Short-lived tokens after October

  • 8 September 2021
Hi everyone,

In the August product update notification we can find an update to the timespan for SSO tokens generated to grant authentication for users logged in to a third-party service, as we do have.

When you need to create a token to grant that authorisation, though, there are actually TWO tokens:

  1. First, you need an admin login to be allowed to make the API call for the user’s login (first token).
  2. Then you create the token used in the URL to make the user log in (second token).

Which token will be impacted by the change?

Thank you to those who can help me.


1 reply

Hello,

The short-lived token change is affecting only out-of-the-box SSO integrations, such as SAML, OpenID Connect, Auth0.
If you are using an OAuth2 token generated via an API call (or JWT authentication), this process will not be affected.

Each Single-Sign-On has a slightly different process, but in the end all of them return a link to the LMS with the short-lived token in the URL.
The LMS automatically and internally, using POST calls, exchanges it for the real access token, increasing security but without changing the overall behavior of the Single-Sign-On.

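The exchange described in the reply above, sketched as an added example that is not part of the original thread and is not the LMS's own code. The class and method names and the 30-second lifetime are assumptions; the thread gives no figure. It shows why the URL token is safe to expose briefly: it is single-use, expires quickly, and the real access token is only returned on the back-channel POST.

```python
import hashlib
import secrets
import time

SHORT_TTL = 30  # seconds; assumed lifetime, not stated in the thread


class TokenExchange:
    """Hypothetical server-side store for short-lived, single-use URL tokens."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock          # injectable so expiry can be tested
        self._pending = {}           # sha256(token) -> (user_id, expiry)

    @staticmethod
    def _digest(token):
        # Keep only a hash so a leaked table does not expose usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue_short_lived(self, user_id):
        """Called once SSO succeeds; the result is placed in the redirect URL."""
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (user_id, self._clock() + SHORT_TTL)
        return token

    def exchange(self, token):
        """Handle the internal POST: return an access token dict or None."""
        # pop() makes the token single-use: a replayed URL finds nothing.
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None              # unknown, forged or already used
        user_id, expiry = entry
        if self._clock() >= expiry:
            return None              # link was opened too late
        # The long-lived credential never appears in a URL, history or Referer.
        return {"user_id": user_id, "access_token": secrets.token_urlsafe(32)}
```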