Default expiration date for access tokens?

Question asked by Ben Hudson on Mar 14, 2018
Latest reply on Mar 26, 2019 by Jamie Pruden

An issue has been brought to my attention by a staff member that a student who left our district in November 2017 was logging into our Canvas environment and sending messages to a teacher on March 03, 2018. I think I've discovered how this student was able to get in and I'm partially surprised that it worked but also partially confused. I'm hoping someone can provide me with some insight on the best way to resolve the issue.


When I review the student's settings I see that he last accessed Canvas on November 16, 2017 using Canvas for iOS (District provided), and on March 4, 2018 using Canvas for Android (Personal). My guess is he was logged in on his Android device before he left our District and before we disabled his Active Directory account, which allowed the Access Token to be created. Since he's disabled in our Active Directory we have always assumed students would no longer be able to access Canvas, but now we see this isn't the case. However, I'm guessing the connection to his Android device has never been broken, hence why he can still access our system from it. We don't typically delete accounts from Canvas because if a student returns to us we want them to have access to all of their prior work.


I would like to know if I can modify the access tokens for any/all users Canvas for Android and/or Canvas for iOS through the API? Whether that be I delete them completely or set an expiration date, it doesn't really matter to me. An alternative would be if there is a way to automatically set an expiration date through an account setting somewhere?