I've been unable to find any mechanisms to enforce user-generated token policies such as expiration dates within Canvas, and have written a tool to fill in for some of these shortcomings.
It is intended to be run on a regular basis and performs the following actions:
- Identifies all user-generated tokens with no expiration date belonging to admins within an account and adds an expiration date.
- Can target admins in one account or go through all sub-accounts recursively.
- Optionally allows for shortening the expiration date for any tokens with an expiration date beyond a given time period.
- Allows supplying a list of users to exclude from this enforcement.
It is written in Python and uses both canvasapi and direct API calls for those endpoints not yet supported by canvasapi. It runs as a CLI application; pass -h or --help for the full list of options.
It looks like Canvas has a forthcoming feature to notify users by email when a token is expiring soon, so you probably want to wait for that to go live before you start any kind of enforcement. You'll also want to do a full review of accounts with user-generated tokens before using this so you don't accidentally break any external tools (you can use -x/--exclude to skip them).
This is the first release, so it's bound to have some bugs. I recommend testing it out in your beta/test environments first, and any feedback / feature ideas / bugfix PRs are welcome. I've done a fair bit of testing but the typical no implied warranties, waiver of responsibility, etc. applies.
https://github.com/tonytoon/canvas-public
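
The enforcement rules listed in the post can be expressed as a pure decision step that is separate from any API call. The following is an added example, not code from the linked repository: the function name, the token dict keys (`id`, `user_id`, `expires_at`), the day counts and the sample records are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone


def plan_token_expirations(tokens, now, default_days=90, max_days=None,
                           excluded_users=()):
    """Return {token_id: new_expiry} for tokens that violate the policy.

    tokens: dicts with assumed keys 'id', 'user_id' and 'expires_at'
    (ISO 8601 string, or None for a token that never expires).
    """
    excluded = set(excluded_users)
    default_expiry = now + timedelta(days=default_days)
    cap = now + timedelta(days=max_days) if max_days is not None else None
    # A newly assigned expiry must itself respect the maximum lifetime.
    if cap is not None and default_expiry > cap:
        default_expiry = cap

    plan = {}
    for tok in tokens:
        if tok["user_id"] in excluded:
            continue  # e.g. an integration account reviewed and exempted
        raw = tok.get("expires_at")
        if raw is None:
            plan[tok["id"]] = default_expiry  # no expiry: add one
            continue
        expires = datetime.fromisoformat(raw.replace("Z", "+00:00"))
        if cap is not None and expires > cap:
            plan[tok["id"]] = cap  # too far out: shorten to the cap
        # Tokens already expired or within the cap are left untouched.
    return plan


# Constructed sample data, not real Canvas output.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_TOKENS = [
    {"id": 1, "user_id": 10, "expires_at": None},
    {"id": 2, "user_id": 10, "expires_at": "2030-01-01T00:00:00Z"},
    {"id": 3, "user_id": 11, "expires_at": "2024-02-01T00:00:00Z"},
    {"id": 4, "user_id": 12, "expires_at": None},  # excluded below
    {"id": 5, "user_id": 11, "expires_at": "2023-06-01T00:00:00Z"},
]
PLAN = plan_token_expirations(SAMPLE_TOKENS, NOW, default_days=90,
                              max_days=180, excluded_users=[12])

if __name__ == "__main__":
    for token_id, expiry in sorted(PLAN.items()):
        print(token_id, expiry.isoformat())
```

Producing a plan first and applying it in a second step makes it easy to review what would change before any token is modified.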