About
Templafy uses three JSON Web Tokens (JWTs) to manage authentication and authorization: the Templafy Desktop Refresh Token, the Add-ins Refresh Token, and the Access Token.
How does JWT work?
Every time a user logs in to Windows, Templafy Desktop starts and tries to perform a login in the background.
If this is successful, the JSON Web Tokens (JWTs) are stored, encrypted, in the Windows Registry.
The encryption/decryption key is stored in Windows Credential Manager. Windows Credential Manager is a secure store that can only be accessed by the Windows user for whom the credential was created, while they are logged in, and not by other Windows admins on the same machine.
Refresh Tokens
As of Templafy Desktop Client version 3.4.75, there are 2 refresh tokens issued by Templafy Desktop Client.
- Templafy Desktop Refresh Token - used to synchronize updates to add-ins securely.
  - Lifetime - 30 days.
- Add-ins Refresh Token - used to access relevant content.
  - Lifetime - for SSO protocols, token lifetime is based on the Session Duration configured in Templafy Admin Center (set to 24 hours by default). Email Authentication tokens have a lifetime of 14 days.
RefreshKey
Additionally, a RefreshKey is stored in Global Registry to validate the refresh tokens. This offers Templafy the option to invalidate the refresh tokens by deleting the RefreshKey if necessary.
Access Token
The Access Token is part of the authorization flow, granting the user access to the Templafy tenant.
The Access Token has a lifetime of 5 minutes and will automatically be re-issued when accessing restricted resources.
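The lifetimes listed above can be checked against a captured token during a security review. The following is an added example, not Templafy code: it assumes the tokens carry the standard `iat` and `exp` claims from RFC 7519 (the article does not confirm which claims are present), the function names are hypothetical, and the sample token is constructed. The SSO lifetime is configurable, so the 24-hour value is only the default.

```python
import base64
import json
import time

# Lifetimes stated in this article, in seconds.
DOCUMENTED_LIFETIMES = {
    "access": 5 * 60,
    "desktop_refresh": 30 * 24 * 3600,
    "addins_refresh_sso_default": 24 * 3600,  # default Session Duration
    "addins_refresh_email": 14 * 24 * 3600,
}

def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_claims(token):
    """Return the payload claims of a compact JWT WITHOUT verifying the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected 3 dot-separated segments")
    claims = json.loads(_b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims

def check_lifetime(token, kind, now=None, tolerance=60):
    """Compare exp - iat with the documented lifetime for `kind`."""
    claims = jwt_claims(token)
    if "iat" not in claims or "exp" not in claims:
        raise ValueError("token lacks iat/exp (assumed claims); cannot check lifetime")
    now = time.time() if now is None else now
    lifetime = claims["exp"] - claims["iat"]
    return {
        "lifetime_seconds": lifetime,
        "within_documented": lifetime <= DOCUMENTED_LIFETIMES[kind] + tolerance,
        "expired": now >= claims["exp"],
    }

def make_sample_token(iat, lifetime):
    """Build a constructed sample token with a placeholder signature (not a real token)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = {"alg": "HS256", "typ": "JWT"}
    return f"{enc(header)}.{enc({'iat': iat, 'exp': iat + lifetime})}.constructed"

if __name__ == "__main__":
    sample = make_sample_token(1_700_000_000, 300)
    print(check_lifetime(sample, "access", now=1_700_000_100))
```

The signature is deliberately not verified here, so the result describes what the token claims and must not be used to make an access decision.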
When are Tokens Renewed?
Templafy Desktop Refresh Token
Templafy Desktop will try to log in at every start-up and attempt to reauthenticate after midnight, if the process is still running (load is distributed in the first hour after midnight).
If the computer is shut down, hibernating, or sleeping, it will try to renew the token when the computer first starts/resumes. The same pattern is used to check for updates to add-ins.
A pop-up will appear from Templafy Desktop every time the refresh token is reset, noting "Update Completed Successfully", if the "Show notifications" setting is enabled.
Add-ins Refresh Token
If a user starts Office and there is a valid refresh token, this is used to authenticate the user to Templafy, so a full login is avoided.
If there is not a valid refresh token, then the Office app will do a full login.
After a successful login, the Office add-ins save the refresh token.