← 返回 Skills 市场

Canvas LMS IDP Auto Token Refresh

Name: Canvas LMS IDP Auto Token Refresh
Author: summers-tars

作者 TheSumSt · GitHub ↗ · v1.0.0 · MIT-0

cross-platform ⚠ suspicious

总下载

当前安装

版本数

在 OpenClaw 中安装

/install canvas-lms-idp-auto-refresh

功能描述

Automatically refresh Canvas LMS API tokens via institutional CAS/SAML IDP login using RSA-encrypted credentials and manage token lifecycle.

使用说明 (SKILL.md)

Canvas LMS — IDP Auto Token Refresh

Automate Canvas API token refresh by replaying institutional IDP login (CAS/SAML) with RSA-encrypted credentials.

How It Works

Entry URL → CAS/IDP (lck + authChainCode) → RSA encrypt password → authExecute
  → loginToken (JWT) → authnEngine → SSO ticket → Canvas session → create API token
  → (optional) delete old tokens by purpose → output NEW_TOKEN=xxx

The script handles the full IDP chain: cookie juggling, JavaScript-redirect handoff, CSRF extraction, and Canvas API token CRUD.

Quick Start

1. Install Dependencies

cd scripts/
python3 -m venv .venv
.venv/bin/pip install -r requirements.txt

Dependencies: requests, beautifulsoup4, pycryptodome, python-dotenv.

2. Configure Credentials

Copy .env.example to .env and fill in:

cp scripts/.env.example scripts/.env

Required fields:

ELEARNING_USERNAME — student/staff ID
ELEARNING_PASSWORD — password

Optional (defaults to Fudan eLearning):

ELEARNING_ENTRY_URL — CAS entry point
ELEARNING_IDP_BASE_URL — IDP base URL
ELEARNING_ENTITY_ID — SP entity ID
ELEARNING_TOKEN_PURPOSE — label for created tokens (default: "OpenClaw Auto Refresh Token")
ELEARNING_CLEANUP_OLD_TOKENS — auto-delete old tokens with same purpose (default: false)

3. Run

# Full flow: login → create token → cleanup old tokens
cd scripts && .venv/bin/python elearning_login.py --cleanup-old-tokens

# Debug mode (verbose HTTP logs + save debug artifacts)
cd scripts && .venv/bin/python elearning_login.py --debug --cleanup-old-tokens

# Dry-run: only test up to public key fetch (no login)
cd scripts && .venv/bin/python elearning_login.py --dry-run --debug

On success, the script prints NEW_TOKEN=\x3Ctoken_value> to stdout.

4. Integrate with Token Lazy-Loading

For agents that call Canvas API, implement a lazy-refresh pattern:

Read saved token from file
Validate with GET /api/v1/users/self — check HTTP status only (don't read body)
If 200 → use token
If 401 → run refresh script, capture NEW_TOKEN=, save to file, retry
If refresh also fails → alert user (password changed, CAPTCHA triggered, etc.)

Key rules:

Validate once per session, not on every API call
Only re-validate on explicit 401 responses
Don't log or expose raw token values
The refresh takes ~2-3 seconds, run silently

Security

.env contains credentials — never commit to git (.env is gitignored by default)
debug_output/ may contain session cookies and encrypted payloads — sanitize before sharing
The script uses PKCS1v1_5 RSA encryption for password transport (matching the IDP's JS frontend)
Tokens are created with a purpose label for lifecycle management
Old tokens with matching purpose can be auto-deleted to avoid accumulation

Known Limitations

Limitation	Impact	Mitigation
CAPTCHA/rate-limiting	Script cannot solve human verification	Alert user, manual intervention needed
MFA/2FA	Requires interactive flow not supported by `requests`	Not supported; alert user
IDP interface changes	JSON field names or HTML structure may change	Debug output (`--debug`) captures raw responses for diagnosis
Public key format changes	Script supports PEM, Base64-DER, modulus+exponent	If new format appears, extend `parse_public_key_payload()`

Troubleshooting

Run with --debug to save artifacts to debug_output/:

Symptom	Check
`未能从入口响应中解析到 lck`	`debug_output/entry_response.html` — look for `context_CAS_...`
`queryAuthMethods 未找到 userAndPwd`	`debug_output/query_auth_methods.json` — check `moduleCode` field
`未从 authExecute 提取到 loginToken`	`debug_output/auth_execute.json` — check `code`/`message`
`未拿到关键会话 Cookie`	Check `auth_execute.json` for errors, `authn_engine_response.html` for CAPTCHA
Token API returns 401/422	`debug_output/cookies.txt` for `_csrf_token` / `_normandy_session`
Cleanup fails	`debug_output/cleanup_summary.json` for `failed` entries

Adapting to Other Institutions

The IDP flow is based on a common CAS/SAML pattern used by many Chinese universities. To adapt:

Change URLs in .env: ELEARNING_ENTRY_URL, ELEARNING_IDP_BASE_URL, ELEARNING_ENTITY_ID
Test with --dry-run first to verify lck/authChainCode extraction
If IDP uses different auth methods: modify pick_auth_chain_code() in auth_session.py
If password encryption differs: modify encrypt_password_rsa() and parse_public_key_payload()

Tested with: Fudan University (id.fudan.edu.cn → elearning.fudan.edu.cn).

