[Bug]: Recovery emails / links do not respect token_expiry about authentik HOT 7 OPEN

Additional info: Does not matter whether use_global_settings is true or false.

from authentik.

From quickly looking through the code I can see how this would happen if the token expires and is rotated (when the token is rotated we currently default to the default expiry value which is 30 minutes)

from authentik.

While I could be confusing terms, I believe the issue we have found is specifically with token creation during the recovery flows.

In other words:

1. No token / active recovery flow exists for the user
2. Click create recovery link / send recovery email for the user
3. Notice that the new token is created in the authentik_core_token table but that it will always have an expiration time 30 minutes in the future regardless of the token_expiry setting.
4. Validate that after 30 minutes the reset links do not work.

from authentik.

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

from authentik.

Still an issue.

from authentik.

I think the problem is that the recovery tokens are created differently from the admin interface/ via the API than they are during flow execution.

The API does not set any expiration time so it will always use the default of 30 minutes.
Maybe the API call should check for an email stage in the recovery flow and use the setting from there?
At least the recovery_email endpoint gets an email stage passed directly and could use the expiry_token value from that.

During flow execution the token is created with the token_expiry setting from the stage.

from authentik.

I experienced this via both the links generated from the admin UI and the tokens included in the email link (which I assume are a part of the flow).

Perhaps the flow component has been addressed in a recent release?

from authentik.