API authentication without logging into Brightspace via browser
We are looking to use Java to automate a job to export data from Brightspace using the Brightspace Data Sets in the Data Hub for analysis and reporting, but the OAuth 2.0 authentication steps require us to log in to Brightspace within an internet browser. We would like to know if it is possible to make REST API calls from Java directly to Brightspace without requiring the SSO login. How are other schools authenticating to use the Valence APIs? Is it possible to bypass the "login to browser" step? I submitted a D2L support case and was told there is no way around this. This is a roadblock for us at this point.
Answers
-
Hi Kim,
I use the User ID-key authentication method, and then use the key tool to generate and display the user ID and key for a specific app, and then store them as environment variables on our server. As long as you do not change the password on the account that you're using, the user ID and key remain the same, so I would recommend creating an account in D2L for no other purpose to ensure there isn't a reason to reset it. So in this setup, you only need to log in through the browser the very first time to generate the user ID and key.
Jason
-
@Jason.W.277 and @Kim.B.954, a problem I have had to work around is that our regular login URL redirects to our SAML identity provider. The special d2l-only account for the app will not be in the SIS, so I need to inject a no-redirect URL into the process.
-
@Renee.J.194 and @Jason.W.277 thanks for the feedback! We ran into the same issue with having to find a workaround for the no-redirect URL.
-
Hello, so when getting an initial token, that is correct, you must validate via browser, but after getting an initial token you can use that token until it expires. Once it is expired you can use your refresh token to get a new access token. The SSO authentication will only be used for the initial process. However, if this discussion post is in regards to Postman having an SSO error (I had the same error), you can get new access tokens through the OAuth 2.0 client shell mentioned in this community post: https://community.d2l.com/brightspace/kb/articles/1196-how-to-obtain-an-oauth-2-0-refresh-token
-
@Jason.W.277 are you able to log in through the browser via the no-redirect URL using User ID-key auth or were you forced to log in via SSO?
-
I'm looking for an alternative also; none of the machines we have that will be using the APIs even have a desktop environment to open a browser from.
-
Hi Kim,
At our college we have a specific account for web services calls. Then we registered an OAuth 2.0 application in Admin Cog > Manage Extensibility > OAuth 2.0. Then in a browser we go to
https://auth.brightspace.com/oauth2/auth?response_type=code&client_id=CLIENT_ID_HERE&scope=SCOPE_HERE&redirect_uri=REDIRECT_URI_HERE
Then sign in as the dedicated web services account. You will then be redirected to the redirect_uri and given an authorization code.
You can then make a POST request to
https://auth.brightspace.com/core/connect/token
With the following in the body:
grant_type: authorization_code
redirect_uri: REDIRECT_URI_FROM_PREVIOUS_CALL
code: AUTHORIZATION_CODE
EDIT: The client id and client secret need to be in an Authorization header as a base64 encoded ("client_id:client_secret") token, Basic Auth
"Authorization: Basic [base64_encoded_string]"
With that call you will get a refresh token and an access token. We have a Django server dedicated for this that makes a call to refresh the access token every hour. This way we do not have to re-authenticate with the account password. We have been running for months like this and have not had to log back in.
Call to refresh token:
POST request to:
https://auth.brightspace.com/core/connect/token
grant_type: refresh_token
refresh_token: REFRESH_TOKEN
scope: SCOPE_HERE
EDIT: The client id and client secret need to be in an Authorization header as a base64 encoded ("client_id:client_secret") Bearer token, Basic Auth
"Authorization: Basic [base64_encoded_string]"
I'm happy to help and give more specifics on our set up. Hope this helps!
Alison Figueira, Marist College
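The refresh call described in the answer above, as an added example (not code from the original post or from D2L): it builds the Basic-authenticated POST and writes the returned tokens to an owner-only file so a headless job can reuse them. The function names, the token-file layout and the handling of a newly issued refresh token are assumptions; the endpoint and form fields are the ones given in the post.

```python
import base64
import json
import os
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://auth.brightspace.com/core/connect/token"  # from the post


def build_refresh_request(client_id, client_secret, refresh_token, scope):
    """Build the refresh POST: Basic auth header plus form-encoded body."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "scope": scope,
    }).encode()
    return urllib.request.Request(TOKEN_URL, data=body, method="POST", headers={
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    })


def save_tokens(path, response_json, previous_refresh_token, now=None):
    """Store tokens in a 0600 file (hypothetical layout); reject error replies."""
    data = json.loads(response_json)
    if "access_token" not in data:
        # Raise before touching the file so the last good tokens survive.
        raise ValueError(f"token endpoint error: {data.get('error', 'unknown')}")
    issued = int(now if now is not None else time.time())
    state = {
        "access_token": data["access_token"],
        # If the server issues a new refresh token, it replaces the old one.
        "refresh_token": data.get("refresh_token", previous_refresh_token),
        "expires_at": issued + int(data.get("expires_in", 0)),
    }
    # Mode 0600 applies when the file is created; secrets stay owner-only.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(state, fh)
    return state


def refresh(path, client_id, client_secret, scope):
    """One refresh cycle for a scheduled job; performs the network call."""
    with open(path) as fh:
        old = json.load(fh)["refresh_token"]
    req = build_refresh_request(client_id, client_secret, old, scope)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return save_tokens(path, resp.read().decode(), old)
```

Pass the client id and secret in from the environment or a secrets store rather than hard-coding them, and alert on the `ValueError` path, since a rejected refresh token means the one-time browser sign-in has to be repeated.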
-
We use ID Key Authorization to call APIs to download data hub data sets for report analysis. It's the same process as yours. We also use Java. It works very well.