providers/oauth2: use access_code_validity for id_tokens generated when using an implicit flow, improve wording in web ui

closes #1369

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

authentik/providers/oauth2/tests/test_authorize.py

@@ -247,7 +247,7 @@ class TestAuthorize(OAuthTestCase):
                 "to": (
                     f"http://localhost#access_token={token.access_token}"
                     f"&id_token={provider.encode(token.id_token.to_dict())}&token_type=bearer"
-                    f"&expires_in=2592000&state={state}"
+                    f"&expires_in=60&state={state}"
                 ),
             },
         )

authentik/providers/oauth2/views/authorize.py

@@ -367,7 +367,7 @@ class OAuthFulfillmentStage(StageView):
 
         query_fragment["token_type"] = "bearer"
         query_fragment["expires_in"] = int(
-            timedelta_from_string(self.provider.token_validity).total_seconds()
+            timedelta_from_string(self.provider.access_code_validity).total_seconds()
         )
         query_fragment["state"] = self.params.state if self.params.state else ""
 

web/src/locales/en.po

@@ -88,14 +88,18 @@ msgstr "API request failed"
 msgid "Access Key"
 msgstr "Access Key"
 
-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
+#: 
-msgid "Access code validity"
+#~ msgid "Access code validity"
-msgstr "Access code validity"
+#~ msgstr "Access code validity"
 
 #: src/pages/sources/oauth/OAuthSourceForm.ts
 msgid "Access token URL"
 msgstr "Access token URL"
 
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
+msgid "Access token validity"
+msgstr "Access token validity"
+
 #: src/elements/events/ObjectChangelog.ts
 #: src/elements/events/UserEvents.ts
 #: src/pages/events/EventListPage.ts
@@ -787,9 +791,13 @@ msgstr "Configuration stage"
 msgid "Configure WebAuthn"
 msgstr "Configure WebAuthn"
 
+#: 
+#~ msgid "Configure how long access codes are valid for."
+#~ msgstr "Configure how long access codes are valid for."
+
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
-msgid "Configure how long access codes are valid for."
+msgid "Configure how long access tokens are valid for."
-msgstr "Configure how long access codes are valid for."
+msgstr "Configure how long access tokens are valid for."
 
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 msgid "Configure how long refresh tokens and their id_tokens are valid for."
@@ -2057,6 +2065,10 @@ msgstr "If this flag is set, this Stage will jump to the next Stage when no Invi
 msgid "If this is selected, the token will expire. Upon expiration, the token will be rotated."
 msgstr "If this is selected, the token will expire. Upon expiration, the token will be rotated."
 
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
+msgid "If you are using an Implicit, client-side flow (where the token-endpoint isn't used), you probably want to increase this time."
+msgstr "If you are using an Implicit, client-side flow (where the token-endpoint isn't used), you probably want to increase this time."
+
 #: src/pages/outposts/OutpostDeploymentModal.ts
 msgid "If your authentik Instance is using a self-signed certificate, set this value."
 msgstr "If your authentik Instance is using a self-signed certificate, set this value."

web/src/locales/pseudo-LOCALE.po

@@ -88,14 +88,18 @@ msgstr ""
 msgid "Access Key"
 msgstr ""
 
-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
+#: 
-msgid "Access code validity"
+#~ msgid "Access code validity"
-msgstr ""
+#~ msgstr ""
 
 #: src/pages/sources/oauth/OAuthSourceForm.ts
 msgid "Access token URL"
 msgstr ""
 
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
+msgid "Access token validity"
+msgstr ""
+
 #: src/elements/events/ObjectChangelog.ts
 #: src/elements/events/UserEvents.ts
 #: src/pages/events/EventListPage.ts
@@ -781,8 +785,12 @@ msgstr ""
 msgid "Configure WebAuthn"
 msgstr ""
 
+#: 
+#~ msgid "Configure how long access codes are valid for."
+#~ msgstr ""
+
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
-msgid "Configure how long access codes are valid for."
+msgid "Configure how long access tokens are valid for."
 msgstr ""
 
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
@@ -2049,6 +2057,10 @@ msgstr ""
 msgid "If this is selected, the token will expire. Upon expiration, the token will be rotated."
 msgstr ""
 
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
+msgid "If you are using an Implicit, client-side flow (where the token-endpoint isn't used), you probably want to increase this time."
+msgstr ""
+
 #: src/pages/outposts/OutpostDeploymentModal.ts
 msgid "If your authentik Instance is using a self-signed certificate, set this value."
 msgstr ""

web/src/pages/providers/oauth2/OAuth2ProviderForm.ts

@@ -179,7 +179,7 @@ ${this.instance?.redirectUris}</textarea
                 <span slot="header"> ${t`Advanced protocol settings`} </span>
                 <div slot="body" class="pf-c-form">
                     <ak-form-element-horizontal
-                        label=${t`Access code validity`}
+                        label=${t`Access token validity`}
                         ?required=${true}
                         name="accessCodeValidity"
                     >
@@ -190,7 +190,10 @@ ${this.instance?.redirectUris}</textarea
                             required
                         />
                         <p class="pf-c-form__helper-text">
-                            ${t`Configure how long access codes are valid for.`}
+                            ${t`Configure how long access tokens are valid for.`}
+                        </p>
+                        <p class="pf-c-form__helper-text">
+                            ${t`If you are using an Implicit, client-side flow (where the token-endpoint isn't used), you probably want to increase this time.`}
                         </p>
                         <p class="pf-c-form__helper-text">
                             ${t`(Format: hours=-1;minutes=-2;seconds=-3).`}