lms
Increase timeout of authentication JWT
When responding to an LTI launch, our backend code renders an authentication JWT into the HTML. The page's frontend code uses that JWT to authenticate itself as the LTI user who sent the launch whenever the page sends requests to our server (for example, XHR requests to our Canvas proxy API).
Currently these JWTs expire after one hour, and a page containing an expired JWT misbehaves, see:
Confusing behavior when our page's JWT has expired
Although we could improve on the existing behavior when the page's JWT has expired, the best we're going to be able to do is a "You must reload the page" error message. So we should also increase the lifetime of the JWT so that this happens more rarely.
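As an added illustration (not the lms project's own code), the snippet below mints the launch-page JWT with a configurable lifetime and, on verification, tells an expired token apart from an invalid one, so the server can return a specific "reload the page" error rather than a generic failure. It uses only the standard library and assumes a shared HS256 secret and a `sub` claim holding the LTI user id.

```python
import base64, hashlib, hmac, json, time

# Added example, not the lms project's code. Assumed: shared HS256 secret, "sub" = LTI
# user id, and a lifetime parameter so the default lives in exactly one place.
ONE_HOUR = 3600

class InvalidToken(Exception): pass   # malformed, wrongly signed or wrong-alg token
class ExpiredToken(Exception): pass   # correctly signed, but past its exp claim

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_jwt(secret: bytes, user_id: str, lifetime: int = ONE_HOUR, now=None) -> str:
    """Mint the token the backend renders into the launch page's HTML."""
    now = int(time.time() if now is None else now)
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps({"sub": user_id, "iat": now, "exp": now + lifetime}).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_jwt(secret: bytes, token: str, now=None) -> dict:
    """Return the claims, or raise InvalidToken / ExpiredToken."""
    now = time.time() if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(body_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError as exc:  # wrong part count, bad base64 or bad JSON
        raise InvalidToken(f"malformed token: {exc}") from exc
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg")  # pin the algorithm, never trust the header
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise InvalidToken("bad signature")
    if not isinstance(claims, dict) or now >= claims.get("exp", 0):  # missing exp == expired
        raise ExpiredToken("token expired; the page must be reloaded")
    return claims

def token_status(secret: bytes, token: str, now=None) -> str:
    """What an endpoint maps to its response: 'ok', 'expired' (clear reload error) or 'invalid'."""
    try:
        verify_jwt(secret, token, now)
    except ExpiredToken:
        return "expired"
    except InvalidToken:
        return "invalid"
    return "ok"
```

Raising the lifetime is then a one-constant change, and the `expired` branch is where the frontend's "You must reload the page" message would be driven from.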
How long should the JWT live for?
The current lifetime of one hour was chosen because Canvas access tokens last for one hour. But that's not an appropriate analogy -- access tokens come with refresh tokens that, as far as I know, last forever.
Some examples to consider:
- How long do the access tokens we grant to eLife pages last for? (How long can you leave an eLife page open before the Hypothesis client breaks?)
- How long do Pyramid session cookies last for by default?
- h session cookies?