In the Desire2Learn Valence API, is there a non-interactive authentication flow for server applications? The Valence documentation appears to assume that any authenticating application will be an interactive client process.
3 Answers
We actually accomplished this by non-interactively logging into the site. If you try this route, make sure to grab the d2lSecureSessionVal, d2lSessionVal, and Login cookies and add them to your subsequent requests.
Request 1:
1 > POST http{s}://elearning.test.masked.edu/d2l/lp/auth/login/login.d2l
1 > Content-Type: application/x-www-form-urlencoded
userName={Your Username}&password={Your Password}
Response 1:
1 < Set-Cookie: LoginKey=; expires=Sat, 01-Jan-2000 05:00:00 GMT; path=/
1 < Set-Cookie: d2lSecureSessionVal=masked; path=/; HttpOnly <-- grab this
1 < Set-Cookie: Login=true; path=/ <-- grab this
1 < Set-Cookie: d2lSessionVal=masked; path=/ <-- grab this
Note that on this request, the target doesn't really matter much.
Request 2:
2 > GET http{s}://elearning.test.masked.edu:443/d2l/auth/api/token?x_a=ZNsxGYZuSmasked&x_b=7jkhCKfEmaked&x_target=https%3A%2F%2Fwww.maked.edu
2 > Cookie: d2lSecureSessionVal=masked; d2lSessionVal=masked; Login=true;
It will try to redirect you to the target site. Ignore the redirect, x_a is what you are really after.
Response 2:
2 < 302
2 < X-AspNet-Version: 2.0.50727
2 < Date: Tue, 09 Oct 2012 14:03:45 GMT
2 < Content-Length: 248
2 < X-XSS-Protection: 0
2 < Location: http{s}://www.masked.edu?x_a=DxHmasked&x_b=aQVkg-7jkhCKfEmaked&x_c=IfLBcKYFf8masked
2 < Set-Cookie: TS50cdf6=masked; Path=/
2 < Content-Type: text/html; charset=utf-8
2 < X-Powered-By: ASP.NET
2 < Cache-Control: private
2 <
Grab x_a from this response and use it as x_b in your requests
The first time is a bugger since there is a page that displays a check box to allow requests from a specific host. We just grabbed the auth token request and popped it in a browser. After checking the box to always allow, things work just fine.
Note also that the auth token will expire occasionally. Make sure you code for that and re-authenticate when it happens.

It works well for one-offs. However, it is a bit dangerous for apps to play with the cookies and URLs. D2L could change the cookie strategy as it is not part of the controlled interface, and if the site changes its login sequence or tech (Shib etc.) you will end up seeing different pages – Cadmium Oct 12 '12 at 19:51
Agreed that it's possibly somewhat risky. We've been doing it since Valence was included in D2L ___without a single issue___. If you choose to hard code the token, you will be in for a surprise when the token expires (which seems to happen after every upgrade). – Thomas Lynema Oct 12 '12 at 20:43
I used the getting started example code from the PHP example code, which shows you the userkeys in your browser after you log in, to get the keys for my "service account" that I created.
I then put these into a PHP class that I could reuse to make connections. So in my code, I can call
$authcontext = d2l::connect();
It really works like a charm.

This is somewhat connected to the question located here:
Authentication Method for Desire2Learn REST API vs SOAP
Valence APIs do require that an interactive auth step has occurred, but this can be done at "install time" for a non-interactive app. The results of that process are keys that can be used "for a long time".
For some version and service pack levels this was 30 days, but it can be made to "not expire". "Not expire" is the expected default going forward, but if it is still set to 30 days on your instance you can make a support request to have it changed.
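For the install-time approach in the last answer, here is an added example (not code from any of the answers or from D2L) of a server process signing each API call with stored keys, so that no login form or session cookie is scripted. It assumes Valence's ID-key signing scheme, which this page does not spell out: base string `METHOD&path&timestamp`, HMAC-SHA256, unpadded base64url, and the parameters `x_a`, `x_b`, `x_c`, `x_d`, `x_t`. The environment variable names, host, route and key values are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os
import time
from urllib.parse import unquote, urlencode

# Names of environment variables holding the credentials (hypothetical names).
ENV_NAMES = ("D2L_APP_ID", "D2L_APP_KEY", "D2L_USER_ID", "D2L_USER_KEY")


def load_credentials(env=os.environ):
    """Read the four values from the environment so they never sit in source."""
    missing = [name for name in ENV_NAMES if not env.get(name)]
    if missing:
        raise RuntimeError("missing credentials: " + ", ".join(missing))
    return tuple(env[name] for name in ENV_NAMES)


def sign(key, base_string):
    """base64url(HMAC-SHA256(key, base_string)) with '=' padding removed."""
    mac = hmac.new(key.encode(), base_string.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode("ascii")


def signed_url(host, method, path, credentials, now=None):
    """Build a signed API URL; no login form or session cookie is involved."""
    app_id, app_key, user_id, user_key = credentials
    timestamp = int(time.time() if now is None else now)
    # Assumed base string: upper-case method, lower-cased decoded path, seconds.
    base_string = f"{method.upper()}&{unquote(path).lower()}&{timestamp}"
    query = urlencode({
        "x_a": app_id,                       # application ID
        "x_b": user_id,                      # user ID (x_a of the redirect)
        "x_c": sign(app_key, base_string),   # signed with the application key
        "x_d": sign(user_key, base_string),  # signed with the user key
        "x_t": timestamp,
    })
    return f"https://{host}{path}?{query}"


if __name__ == "__main__":
    # Constructed sample values, not real keys.
    sample = {"D2L_APP_ID": "app-id", "D2L_APP_KEY": "app-key",
              "D2L_USER_ID": "user-id", "D2L_USER_KEY": "user-key"}
    print(signed_url("lms.example.edu", "GET", "/d2l/api/lp/1.0/users/whoami",
                     load_credentials(sample)))
```

Keeping the user ID and user key in the process environment or a secrets store also makes the re-authentication case mentioned in the first answer a configuration change rather than a code change.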