With Templafy add-ins version 188.8.131.527, a new way of authenticating users was introduced in order to reduce the loading time of the task pane in Office applications.
How does JWT work?
Every time a user logs in to Windows, Templafy Desktop starts and tries to do a Single Sign-On authentication (SSO) in the background. If this is successful, two JSON Web Tokens (JWT) are stored in Windows Credential Manager:
- The Templafy Desktop token is used to synchronize Office content, fonts, and updates to add-ins securely.
- The Templafy Office add-ins token is used to avoid a full SSO login when starting Office apps.
The Windows Credential Manager is a secure store that can only be accessed by a Windows user who is logged in, and not by other Windows admins on the same machine.
1. Templafy Desktop
Templafy Desktop will try to log in every day after midnight (load is distributed in the first hour after midnight). If the computer is asleep, it will try to do the SSO when the computer first resumes. The same pattern is used to check for updates to add-ins, offline content, fonts, and email signatures. If the background login is not successful, it will try again at the next login/midnight.
2. Templafy Office add-ins
If a user starts Office and there is a valid JWT, this is used to sign the user into Templafy, so a full SSO is avoided.
If there is not a valid JWT, then the Office app will do a full SSO login, requiring the user to wait for just a few seconds.
If this is successful, then the Office add-ins save the same two JWTs as Templafy Desktop, and they are valid for the next 24 hours. Templafy Desktop will still try to renew these after midnight, even if the login happened at 11 PM.
If the user has had the Templafy task pane open in an Office application for 24 hours, then the first time that the user interacts with Templafy (i.e., clicks on a folder, or Templafy), it checks that the JWT is still valid by refreshing the WebApp in the task pane (the equivalent of pressing F5 in a browser). When refreshing, the user will notice a 1-2 second delay while it checks for a valid JWT. If no valid JWT is found, then a full redirect will be done (3-10 seconds). In both situations, the task pane will remember its state.
Technically, there is a 1-hour sliding window: if a user is actively using Templafy when a JWT expires, the check for a valid JWT does not happen until the WebApp has been paused for 1 hour. This is controlled by the server, and may later be changed to a shorter length of time.
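The decision flow described above can be modelled as follows. This is an added example, not Templafy code: the function names, the returned labels, the use of the standard `exp`/`iat` claims, and the sample token and signing key are all assumptions made for illustration.

```python
import base64, hashlib, hmac, json
from datetime import datetime, timedelta, timezone

TOKEN_LIFETIME = timedelta(hours=24)  # validity period stated on this page
SLIDING_WINDOW = timedelta(hours=1)   # server-controlled window stated on this page

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_sample_jwt(issued_at: datetime) -> str:
    """Constructed HS256 token for this demo; claims and key are made up."""
    claims = {"sub": "user@example.com", "iat": int(issued_at.timestamp()),
              "exp": int((issued_at + TOKEN_LIFETIME).timestamp())}
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(b"demo-key", f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def read_exp(token: str) -> datetime:
    """Read 'exp' for inspection only; the signature is NOT verified here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    claims = json.loads(base64.urlsafe_b64decode(seg))
    return datetime.fromtimestamp(claims["exp"], tz=timezone.utc)

def task_pane_action(token, now: datetime, last_activity: datetime) -> str:
    """Hypothetical model of what happens on the next task pane interaction."""
    if token is None:                      # nothing in Credential Manager
        return "full_sso"
    try:
        exp = read_exp(token)
    except (ValueError, KeyError, TypeError):
        return "full_sso"                  # unreadable token is treated as invalid
    if now < exp:
        return "use_cached_jwt"            # full SSO avoided
    if now - last_activity < SLIDING_WINDOW:
        return "defer_check"               # user still active: check postponed
    return "full_sso"                      # expired and paused for 1 hour or more
```

Because the signature is not checked, `read_exp` is suitable only for inspecting a token's lifetime during testing; token validity is decided by the server.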
How to test it?
To test this, you can remove the tokens from Windows Credential Manager by taking the following steps:
1. Search for ‘Credential Manager’ in the Windows Start menu.
2. Click on TemplafyDesktop and TemplafyOfficeAddIns, and select ‘remove’.
3. Next, either log out or log in to Windows, or select ‘Check for update’ in Templafy Desktop.
To test Office, you either need to close and open the application, or close and open the task pane.