Instructure OneRoster Authentication Specifications

When configuring the Instructure OneRoster API integration, you must specify your system authorization method.

For OneRoster Implementation details, refer to IMS Global OneRoster v1.1 final specification documentation.

Note: OneRoster v1.2 will require OAuth 2.0 authorization.

Note: Instructure is a OneRoster Consumer. For OneRoster Consumer and Provider definitions, view the Introduction to OneRoster.

Supported Authentication Methods 

When configuring your Instructure OneRoster integration, you must specify the integration authorization method. Instructure supports both OAuth 2.0 and OAuth 1.0a authentication configurations.

If your institution opts to use OAuth 1.0a, prevent server sync issues by providing the following server timestamp flexibility: 10 min in the past; 5 min in the future.

If your institution opts to use OAuth 2.0, the access token request authorization header includes client credentials (consumer key and secret). Additionally, if your institution has pre-defined the authorization scope, it is built into the URL upon implementation.

Learn more about OneRoster 1.1 security configuration options.

Note: When running an API call, each concurrent thread requests its own token. If a new token is issued, do not invalidate previously generated tokens. 

Additional Resources