diff --git a/authentik/core/tasks.py b/authentik/core/tasks.py index 2a78987b1..9cbcb1294 100644 --- a/authentik/core/tasks.py +++ b/authentik/core/tasks.py @@ -60,6 +60,8 @@ def clean_temporary_users(self: MonitoredTask): messages = [] deleted_users = 0 for user in User.objects.filter(**{f"attributes__{USER_ATTRIBUTE_GENERATED}": True}): + if USER_ATTRIBUTE_EXPIRES not in user.attributes: + continue delta: timedelta = _now - datetime.fromtimestamp( user.attributes.get(USER_ATTRIBUTE_EXPIRES) ) diff --git a/authentik/providers/oauth2/views/token.py b/authentik/providers/oauth2/views/token.py index 16d783237..bc8befc7b 100644 --- a/authentik/providers/oauth2/views/token.py +++ b/authentik/providers/oauth2/views/token.py @@ -280,11 +280,12 @@ class TokenParams: if not token: raise TokenError("invalid_grant") - exp = datetime.fromtimestamp(token["exp"]) - # Non-timezone aware check since we assume `exp` is in UTC - if datetime.now() >= exp: - LOGGER.info("JWT token expired") - raise TokenError("invalid_grant") + if "exp" in token: + exp = datetime.fromtimestamp(token["exp"]) + # Non-timezone aware check since we assume `exp` is in UTC + if datetime.now() >= exp: + LOGGER.info("JWT token expired") + raise TokenError("invalid_grant") app = Application.objects.filter(provider=self.provider).first() if not app or not app.provider: @@ -298,7 +299,7 @@ class TokenParams: defaults={ "attributes": { USER_ATTRIBUTE_GENERATED: True, - USER_ATTRIBUTE_EXPIRES: token["exp"], + USER_ATTRIBUTE_EXPIRES: token.get("exp"), }, "last_login": now(), "name": f"Autogenerated user from application {app.name} (client credentials JWT)",