Creating App Passwords with disabled expiration fails with an 405 method not allowed #19911
Description
Describe the bug
Installed 2025.12.2 with the expectation to be able to create App Passwords again via UI at Directory > Tokens and App passwords.
While #19582 fixed the date errors, the UI now throws a 405 method not allowed and a system exception event is generated.
To Reproduce
Steps to reproduce the behavior:
- Create an App Password for an Service Account at Directory > Tokens and App passwords
- or via API POST to /api/v3/core/tokens/ with the following JSON (same as the frontend does if expiration is disabled) :
{
"identifier": "test",
"intent": "app_password",
"user": 9,
"description": "test",
"expiring": false,
"expires": null
}
Expected behavior
The API should allow "null" as this is what the frontend sends and the schema says its valid.
Logs
Stacktrace from authentik
'>' not supported between instances of 'NoneType' and 'datetime.datetime'
"message": "'>' not supported between instances of 'NoneType' and 'datetime.datetime'",
"exception": [
{
"frames": [
{
"name": "thread_handler",
"lineno": 555,
"filename": "/ak-root/.venv/lib/python3.13/site-packages/asgiref/sync.py"
},
{
"name": "_get_response_async",
"lineno": 253,
"filename": "/ak-root/.venv/lib/python3.13/site-packages/django/core/handlers/base.py"
},
{
"name": "__call__",
"lineno": 504,
"filename": "/ak-root/.venv/lib/python3.13/site-packages/asgiref/sync.py"
},
{
"name": "run",
"lineno": 40,
"filename": "/ak-root/.venv/lib/python3.13/site-packages/asgiref/current_thread_executor.py"
},
{
"name": "thread_handler",
"lineno": 559,
"filename": "/ak-root/.venv/lib/python3.13/site-packages/asgiref/sync.py"
},
{
"name": "_view_wrapper",
"lineno": 65,
"filename": "/ak-root/.venv/lib/python3.13/site-packages/django/views/decorators/csrf.py"
},
{
"name": "view",
"lineno": 125,
"filename": "/ak-root/.venv/lib/python3.13/site-packages/rest_framework/viewsets.py"
},
{
"name": "dispatch",
"lineno": 515,
"filename": "/ak-root/.venv/lib/python3.13/site-packages/rest_framework/views.py"
},
{
"name": "handle_exception",
"lineno": 475,
"filename": "/ak-root/.venv/lib/python3.13/site-packages/rest_framework/views.py"
},
{
"name": "raise_uncaught_exception",
"lineno": 486,
"filename": "/ak-root/.venv/lib/python3.13/site-packages/rest_framework/views.py"
},
{
"name": "dispatch",
"lineno": 512,
"filename": "/ak-root/.venv/lib/python3.13/site-packages/rest_framework/views.py"
},
{
"name": "create",
"lineno": 18,
"filename": "/ak-root/.venv/lib/python3.13/site-packages/rest_framework/mixins.py"
},
{
"name": "is_valid",
"lineno": 225,
"filename": "/ak-root/.venv/lib/python3.13/site-packages/rest_framework/serializers.py"
},
{
"name": "run_validation",
"lineno": 447,
"filename": "/ak-root/.venv/lib/python3.13/site-packages/rest_framework/serializers.py"
},
{
"name": "validate",
"lineno": 79,
"filename": "/authentik/core/api/tokens.py"
}
],
"exc_type": "TypeError",
"is_cause": false,
"is_group": false,
"exc_notes": [],
"exc_value": "'>' not supported between instances of 'NoneType' and 'datetime.datetime'",
"exceptions": [],
"syntax_error": null
}
Version and Deployment (please complete the following information):
- authentik version: 2025.12.2
- Deployment: Podman/Quadlets.
Additional context
Trying to create an App Password via API works, as long as the "expires" field is not used when expiring is set to false.
Metadata
Metadata
Assignees
Labels
Type
Projects
Status