Open fullykubed opened 4 months ago
Additional info: Does not matter whether `use_global_settings` is `true` or `false`.
From quickly looking through the code I can see how this would happen if the token expires and is rotated (when the token is rotated we currently default to the default expiry value which is 30 minutes)
While I could be confusing terms, I believe the issue we have found is specifically with token creation during the recovery flows.
In other words:
`authentik_core_token` table but that it will always have an expiration time 30 minutes in the future regardless of the `token_expiry` setting.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Still an issue.
I think the problem is that the recovery tokens are created differently from the admin interface/ via the API than they are during flow execution.
The API does not set any expiration time so it will always use the default of 30 minutes. Maybe the API call should check for an email stage in the recovery flow and use the setting from there? At least the recovery_email endpoint gets an email stage passed directly and could use the expiry_token value from that.
During flow execution the token is created with the token_expiry setting from the stage. https://github.com/goauthentik/authentik/blob/b0507d20635ee6d9f8fa0553f97bdb307561f51a/authentik/stages/email/stage.py#L83-L89
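A quick audit of the symptom discussed in this thread, added here as an example and not code from the authentik project: given rows exported from the `authentik_core_token` table (constructed sample data below; the column names `identifier`, `intent`, `created` and `expires` are an assumption), it reports recovery tokens whose expiry window does not match the stage's configured `token_expiry`, which is how you would confirm whether a given creation path is still falling back to the 30-minute default.

```python
from datetime import datetime

# Window the thread reports tokens always receiving, in minutes.
DEFAULT_EXPIRY_MINUTES = 30

# Constructed sample export of authentik_core_token rows. Column names are
# an assumption; adjust to the real schema. Timestamps are UTC ISO-8601.
SAMPLE_ROWS = [
    {"identifier": "recovery-1", "intent": "recovery",
     "created": "2024-05-01T10:00:00+00:00",
     "expires": "2024-05-01T10:30:00+00:00"},   # 30 min: the default
    {"identifier": "recovery-2", "intent": "recovery",
     "created": "2024-05-01T11:00:00+00:00",
     "expires": "2024-05-02T11:00:00+00:00"},   # 1440 min: stage setting
    {"identifier": "api-1", "intent": "api",
     "created": "2024-05-01T12:00:00+00:00",
     "expires": "2024-05-01T12:30:00+00:00"},   # not a recovery token
]


def expiry_window(row):
    """Minutes between a token's creation and its expiry."""
    created = datetime.fromisoformat(row["created"])
    expires = datetime.fromisoformat(row["expires"])
    return (expires - created).total_seconds() / 60


def audit_recovery_tokens(rows, configured_minutes, tolerance_minutes=1):
    """Return (identifier, window_minutes) for recovery tokens whose expiry
    window differs from the configured token_expiry by more than the
    tolerance. Entries sitting on DEFAULT_EXPIRY_MINUTES are the symptom
    reported in this issue."""
    mismatched = []
    for row in rows:
        if row["intent"] != "recovery":
            continue
        window = expiry_window(row)
        if abs(window - configured_minutes) > tolerance_minutes:
            mismatched.append((row["identifier"], window))
    return mismatched


if __name__ == "__main__":
    # Stage configured for a 24-hour token_expiry (1440 minutes).
    for ident, window in audit_recovery_tokens(SAMPLE_ROWS, 1440):
        flag = " (default)" if window == DEFAULT_EXPIRY_MINUTES else ""
        print(f"{ident}: expires after {window:.0f} min{flag}")
```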
I experienced this via both the links generated from the admin UI and the tokens included in the email link (which I assume are a part of the flow).
Perhaps the flow component has been addressed in a recent release?
Describe the bug
No way to change token expiration time window from the default 30 minutes.
This is despite the example flows and API documentation stating that the email stage's `token_expiry` property should be able to change the token expiry.
To Reproduce
Here is an example stage that demonstrates the issue.
`authentik_core_token` table. Notice that the expiration time is only 30 minutes in the future.
Expected behavior
The expiration time of tokens should match the configured `token_expiry`.
Version and Deployment (please complete the following information):
Additional Context:
It seems weird that `token_expiry` is on the stage rather than the flow, especially since we can generate recovery links without emails. Perhaps this is just an old property that needs to be deleted? If so, it would be ideal to be able to set expiration windows on recovery links via some other mechanism.