ben_hudson
Community Contributor

Default expiration date for access tokens?


An issue has been brought to my attention by a staff member that a student who left our district in November 2017 was logging into our Canvas environment and sending messages to a teacher on March 03, 2018. I think I've discovered how this student was able to get in and I'm partially surprised that it worked but also partially confused. I'm hoping someone can provide me with some insight on the best way to resolve the issue.

When I review the student's settings I see that he last accessed Canvas on November 16, 2017 using Canvas for iOS (District provided), and on March 4, 2018 using Canvas for Android (Personal). My guess is he was logged in on his Android device before he left our District and before we disabled his Active Directory account, which allowed the Access Token to be created. Since he's disabled in our Active Directory we have always assumed students would no longer be able to access Canvas but now we see this isn't the case. However I'm guessing the connection to his Android device has never been broken, hence why he can still access our system from it. We don't typically delete accounts from Canvas because if a student returns to us we want them to have access to all of their prior work.

I would like to know if I can modify the access tokens for any/all users Canvas for Android and/or Canvas for iOS through the API? Whether that be I delete them completely or set an expiration date, it doesn't really matter to me. An alternative would be if there is a way to automatically set an expiration date through an account setting somewhere? 


Accepted Solutions
ben_hudson
Community Contributor

I've continued my digging and stumbled across this wonderful idea (https://community.canvaslms.com/ideas/10074-log-off-all-devices). As with everything I was not the first to have this issue and as I can see from the idea it appears Canvas has no resolution. The idea is still open for voting so if this is something you're interested in I hope this pushes you to stop by the idea page and give it a Vote Up!

pklove I've mentioned you here since Canvas alerted me you bookmarked this, figured you might be interested in my new discovery.

Thanks,

Ben


2 Replies
jpruden
Community Member

Hi Ben,

I've been yelling about this for years... but with the way that ideas work around this place, it may be another 4 years before we get any motion on this issue.

Looks like the only way we'll get any traction on this basic security issue is to ask our student bodies to up vote the issue. I tried some time ago, but it got squashed.

https://community.canvaslms.com/ideas/6628 

As a side note, you can request all tokens to get expired from your CSM. We have to do this twice yearly when passwords change, but I'm completely uncomfortable with student's grades being accessible from a device when their account has been expired in AD.

Ugh.

Welcome to the nightmare...

smiles,

Jamie
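
The gap discussed in this thread, a mobile app token that keeps working after the directory account is disabled, can be caught by comparing directory disable dates with per-app last-access times. The Python below is an added example, not code from any poster or from Canvas; the two CSV layouts, their column names and the sample rows are constructed assumptions standing in for whatever exports a district has available.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample exports; the column names are assumptions, not a Canvas or AD format.
DISABLED_ACCOUNTS_CSV = """login_id,disabled_at
student1,2017-11-20T00:00:00Z
student2,2018-01-15T00:00:00Z
"""

LMS_ACTIVITY_CSV = """login_id,app,last_access
student1,Canvas for iOS,2017-11-16T14:05:00Z
student1,Canvas for Android,2018-03-04T02:11:00Z
student2,Canvas for iOS,2018-01-10T09:30:00Z
student3,Canvas for Android,2018-03-05T08:00:00Z
"""


def parse_ts(value):
    """Parse a UTC timestamp such as 2018-03-04T02:11:00Z."""
    return datetime.strptime(value.strip(), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_disabled(disabled_csv):
    """Map each disabled login (lower-cased) to the time it was disabled."""
    rows = csv.DictReader(io.StringIO(disabled_csv))
    return {r["login_id"].strip().lower(): parse_ts(r["disabled_at"]) for r in rows}


def find_post_disable_access(disabled_csv, activity_csv):
    """Return app sessions whose last access is later than the account's disable time."""
    disabled = load_disabled(disabled_csv)
    findings = []
    for row in csv.DictReader(io.StringIO(activity_csv)):
        login = row["login_id"].strip().lower()
        disabled_at = disabled.get(login)
        if disabled_at is None:
            continue  # account is still enabled in the directory
        seen = parse_ts(row["last_access"])
        if seen > disabled_at:
            findings.append({
                "login_id": login,
                "app": row["app"],
                "days_after_disable": (seen - disabled_at).days,
            })
    # Longest-lived stale sessions first, since they are the most overdue for revocation.
    return sorted(findings, key=lambda f: f["days_after_disable"], reverse=True)


if __name__ == "__main__":
    for finding in find_post_disable_access(DISABLED_ACCOUNTS_CSV, LMS_ACTIVITY_CSV):
        print(finding)
```
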