[Permissions] Implement or extend permissions to limit users creation of tokens and enforce token expiry date

Problem statement:

Currently, any user can go to https://yourcanvasinstance/profile/settings and click on "New Access Token" to create a new token. Allowing everybody to create their own token is a possible security risk and could be against institution policies; as such it should be driven by configurable setting/permission.

Proposed solution:

Token creation and duration should be driven by configurable setting/permission:

  • Setting 1: Allow users to create "self service" tokens via "New Access Token", yes/no.
    • Ideally this is a permission and is associated to each role.
  • Setting 2: Enforce max token duration, where the duration is defined as a number of days.
    • This would force users to create tokens with an expiry date. System Admins could bypass this limitation.

Also, the "Regenerate Token" function should be fixed: if you "Regenerate" an expired token, it does not work and you have to create a new one anyway.

One of the two:

  • Hide the "Regenerate Token" button for expired tokens
  • Allow users to choose the new expiry date for the token in the "Regenerate" process

User role(s):
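The two settings above and the regeneration fix can be expressed as a single policy check that runs before a token is created or regenerated. The following Ruby is an added example written for this request; it is not Canvas code. The role names, the `admin` role used for the System Admin bypass, and the `Token` shape are assumptions made for the example.

```ruby
require 'date'
require 'set'
require 'securerandom'

# Example policy object (constructed for illustration, not Canvas's implementation).
class AccessTokenPolicy
  SYSTEM_ADMIN = 'admin'.freeze # assumed role name for the bypass

  # self_service_roles: roles allowed to use "New Access Token" (Setting 1)
  # max_token_days: maximum lifetime in days, nil = no enforced expiry (Setting 2)
  def initialize(self_service_roles:, max_token_days: nil)
    @self_service_roles = Set.new(self_service_roles)
    @max_token_days = max_token_days
  end

  # Returns an array of policy violations; empty means the request is allowed.
  def check_creation(roles:, requested_expiry:, today: Date.today)
    return [] if roles.include?(SYSTEM_ADMIN) # System Admins bypass both settings

    errors = []
    unless roles.any? { |r| @self_service_roles.include?(r) }
      errors << 'self-service token creation is not permitted for this role'
    end
    if @max_token_days
      if requested_expiry.nil?
        errors << 'an expiry date is required'
      elsif requested_expiry <= today
        errors << 'expiry must be in the future'
      elsif requested_expiry > today + @max_token_days
        errors << "expiry must be within #{@max_token_days} days"
      end
    end
    errors
  end
end

# Minimal token record for the example; expires_at may be nil (never expires).
Token = Struct.new(:id, :expires_at, :secret)

def expired?(token, today = Date.today)
  !token.expires_at.nil? && token.expires_at <= today
end

# Option 1 from the proposal: the UI simply hides the button for expired tokens.
def show_regenerate_button?(token, today = Date.today)
  !expired?(token, today)
end

# Option 2 from the proposal: regenerating an expired token requires a new expiry
# date, which is validated against the same policy as a fresh token.
# Returns [token, errors]; token is nil when the request was refused.
def regenerate(policy, token, roles:, new_expiry: nil, today: Date.today)
  if new_expiry
    errors = policy.check_creation(roles: roles, requested_expiry: new_expiry, today: today)
    return [nil, errors] unless errors.empty?
    token.expires_at = new_expiry
  elsif expired?(token, today)
    return [nil, ['token has expired: a new expiry date is required']]
  end
  token.secret = SecureRandom.hex(32) # rotate the secret, keep the same token id
  [token, []]
end

if __FILE__ == $0
  today = Date.new(2024, 9, 21) # constructed date for a deterministic run
  policy = AccessTokenPolicy.new(self_service_roles: %w[instructor ta], max_token_days: 90)
  p policy.check_creation(roles: ['student'], requested_expiry: today + 30, today: today)
  p policy.check_creation(roles: ['instructor'], requested_expiry: nil, today: today)
  old = Token.new(1, Date.new(2024, 1, 1), 'old-secret')
  p regenerate(policy, old, roles: ['instructor'], today: today)
  p regenerate(policy, old, roles: ['instructor'], new_expiry: today + 30, today: today)
end
```

The check is deliberately separate from the UI: hiding the button (option 1) is a convenience, but the server-side `check_creation` call is what actually enforces the role permission and the maximum duration, so a request sent directly to the API is held to the same rules.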

instructor,student,ta,designer,observer

2 Comments
RyanNorton
Instructure

I'm happy to report that as of 9/21/24 we have introduced Limiting Access Token Generation! You can see the details of this feature in our 21 September release notes. This feature works with and respects the expiration date settings as seen when creating an access token.

jperkins
Instructure
Status changed to: Completed