    Justin.B.253 Posts: 71

    @Keegan.R.4563 I'm glad that worked out. The reason why you didn't find it is because I uploaded it yesterday. I was sitting on it because my version has automation built in, but the authorization was there, I just needed to separate it first and your post was the driving point to getting it done.