Token endpoint returning wrong value for expires_in (from refresh token instead of access token)

[pawel-pacewicz-altium]

Bug description
Authentik endpoint /application/o/token/ seems to be returning the value of a refresh token "expires_in" instead of the access token's.
The application using authentik's SSO capabilities is relying on "expires_at" to refresh the access token proactively. Because information received is incorrect, it won't try to refresh until the token is expired and fail on a request when the access token did expire.

steps to reproduce:
0. (Set-up) Set Access token validity to 6m, refresh token to 14d.

1. Request new token by querying the URL (can be done from the browser): https://authentik/if/flow/default-provider-authorization-explicit-consent/?response_type=code&client_id=5e6f645d1836e5f696b31fc136a5dde1f734f73f&redirect_uri=_REDIRECT_URI_&scope=SCOPE
2. Copy the code
3. Request token through Postman using the code above
4. Result: "expires_in": 1209600 (e.g. 14d).
   

Confirmed that the token itself also contains wrong information:

Expected behavior
The Access token should return a validity of 360s for validity set to 6m.

Version and Deployment (please complete the following information):

• authentik version 2022.11.3
• Deployment: docker

Additional context
This was claimed to be resolved under commit #3306003, but the issue still persists with the latest update of Authentik - confirmed as of Dec 9th, 2022.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[pawel-pacewicz-altium]

Hi,
Any chance for an update as to a potential resolution plan?
Thanks in advance! :)

[BeryJu]

So there's some confusion coming from the fact the UI setting is labeled Access token validity when it controls the value of accessCodeValidity, and the value of that is accordingly used for the OAuth Authorization code instead of access/refresh token.

Now this does highlight the bigger issue in this case, being that both access and refresh tokens share the same database model and currently share the same expiry, which of course defeats the point of a refresh token. To fix this, a larger refactor of the OAuth provider is required, but that is in progress.

[lsjostro]

This is still not fixed unfortunately (release 2024.2). renewed JWT tokens will get the exp field set to the expiry of the refresh token. The default value of refresh tokens is to date 30 days. So a lot of JWT librarys/SDKs out there will not try to renew id token until it expires.

[BeryJu]

@lsjostro #9275 should fix the issue