Templafy add-ins version 18.104.22.1687 and higher use a new way of authenticating users, introduced to reduce the loading time of the task pane in Office applications.
How does JWT work?
Every time a user logs in to Windows, Templafy Desktop starts and attempts Single Sign-On (SSO) authentication in the background. If this is successful, two JSON Web Tokens (JWT) are stored in Windows Credential Manager:
- The Templafy Desktop token is used to synchronize offline content, fonts, and updates to add-ins securely.
- The Templafy Office add-in token is used to avoid a full SSO login when starting Office apps.
The Windows Credential Manager is safe storage that can only be accessed by the Windows user who is logged in, and not by other Windows admins on the same machine.
1. Templafy Desktop
Templafy Desktop tries to log in at every startup and reauthenticates after midnight if the process is still running (the load is distributed over the first hour after midnight). If the computer is shut down, hibernating, or sleeping, it tries the SSO when the computer first starts or resumes. The same pattern is used to check for updates to add-ins, offline content, and fonts. If the background login is not successful, it tries again at the next login or midnight.
The token that Templafy Desktop uses to fetch packages, fonts, and offline content is valid for 30 days. After that period, the JWT expires and users need to re-authenticate.
2. Templafy Office add-ins
If a user starts Office and there is a valid JWT, it is used to sign the user in to Templafy, so a full SSO is avoided.
If there is no valid JWT, the Office app does a full SSO login, which requires the user to wait just a few seconds.
If the full SSO login is successful, the Office add-ins save the JWT. The JWT is valid for the next 24 hours. Templafy Desktop will still try to renew the tokens after midnight, even if the login happened at 11 PM.
If the user has the Templafy task pane open in an Office application for 24 hours, then the first time the user interacts with Templafy (for example, clicks on a folder or on Templafy), it checks that the JWT is still valid by refreshing the WebApp in the task pane (like F5 in a browser). When refreshing, the user will notice a 1-2 second delay while it checks for a valid JWT. If no valid JWT is found, a full redirect is done (3-10 seconds). In both situations, the task pane remembers its state.
Technically, there is a 1-hour sliding window: if a user is actively using Templafy when a JWT expires, the check for a valid JWT does not happen until the WebApp has been paused for 1 hour. This is controlled by the server and may later be changed to a shorter length of time.
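The lifetime rules described above, modelled as an added example that is not Templafy's code: it decodes a JWT payload without verifying the signature and classifies the token against the 24-hour and 30-day lifetimes and the 1-hour sliding window. The function names, state labels, sample token, and the presence of `exp` and `iat` claims in Templafy's tokens are assumptions.

```python
import base64, json
from datetime import datetime, timedelta, timezone

# Lifetimes and sliding window as stated on this page.
LIFETIME = {"desktop": timedelta(days=30), "addin": timedelta(hours=24)}
SLIDING_WINDOW = timedelta(hours=1)

def jwt_claims(token):
    """Decode the payload segment WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT segments")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(padded))

def audit(token, kind, now, last_activity=None):
    """Return (state, findings) for a token of kind 'desktop' or 'addin'."""
    claims = jwt_claims(token)
    exp = datetime.fromtimestamp(claims["exp"], tz=timezone.utc)  # assumes an `exp` claim
    findings = []
    if "iat" in claims:  # assumption: `iat` may be present; skip the check if not
        issued = datetime.fromtimestamp(claims["iat"], tz=timezone.utc)
        if exp - issued > LIFETIME[kind]:
            findings.append("lifetime exceeds documented maximum")
    if now < exp:
        state = "valid"  # token reused, full SSO avoided
    elif kind == "addin" and last_activity and now - last_activity < SLIDING_WINDOW:
        state = "expired-in-sliding-window"  # user still active, check deferred
    else:
        state = "expired-needs-sso"  # next interaction triggers re-authentication
    return state, findings

def make_sample(iat, exp):
    """Constructed sample token with a placeholder signature, for the demo only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc({"iat": iat, "exp": exp}), "c2ln"])

if __name__ == "__main__":
    now = datetime(2024, 1, 2, 12, 0, tzinfo=timezone.utc)
    issued = int((now - timedelta(hours=25)).timestamp())
    token = make_sample(issued, issued + 24 * 3600)  # expired one hour before `now`
    print(audit(token, "addin", now, last_activity=now - timedelta(minutes=10)))
    print(audit(token, "addin", now, last_activity=now - timedelta(hours=2)))
```

The `expired-in-sliding-window` state reflects the page's description that an actively used session continues past the token's expiry until the WebApp has been paused for an hour.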