[Bug]: Recovery emails / links do not respect token_expiry #9671
Labels
bug
Something isn't working
Comments
Additional info: Does not matter whether
From quickly looking through the code I can see how this would happen if the token expires and is rotated (when the token is rotated we currently default to the default expiry value, which is 30 minutes).
While I could be confusing terms, I believe the issue we have found is specifically with token creation during the recovery flows. In other words:
Describe the bug
No way to change token expiration time window from the default 30 minutes.
This is despite the example flows and API documentation stating that the email stage's `token_expiry` property should be able to change the token expiry.
To Reproduce
Here is an example stage that demonstrates the issue.
`authentik_core_token` table. Notice that the expiration time is only 30 minutes in the future.
Expected behavior
The expiration time of tokens should match the configured `token_expiry`.
Version and Deployment (please complete the following information):
Additional Context:
It seems weird that `token_expiry` is on the stage rather than the flow, especially since we can generate recovery links without emails. Perhaps this is just an old property that needs to be deleted? If so, it would be ideal to be able to set expiration windows on recovery links via some other mechanism.