
Canvas LMS IDP Auto Token Refresh

Automatically refresh Canvas LMS API tokens via institutional CAS/SAML IDP login using RSA-encrypted credentials and manage token lifecycle.
Author: summers-tars · Source: clawhub · Version: v1.0.0 · API key: not required

Overview

Canvas LMS — IDP Auto Token Refresh

Automate Canvas API token refresh by replaying institutional IDP login (CAS/SAML) with RSA-encrypted credentials.

How It Works

Entry URL → CAS/IDP (lck + authChainCode) → RSA encrypt password → authExecute
  → loginToken (JWT) → authnEngine → SSO ticket → Canvas session → create API token
  → (optional) delete old tokens by purpose → output NEW_TOKEN=xxx

The script handles the full IDP chain: cookie juggling, JavaScript-redirect handoff, CSRF extraction, and Canvas API token CRUD.

Quick Start

1. Install Dependencies

cd scripts/
python3 -m venv .venv
.venv/bin/pip install -r requirements.txt

Dependencies: requests, beautifulsoup4, pycryptodome, python-dotenv.

2. Configure Credentials

Copy .env.example to .env and fill in:

cp scripts/.env.example scripts/.env

Required fields:

  • ELEARNING_USERNAME — student/staff ID
  • ELEARNING_PASSWORD — password

Optional (defaults to Fudan eLearning):

  • ELEARNING_ENTRY_URL — CAS entry point
  • ELEARNING_IDP_BASE_URL — IDP base URL
  • ELEARNING_ENTITY_ID — SP entity ID
  • ELEARNING_TOKEN_PURPOSE — label for created tokens (default: "OpenClaw Auto Refresh Token")
  • ELEARNING_CLEANUP_OLD_TOKENS — auto-delete old tokens with same purpose (default: false)

3. Run

# Full flow: login → create token → cleanup old tokens
cd scripts && .venv/bin/python elearning_login.py --cleanup-old-tokens

# Debug mode (verbose HTTP logs + save debug artifacts)
cd scripts && .venv/bin/python elearning_login.py --debug --cleanup-old-tokens

# Dry-run: only test up to public key fetch (no login)
cd scripts && .venv/bin/python elearning_login.py --dry-run --debug

On success, the script prints a NEW_TOKEN=<value> line to stdout.

4. Integrate with Token Lazy-Loading

For agents that call Canvas API, implement a lazy-refresh pattern:

  1. Read saved token from file
  2. Validate with GET /api/v1/users/self — check HTTP status only (don't read body)
  3. If 200 → use token
  4. If 401 → run refresh script, capture NEW_TOKEN=, save to file, retry
  5. If refresh also fails → alert user (password changed, CAPTCHA triggered, etc.)

Key rules:

  • Validate once per session, not on every API call
  • Only re-validate on explicit 401 responses
  • Don't log or expose raw token values
  • The refresh takes ~2-3 seconds; run it silently
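The lazy-refresh pattern above, as an added example that is not part of the original page: a token store that validates once per session, re-validates only on a 401, runs the refresh script and captures its NEW_TOKEN= line, and never logs the token value. The token file path, the subprocess command and the status-only probe are assumptions; the probe is injectable so the logic can be exercised offline.

```python
# Added example, not the project's code. Assumed: token kept in a plain file, refresh
# script run as a subprocess printing NEW_TOKEN=<value>, injectable status-only probe.
import re
import subprocess
import urllib.error
import urllib.request
from pathlib import Path

NEW_TOKEN_RE = re.compile(r"^NEW_TOKEN=(\S+)$", re.MULTILINE)

def parse_new_token(stdout):
    """Extract the NEW_TOKEN=<value> line from the refresh script's stdout."""
    m = NEW_TOKEN_RE.search(stdout)
    return m.group(1) if m else None

def run_refresh_script(cmd=("python3", "elearning_login.py", "--cleanup-old-tokens")):
    """Run the refresh silently; stdout is parsed here and never printed or logged."""
    proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
    return parse_new_token(proc.stdout) if proc.returncode == 0 else None

def canvas_probe(base_url, token):
    """GET /api/v1/users/self and return only the HTTP status; the body is not read."""
    req = urllib.request.Request(f"{base_url}/api/v1/users/self", headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

class CanvasTokenStore:
    """Validate once per session; re-validate only on an explicit 401."""
    def __init__(self, token_file, probe, refresh=run_refresh_script):
        self.token_file, self.probe, self.refresh = Path(token_file), probe, refresh
        self._token = None  # set only after a 200 probe
    def get_token(self):
        if self._token is not None:
            return self._token
        tok = self.token_file.read_text().strip() if self.token_file.exists() else ""
        if tok and self.probe(tok) == 200:
            self._token = tok
            return tok
        return self.on_unauthorized()
    def on_unauthorized(self):
        """Call on a 401: refresh, persist, re-probe. The token value never enters a log."""
        new = self.refresh()
        self._token = new if new is not None and self.probe(new) == 200 else None
        if self._token is None:
            raise RuntimeError("Canvas token refresh failed (password changed or CAPTCHA?); alert the user")
        self.token_file.write_text(new + "\n")
        return new
```

Against a live instance, pass `lambda t: canvas_probe("https://<canvas-host>", t)` as the probe; the test below drives the same logic with a fake probe.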

Security

  • .env contains credentials — never commit to git (.env is gitignored by default)
  • debug_output/ may contain session cookies and encrypted payloads — sanitize before sharing
  • The script uses PKCS#1 v1.5 RSA encryption for password transport (matching the IDP's JS frontend)
  • Tokens are created with a purpose label for lifecycle management
  • Old tokens with matching purpose can be auto-deleted to avoid accumulation

Known Limitations

| Limitation | Impact | Mitigation |
| --- | --- | --- |
| CAPTCHA/rate-limiting | Script cannot solve human verification | Alert user, manual intervention needed |
| MFA/2FA | Requires interactive flow not supported by requests | Not supported; alert user |
| IDP interface changes | JSON field names or HTML structure may change | Debug output (--debug) captures raw responses for diagnosis |
| Public key format changes | Script supports PEM, Base64-DER, modulus+exponent | If a new format appears, extend parse_public_key_payload() |

Troubleshooting

Run with --debug to save artifacts to debug_output/. The symptoms in the first column are the script's own error messages, quoted verbatim:

| Symptom | Check |
| --- | --- |
| 未能从入口响应中解析到 lck | debug_output/entry_response.html — look for context_CAS_... |
| queryAuthMethods 未找到 userAndPwd | debug_output/query_auth_methods.json — check the moduleCode field |
| 未从 authExecute 提取到 loginToken | debug_output/auth_execute.json — check code/message |
| 未拿到关键会话 Cookie | Check auth_execute.json for errors and authn_engine_response.html for a CAPTCHA |
| Token API returns 401/422 | debug_output/cookies.txt for _csrf_token / _normandy_session |
| Cleanup fails | debug_output/cleanup_summary.json for failed entries |

Adapting to Other Institutions

The IDP flow is based on a common CAS/SAML pattern used by many Chinese universities. To adapt:

  1. Change URLs in .env: ELEARNING_ENTRY_URL, ELEARNING_IDP_BASE_URL, ELEARNING_ENTITY_ID
  2. Test with --dry-run first to verify lck/authChainCode extraction
  3. If IDP uses different auth methods: modify pick_auth_chain_code() in auth_session.py
  4. If password encryption differs: modify encrypt_password_rsa() and parse_public_key_payload()

Tested with: Fudan University (id.fudan.edu.cn → elearning.fudan.edu.cn).

Version History

1 version in total

  • v1.0.0 (current)
    2026-05-07 14:08

Security Scan

Tencent Cloud Security (Keen): safe, no risk
Tencent Cloud Security (Sanbu): safe, no risk
