Describe the bug
No way to change token expiration time window from the default 30 minutes.
This is despite the example flows and API documentation stating that the email stage's token_expiry property should be able to change the token expiry.
To Reproduce
Here is an example stage that demonstrates the issue.
resource "authentik_stage_email" "email" {
  name                     = "example-recovery-email"
  use_global_settings      = true
  activate_user_on_success = true
  token_expiry             = 60
  subject                  = "Reset your ${var.organization_name} account!"
}
Deploy the above and integrate it into a recovery flow.
Try to issue a recovery email or generate a recovery link.
Check the authentik_core_token table. Notice that the expiration time is only 30 minutes in the future.
Expected behavior
The expiration time of tokens should match the configured token_expiry.
Version and Deployment (please complete the following information):
authentik version: 2024.4.2
Deployment: helm
Additional Context:
It seems weird that token_expiry is on the stage rather than the flow, especially since we can generate recovery links without emails. Perhaps this is just an old property that needs to be deleted? If so, it would be ideal to be able to set expiration windows on recovery links via some other mechanism.
From quickly looking through the code I can see how this would happen if the token expires and is rotated (when the token is rotated we currently default to the default expiry value, which is 30 minutes).
While I could be confusing terms, I believe the issue we have found is specifically with token creation during the recovery flows.
In other words:
No token / active recovery flow exists for the user
Click create recovery link / send recovery email for the user
Notice that the new token is created in the authentik_core_token table but that it will always have an expiration time 30 minutes in the future regardless of the token_expiry setting.
Validate that after 30 minutes the reset links do not work.
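As an added verification, not part of the issue or of the authentik project, the following Python snippet automates the check in the reproduction steps above: it takes rows read from the authentik_core_token table and reports every recovery token whose remaining lifetime does not match the stage's configured token_expiry (in minutes). The sample rows are constructed, and the column names (identifier, intent, expires) and the "recovery" intent value are assumptions about the table schema; adjust them to the real table before running it against a deployment.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of rows as they might be read from authentik_core_token,
# e.g. with: SELECT identifier, intent, expires FROM authentik_core_token;
# Column names and the "recovery" intent value are assumptions, not verified
# against the real schema.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_ROWS = [
    {"identifier": "recovery-link-alice", "intent": "recovery",
     "expires": NOW + timedelta(minutes=30)},   # default 30-minute window
    {"identifier": "recovery-link-bob", "intent": "recovery",
     "expires": NOW + timedelta(minutes=60)},   # matches token_expiry = 60
    {"identifier": "api-token-ci", "intent": "api",
     "expires": NOW + timedelta(days=365)},     # not a recovery token; skipped
]


def check_recovery_token_expiry(rows, configured_minutes, now, tolerance_seconds=60):
    """Return (identifier, remaining_minutes) for each recovery token whose
    time left until `expires` differs from the configured token_expiry by more
    than `tolerance_seconds`. Run this right after issuing the recovery link so
    the remaining lifetime is close to the full configured window."""
    expected = timedelta(minutes=configured_minutes)
    mismatches = []
    for row in rows:
        if row["intent"] != "recovery":
            continue
        remaining = row["expires"] - now
        if abs((remaining - expected).total_seconds()) > tolerance_seconds:
            mismatches.append((row["identifier"], round(remaining.total_seconds() / 60)))
    return mismatches


if __name__ == "__main__":
    # With token_expiry = 60 as in the Terraform stage above, the 30-minute
    # token is the symptom described in the report.
    for identifier, minutes in check_recovery_token_expiry(SAMPLE_ROWS, 60, NOW):
        print(f"{identifier}: expires in {minutes} min, expected 60")
```

The tolerance absorbs the few seconds between token creation and the query; if tokens are checked long after creation, compare against a creation timestamp instead of the current time.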