安全使用建议

This package implements the claimed Canvas IDP login and token lifecycle operations, but treat it as sensitive software before running: - Do not run with your primary/high-privilege account. Create a restricted test account if possible. - The script requires ELEARNING_USERNAME and ELEARNING_PASSWORD (set in .env or env vars). The registry metadata failing to declare these is an inconsistency — verify the skill source and author before supplying secrets. - Avoid running with --debug on shared systems; debug_output/ will contain cookies, CSRF tokens, encrypted payloads and other sensitive artifacts. If you must debug, inspect and securely delete artifacts afterward. - The script prints NEW_TOKEN to stdout; ensure whatever captures stdout (agent logs, CI logs) is secure and that you do not accidentally commit tokens or debug files to source control. - Review the bundled Python files yourself (they are included) and confirm endpoints (ELEARNING_ENTRY_URL, ELEARNING_IDP_BASE_URL, token API URL) are correct for your institution. Consider removing or sanitizing debug-dump calls before using in production. - Prefer native OAuth/OIDC flows or long-lived API tokens if available; this kind of credential replay is brittle (CAPTCHA, MFA) and carries risk. If you need higher assurance: ask the publisher for a homepage/source repo, confirm provenance, or run the code in an isolated environment (ephemeral VM/container) and test with a non-sensitive account. If the metadata cannot be corrected (declaring required env vars), treat that as a red flag and proceed cautiously.

功能分析

Type: OpenClaw Skill Name: canvas-lms-idp-auto-refresh Version: 1.0.0 The skill bundle is a legitimate automation tool designed to refresh Canvas LMS API tokens by simulating an institutional IDP (CAS/SAML) login flow, specifically targeting Fudan University's systems. The code implements a complex authentication chain involving RSA-encrypted password transport, JWT extraction, and session handling. It demonstrates good security practices, such as masking sensitive cookie values in debug logs and providing explicit instructions in SKILL.md for the AI agent to avoid logging raw tokens and to handle credentials via environment variables. No evidence of data exfiltration, malicious execution, or harmful prompt injection was found; the logic is entirely consistent with its stated purpose.

能力标签

cryptorequires-oauth-tokenrequires-sensitive-credentials

能力评估

ℹ Purpose & Capability

The code and SKILL.md implement exactly what the name/description claim (replay institutional CAS/SAML login, RSA-encrypt password, create Canvas API token, optionally delete old tokens). Requested capabilities (username/password, session cookies, Canvas token CRUD) align with the stated purpose. However the registry metadata lists no required environment variables while the scripts and SKILL.md require ELEARNING_USERNAME and ELEARNING_PASSWORD — a clear metadata/instruction inconsistency.

⚠ Instruction Scope

Runtime instructions require creating a .env with username/password and running the packaged Python scripts. The scripts produce debug artifacts (entry_response.html, auth_execute.json, cookies.txt, create_token.json, etc.) which may contain session cookies, CSRF tokens, encrypted payloads and potentially raw token values. SKILL.md cautions about sanitizing debug files, but the default tooling writes these to disk and the script prints NEW_TOKEN to stdout — both are sensitive outputs that could be captured or leaked if run in shared environments.

ℹ Install Mechanism

There is no platform install spec, but SKILL.md instructs users to create a Python venv and pip install packages from PyPI (requests, beautifulsoup4, pycryptodome, python-dotenv). These are common libraries and the risk is moderate (network installs from PyPI). No downloads from unknown servers or obfuscated install steps are present.

⚠ Credentials

The script legitimately needs ELEARNING_USERNAME and ELEARNING_PASSWORD (and optional URL overrides) to perform IDP login. That is proportionate to the purpose. However the skill's registry metadata declares no required environment variables or primary credential, which is inconsistent and could mislead users into thinking no sensitive secrets are needed. The code also loads dotenv and will read environment variables at runtime.

✓ Persistence & Privilege

The skill is not always-enabled and does not request elevated platform privileges. It does not modify other skills or system-wide agent settings. It operates on provided credentials and the target Canvas/IDP endpoints only.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install canvas-lms-idp-auto-refresh
安装完成后，直接呼叫该 Skill 的名称或使用 /canvas-lms-idp-auto-refresh 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.0

Initial release: automated Canvas API token refresh via institutional IDP (CAS/SAML) login with RSA encryption. Supports Fudan University, adaptable to other Chinese universities.

元数据

Slug canvas-lms-idp-auto-refresh

版本 1.0.0

许可证 MIT-0

累计安装 0

当前安装数 0

历史版本数 1

常见问题