From 916530f0d8c4f3ed5343fe113afadd7ba9eecc93 Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Wed, 15 Sep 2021 17:14:53 +0200
Subject: [PATCH] providers/oauth2: use access_code_validity for id_tokens generated when using an implicit flow, improve wording in web ui
closes #1369
Signed-off-by: Jens Langhammer
---
 .../providers/oauth2/tests/test_authorize.py | 2 +-
 authentik/providers/oauth2/views/authorize.py | 2 +-
 web/src/locales/en.po | 22 ++++++++++++++-----
 web/src/locales/pseudo-LOCALE.po | 20 +++++++++++++----
 .../providers/oauth2/OAuth2ProviderForm.ts | 7 ++++--
 5 files changed, 40 insertions(+), 13 deletions(-)
diff --git a/authentik/providers/oauth2/tests/test_authorize.py b/authentik/providers/oauth2/tests/test_authorize.py
index 4172486b5..cbf4d0978 100644
--- a/authentik/providers/oauth2/tests/test_authorize.py
+++ b/authentik/providers/oauth2/tests/test_authorize.py
@@ -247,7 +247,7 @@ class TestAuthorize(OAuthTestCase):
 "to": (
 f"http://localhost#access_token={token.access_token}"
 f"&id_token={provider.encode(token.id_token.to_dict())}&token_type=bearer"
- f"&expires_in=2592000&state={state}"
+ f"&expires_in=60&state={state}"
 ),
 },
 )
diff --git a/authentik/providers/oauth2/views/authorize.py b/authentik/providers/oauth2/views/authorize.py
index 226ac4e68..f451fe5ee 100644
--- a/authentik/providers/oauth2/views/authorize.py
+++ b/authentik/providers/oauth2/views/authorize.py
@@ -367,7 +367,7 @@ class OAuthFulfillmentStage(StageView):
 query_fragment["token_type"] = "bearer"
 query_fragment["expires_in"] = int(
- timedelta_from_string(self.provider.token_validity).total_seconds()
+ timedelta_from_string(self.provider.access_code_validity).total_seconds()
 )
 query_fragment["state"] = self.params.state if self.params.state else ""
diff --git a/web/src/locales/en.po b/web/src/locales/en.po
index f4f59d101..8c1dd3189 100644
--- a/web/src/locales/en.po
+++ b/web/src/locales/en.po
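Review bot: The changed `expires_in` line in `OAuthFulfillmentStage` only alters the lifetime advertised in the implicit-flow fragment; nothing visible in this hunk ties the stored access token or the `exp` claim of the `id_token` to `access_code_validity`, so if either is still issued with `token_validity` elsewhere, the token exposed in the URL fragment remains usable long after the client is told it expired. The updated test in `test_authorize.py` pins only `expires_in=60`; asserting the token's own expiry and the decoded `id_token` expiry against the same window would catch that mismatch. Judging by its name and the old form label, the same setting also bounds authorization codes, so an admin following the new form hint to raise it for implicit clients would lengthen code lifetime as well (RFC 6749 §4.1.2 recommends at most 10 minutes); a comment such as `# NOTE: access_code_validity bounds both authorization codes and implicit-flow tokens` above the assignment, or a separate setting, would make that trade-off explicit. The enclosing method starts and ends outside the hunk.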
@@ -88,14 +88,18 @@ msgstr "API request failed"
 msgid "Access Key"
 msgstr "Access Key"
-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
-msgid "Access code validity"
-msgstr "Access code validity"
+#:
+#~ msgid "Access code validity"
+#~ msgstr "Access code validity"
 #: src/pages/sources/oauth/OAuthSourceForm.ts
 msgid "Access token URL"
 msgstr "Access token URL"
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
+msgid "Access token validity"
+msgstr "Access token validity"
+
 #: src/elements/events/ObjectChangelog.ts
 #: src/elements/events/UserEvents.ts
 #: src/pages/events/EventListPage.ts
@@ -787,9 +791,13 @@ msgstr "Configuration stage"
 msgid "Configure WebAuthn"
 msgstr "Configure WebAuthn"
+#:
+#~ msgid "Configure how long access codes are valid for."
+#~ msgstr "Configure how long access codes are valid for."
+
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
-msgid "Configure how long access codes are valid for."
-msgstr "Configure how long access codes are valid for."
+msgid "Configure how long access tokens are valid for."
+msgstr "Configure how long access tokens are valid for."
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 msgid "Configure how long refresh tokens and their id_tokens are valid for."
@@ -2057,6 +2065,10 @@ msgstr "If this flag is set, this Stage will jump to the next Stage when no Invi
 msgid "If this is selected, the token will expire. Upon expiration, the token will be rotated."
 msgstr "If this is selected, the token will expire. Upon expiration, the token will be rotated."
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
+msgid "If you are using an Implicit, client-side flow (where the token-endpoint isn't used), you probably want to increase this time."
+msgstr "If you are using an Implicit, client-side flow (where the token-endpoint isn't used), you probably want to increase this time."
+
 #: src/pages/outposts/OutpostDeploymentModal.ts
 msgid "If your authentik Instance is using a self-signed certificate, set this value."
 msgstr "If your authentik Instance is using a self-signed certificate, set this value."
diff --git a/web/src/locales/pseudo-LOCALE.po b/web/src/locales/pseudo-LOCALE.po
index 05dd00a6b..c147c8ad2 100644
--- a/web/src/locales/pseudo-LOCALE.po
+++ b/web/src/locales/pseudo-LOCALE.po
@@ -88,14 +88,18 @@ msgstr ""
 msgid "Access Key"
 msgstr ""
-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
-msgid "Access code validity"
-msgstr ""
+#:
+#~ msgid "Access code validity"
+#~ msgstr ""
 #: src/pages/sources/oauth/OAuthSourceForm.ts
 msgid "Access token URL"
 msgstr ""
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
+msgid "Access token validity"
+msgstr ""
+
 #: src/elements/events/ObjectChangelog.ts
 #: src/elements/events/UserEvents.ts
 #: src/pages/events/EventListPage.ts
@@ -781,8 +785,12 @@ msgstr ""
 msgid "Configure WebAuthn"
 msgstr ""
+#:
+#~ msgid "Configure how long access codes are valid for."
+#~ msgstr ""
+
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
-msgid "Configure how long access codes are valid for."
+msgid "Configure how long access tokens are valid for."
 msgstr ""
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
@@ -2049,6 +2057,10 @@ msgstr ""
 msgid "If this is selected, the token will expire. Upon expiration, the token will be rotated."
 msgstr ""
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
+msgid "If you are using an Implicit, client-side flow (where the token-endpoint isn't used), you probably want to increase this time."
+msgstr ""
+
 #: src/pages/outposts/OutpostDeploymentModal.ts
 msgid "If your authentik Instance is using a self-signed certificate, set this value."
 msgstr ""
diff --git a/web/src/pages/providers/oauth2/OAuth2ProviderForm.ts b/web/src/pages/providers/oauth2/OAuth2ProviderForm.ts
index c9f2ee470..cdeb696e8 100644
--- a/web/src/pages/providers/oauth2/OAuth2ProviderForm.ts
+++ b/web/src/pages/providers/oauth2/OAuth2ProviderForm.ts
@@ -179,7 +179,7 @@ ${this.instance?.redirectUris} ${t`Advanced protocol settings`}
@@ -190,7 +190,10 @@ ${this.instance?.redirectUris}

- ${t`Configure how long access codes are valid for.`} + ${t`Configure how long access tokens are valid for.`} +

+

+ ${t`If you are using an Implicit, client-side flow (where the token-endpoint isn't used), you probably want to increase this time.`}

${t`(Format: hours=-1;minutes=-2;seconds=-3).`}