Desire2Learn Valence API non-interactive authentication

Question

In the Desire2Learn Valence API, is there a non-interactive authentication flow for server applications? The Valence documentation appears to assume that any authenticating application will be an interactive client process.

Answer 1

We actually accomplished this by non-interactively logging into the site. If you try this route, make sure to grab the d2lSecureSessionVal, d2lSessionVal, and Login cookies and add them to your subsequent requests.

Request 1: 1 > POST http{s}://elearning.test.masked.edu/d2l/lp/auth/login/login.d2l 1 > Content-Type: application/x-www-form-urlencoded userName={Your Username}&password={Your Password}

Response 1:

1 < Set-Cookie: LoginKey=; expires=Sat, 01-Jan-2000 05:00:00 GMT; path=/
1 < Set-Cookie: d2lSecureSessionVal=masked; path=/; HttpOnly  <-- grab this
1 < Set-Cookie: Login=true; path=/   <-- grab this
1 < Set-Cookie: d2lSessionVal=masked; path=/   <-- grab this

Note that on this request, the target doesn't really matter much Request 2: 2 > GET http{s}://elearning.test.masked.edu:443/d2l/auth/api/token?x_a=ZNsxGYZuSmasked&x_b=7jkhCKfEmaked&x_target=https%3A%2F%2Fwww.maked.edu 2 > Cookie: d2lSecureSessionVal=masked; d2lSessionVal=masked; Login=true;

It will try to redirect you to the target site. Ignore the redirect, x_a is what you are really after.

Response 2:

2 < 302
2 < X-AspNet-Version: 2.0.50727
2 < Date: Tue, 09 Oct 2012 14:03:45 GMT
2 < Content-Length: 248
2 < X-XSS-Protection: 0
2 < Location: http{s}://www.masked.edu?x_a=DxHmasked&x_b=aQVkg-7jkhCKfEmaked&x_c=IfLBcKYFf8masked
2 < Set-Cookie: TS50cdf6=masked; Path=/
2 < Content-Type: text/html; charset=utf-8
2 < X-Powered-By: ASP.NET
2 < Cache-Control: private
2 < 

Grab x_a from this response and use it as x_b in your requests

The first time is a bugger since there is a page that displays a check box to allow requests from a specific host. We just grabbed the auth token request and popped it in a browser. After checking the box to always allow, things work just fine.

Note also that the auth token will expire occasionally. Make sure you code for that and re-authenticate when it happens.

Answer 2

I used the getting started example code from the PHP example code, which shows you the userkeys in your browser after you log in, to get the keys for my "service account" that I created.

I then put these into a PHP class that I could reuse to make connections. So in my code, I can call

$authcontext = d2l::connect();

It really works like a charm.

Answer 3

This is somewhat connected to the question located here:

Authenticaton Method for Desire2Learn REST API vs SOAP

Valence APIs do require that an interactive auth step has occurred, but, this can be done at "install time" for a non-interactive app. The result of that process are keys that can be used "for a long time".

For some version and service pack levels this was 30 days, but, can be made to "not expire". "Not expire" is the expected default going forward, but, if it is still set to 30 days on your instance you can make a support request to have it change.