Right now we always reauthenticate (exchange an oauth token for a session token) when we load an HTML block. This is because we have no way of knowing if a request failed (see https://openedx.atlassian.net/browse/MA-1006). We should improve this by:
1. Only refresh the token if we haven't recently (say the last hour).
2. In case we are on API 23, instead, use the new WebViewClient method that provides an HTTP status code and check that for a 4xx error. If we encounter an error, only then, try to authenticate. (P2 - refile as separate ticket if needed)
To validate on a sandbox:
view an assessment in the webview
restart memcache on the server (sudo service memcached restart)
should be able to view the assessment in the webview - without needing to log in.