Always Learning


This use case describes the step-by-step process to submit an API request using the OAuth 2.0-Assertion protocol.

Libraries & Sample Code

Read the documentation to understand how to create a signature and use it in a request. To make implementation easier, we have the LearningStudio Libraries, which can generate a signature for a request and can even send the request while handling authentication behind the scenes. If you want to roll your own code, check out the OAuth 2 sample code for working examples.

Build and Submit Sequence

Click the link to open the referenced content.

Step Notes

1. If necessary, the application looks up the Educational Partner username for the user using the OAuth 1.0a protocol. If the application already knows the username, skip this step.

Submit API Request Using OAuth 1.0a

GET /users/{userId}


GET /courses/{courseIdentification}/roster/{userIdentification}

Application must have a valid application ID and Educational Partner credentials.

2. Application builds the pipe-delimited assertion.

OAuth 2.0-Assertion and Signature - Assertion Syntax

The application must have a valid application ID, the Educational Partner client string, and the Educational Partner consumer key.

3. Application creates the assertion signature.

OAuth 2.0-Assertion and Signature - Creation Assertion Signature


  a. Encrypt the assertion using the CMAC-AES process.


  b. Hex-encode the encrypted value using the process appropriate to the application language.

4. Application appends the final signature value to the assertion to create the signed assertion.

OAuth 2.0-Assertion and Signature - Signed Assertion Syntax

5. Application builds the request body using the assertion string and requests the access token for the user.

POST /token

6. Application saves the access token that was returned in the response body. It also starts tracking how much time is left until the access token expires.

7. Application adds the access token to either the X-Authorization or the Cookie parameter in the request header for all subsequent API requests made for the user.

Using OAuth 2.0 Authorization Tokens

8. When the access token is due to expire, application repeats steps 2 through 7 to request a new access token.

9. Application can repeat steps 2 through 8 as many times as necessary to support the user in the current application session. Be sure to use only the latest access token.
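Steps 2 through 4 as an added example (not the LearningStudio Libraries or the OAuth 2 sample code): AES-CMAC per RFC 4493 built on Node.js's built-in AES, hex-encoded and appended to the pipe-delimited assertion, plus the matching check on the receiving side. The function names, the 16-byte AES-128 key and the field order are assumptions made for illustration; take the real field list and order from the Assertion Syntax reference.

```javascript
const nodeCrypto = require('node:crypto');
// One AES-128 block encryption (ECB, no padding): the primitive CMAC is built on.
function aesBlock(key, block) {
  const c = nodeCrypto.createCipheriv('aes-128-ecb', key, null);
  c.setAutoPadding(false);
  return Buffer.concat([c.update(block), c.final()]);
}
// Doubling in GF(2^128): shift left one bit, fold a carried-out bit back in as 0x87.
function dbl(b) {
  const out = b.map((v, i) => ((v << 1) | (i < 15 ? b[i + 1] >> 7 : 0)) & 0xff);
  if (b[0] & 0x80) out[15] ^= 0x87;
  return out;
}

// AES-CMAC as specified in RFC 4493; returns the 16-byte tag.
function aesCmac(key, msg) {
  const k1 = dbl(aesBlock(key, Buffer.alloc(16)));
  const n = Math.max(1, Math.ceil(msg.length / 16));          // number of blocks
  const complete = msg.length > 0 && msg.length % 16 === 0;
  const tail = msg.subarray((n - 1) * 16);
  const last = Buffer.concat([tail, Buffer.alloc(16)]).subarray(0, 16);
  if (!complete) last[tail.length] = 0x80;                    // 10* padding
  const sub = complete ? k1 : dbl(k1);                        // K1 if full, K2 if padded
  let x = Buffer.alloc(16);
  for (let blk = 0; blk < n; blk++) {
    const m = blk < n - 1 ? msg.subarray(blk * 16, blk * 16 + 16) : last.map((v, i) => v ^ sub[i]);
    x = aesBlock(key, x.map((v, i) => v ^ m[i]));
  }
  return x;
}

// Steps 2-4: join fields with pipes, compute the tag, hex-encode it, append it.
function signAssertion(fields, key) {
  if (fields.some((f) => String(f).includes('|'))) throw new Error('field contains the delimiter');
  const assertion = fields.join('|');
  return `${assertion}|${aesCmac(key, Buffer.from(assertion, 'utf8')).toString('hex')}`;
}

// Receiving side: recompute the tag and compare in constant time.
function verifySignedAssertion(signed, key) {
  const cut = signed.lastIndexOf('|');
  const tag = Buffer.from(signed.slice(cut + 1), 'hex');
  const expected = aesCmac(key, Buffer.from(signed.slice(0, cut), 'utf8'));
  return tag.length === 16 && nodeCrypto.timingSafeEqual(tag, expected);
}
// Constructed sample values; the field order is an assumption, not the documented syntax.
const SAMPLE_KEY = Buffer.from('000102030405060708090a0b0c0d0e0f', 'hex');
const SAMPLE_FIELDS = ['example-app-id', 'example-client-string', 'example-consumer-key', 'jdoe'];
console.log(signAssertion(SAMPLE_FIELDS, SAMPLE_KEY));
```

CMAC-AES yields a fixed-length message authentication code rather than reversible ciphertext, so the signed assertion is checked by recomputing the tag over the assertion text, never by decrypting it.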
