From c4e4e17f93ed78869503c2cd5aa4e6081d5930fb Mon Sep 17 00:00:00 2001 From: Jens L Date: Wed, 28 Apr 2021 21:03:43 +0200 Subject: [PATCH] providers/oauth2: add access_code_validity (#795) closes #794 Signed-off-by: Jens Langhammer --- authentik/providers/oauth2/api/provider.py | 1 + ...012_oauth2provider_access_code_validity.py | 24 ++++ authentik/providers/oauth2/models.py | 10 ++ authentik/providers/oauth2/views/authorize.py | 2 +- swagger.yaml | 6 + web/src/locales/en.po | 109 ++++++++++-------- web/src/locales/pseudo-LOCALE.po | 107 ++++++++++------- .../providers/oauth2/OAuth2ProviderForm.ts | 12 +- .../pages/providers/saml/SAMLProviderForm.ts | 3 +- .../stages/user_login/UserLoginStageForm.ts | 3 +- 10 files changed, 184 insertions(+), 93 deletions(-) create mode 100644 authentik/providers/oauth2/migrations/0012_oauth2provider_access_code_validity.py diff --git a/authentik/providers/oauth2/api/provider.py b/authentik/providers/oauth2/api/provider.py index 06e3351b1..b090ef72c 100644 --- a/authentik/providers/oauth2/api/provider.py +++ b/authentik/providers/oauth2/api/provider.py @@ -38,6 +38,7 @@ class OAuth2ProviderSerializer(ProviderSerializer): "client_type", "client_id", "client_secret", + "access_code_validity", "token_validity", "include_claims_in_id_token", "jwt_alg", diff --git a/authentik/providers/oauth2/migrations/0012_oauth2provider_access_code_validity.py b/authentik/providers/oauth2/migrations/0012_oauth2provider_access_code_validity.py new file mode 100644 index 000000000..2aaa9983d --- /dev/null +++ b/authentik/providers/oauth2/migrations/0012_oauth2provider_access_code_validity.py 
@@ -0,0 +1,24 @@ +# Generated by Django 3.2 on 2021-04-28 18:17 + +from django.db import migrations, models + +import authentik.lib.utils.time + + +class Migration(migrations.Migration): + + dependencies = [ + ("authentik_providers_oauth2", "0011_managed"), + ] + + operations = [ + migrations.AddField( + model_name="oauth2provider", + name="access_code_validity", + field=models.TextField( + default="minutes=1", + help_text="Access codes not valid on or after current time + this value (Format: hours=1;minutes=2;seconds=3).", + validators=[authentik.lib.utils.time.timedelta_string_validator], + ), + ), + ] diff --git a/authentik/providers/oauth2/models.py b/authentik/providers/oauth2/models.py index 2bbaabf18..b6440593b 100644 --- a/authentik/providers/oauth2/models.py +++ b/authentik/providers/oauth2/models.py @@ -175,6 +175,16 @@ class OAuth2Provider(Provider): ), ) + access_code_validity = models.TextField( + default="minutes=1", + validators=[timedelta_string_validator], + help_text=_( + ( + "Access codes not valid on or after current time + this value " + "(Format: hours=1;minutes=2;seconds=3)." + ) + ), + ) token_validity = models.TextField( default="minutes=10", validators=[timedelta_string_validator], diff --git a/authentik/providers/oauth2/views/authorize.py b/authentik/providers/oauth2/views/authorize.py index cc71c7a29..5823631a6 100644 --- a/authentik/providers/oauth2/views/authorize.py +++ b/authentik/providers/oauth2/views/authorize.py @@ -219,7 +219,7 @@ class OAuthAuthorizationParams: code.code_challenge_method = self.code_challenge_method code.expires_at = timezone.now() + timedelta_from_string( - self.provider.token_validity + self.provider.access_code_validity ) code.scope = self.scope code.nonce = self.nonce diff --git a/swagger.yaml b/swagger.yaml index a505326de..b56f071ce 100755 --- a/swagger.yaml +++ b/swagger.yaml 
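Review bot: `access_code_validity` is only run through `timedelta_string_validator` (defined outside this hunk, and by its name a format check), so nothing on the model rejects a zero, negative or multi-day lifetime for authorization codes, while the UI hint added in this same patch literally shows negative components. RFC 6749 §4.1.2 recommends a maximum authorization-code lifetime of 10 minutes, so a small range validator next to the format validator (positive, and capped) would turn a silent misconfiguration into a save-time error. The help text also says "Access codes", which is easy to read as access tokens; the objects given this expiry in `authorize.py` are the authorization codes returned from the authorize endpoint, so `help_text=_("Authorization codes not valid on or after current time + this value (Format: hours=1;minutes=2;seconds=3).")` would be clearer. The `OAuth2Provider` class body continues outside the hunk.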
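Review bot: Switching `code.expires_at` to `access_code_validity` only shortens the window if the token endpoint actually compares `expires_at` with the current time when the code is exchanged and discards the code after a single use; neither check is in this hunk, so it should be confirmed and ideally pinned by a test that a code older than `access_code_validity` is refused. Note that `timezone.now() + timedelta_from_string(...)` accepts a negative or zero duration without complaint and would simply issue codes that are already expired, so the enforcement path is also where a misconfigured value surfaces as a login failure with no obvious cause. The enclosing `OAuthAuthorizationParams` method begins before and ends after the hunk.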
@@ -15547,6 +15547,12 @@ definitions: title: Client Secret type: string maxLength: 255 + access_code_validity: + title: Access code validity + description: 'Access codes not valid on or after current time + this value + (Format: hours=1;minutes=2;seconds=3).' + type: string + minLength: 1 token_validity: title: Token validity description: 'Tokens not valid on or after current time + this value (Format: diff --git a/web/src/locales/en.po b/web/src/locales/en.po index 6c2801f30..cd4f560a5 100644 --- a/web/src/locales/en.po +++ b/web/src/locales/en.po @@ -13,6 +13,13 @@ msgstr "" "Language-Team: \n" "Plural-Forms: \n" +#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:141 +#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:149 +#: src/pages/providers/saml/SAMLProviderForm.ts:202 +#: src/pages/stages/user_login/UserLoginStageForm.ts:71 +msgid "(Format: hours=-1;minutes=-2;seconds=-3)." +msgstr "(Format: hours=-1;minutes=-2;seconds=-3)." + #: src/pages/policies/BoundPoliciesList.ts:59 msgid "-" msgstr "-" @@ -68,6 +75,10 @@ msgstr "API request failed" msgid "Access Key" msgstr "Access Key" +#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:136 +msgid "Access code validity" +msgstr "Access code validity" + #: src/pages/sources/oauth/OAuthSourceForm.ts:73 msgid "Access token URL" msgstr "Access token URL" @@ -125,7 +136,7 @@ msgstr "Affected model:" msgid "Alert" msgstr "Alert" -#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:153 +#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:163 msgid "Algorithm used to sign the JWT Tokens." msgstr "Algorithm used to sign the JWT Tokens." 
@@ -220,7 +231,7 @@ msgstr "Are you sure you want to delete {0} {objName} ?" msgid "Are you sure you want to update {0} \"{1}\"?" msgstr "Are you sure you want to update {0} \"{1}\"?" -#: src/pages/providers/saml/SAMLProviderForm.ts:208 +#: src/pages/providers/saml/SAMLProviderForm.ts:209 msgid "Assertion not valid on or after current time + this value (Format: hours=1;minutes=2;seconds=3)." msgstr "Assertion not valid on or after current time + this value (Format: hours=1;minutes=2;seconds=3)." @@ -228,11 +239,7 @@ msgstr "Assertion not valid on or after current time + this value (Format: hours msgid "Assertion valid not before" msgstr "Assertion valid not before" -#: src/pages/providers/saml/SAMLProviderForm.ts:201 -msgid "Assertion valid not before current time + this value (Format: hours=-1;minutes=-2;seconds=-3)." -msgstr "Assertion valid not before current time + this value (Format: hours=-1;minutes=-2;seconds=-3)." - -#: src/pages/providers/saml/SAMLProviderForm.ts:204 +#: src/pages/providers/saml/SAMLProviderForm.ts:205 msgid "Assertion valid not on or after" msgstr "Assertion valid not on or after" 
@@ -342,19 +349,19 @@ msgstr "Backup status" msgid "Base DN" msgstr "Base DN" -#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:203 +#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:213 msgid "Based on the Hashed User ID" msgstr "Based on the Hashed User ID" -#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:209 +#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:219 msgid "Based on the User's Email. This is recommended over the UPN method." msgstr "Based on the User's Email. This is recommended over the UPN method." -#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:212 +#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:222 msgid "Based on the User's UPN, only works if user has a 'upn' attribute set. Use this method only if you have different UPN and Mail domains." msgstr "Based on the User's UPN, only works if user has a 'upn' attribute set. Use this method only if you have different UPN and Mail domains." -#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:206 +#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:216 msgid "Based on the username" msgstr "Based on the username" 
@@ -592,11 +599,19 @@ msgstr "Configuration flow" msgid "Configure WebAuthn" msgstr "Configure WebAuthn" +#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:140 +msgid "Configure how long access codes are valid for." +msgstr "Configure how long access codes are valid for." + +#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:148 +msgid "Configure how long refresh tokens and their id_tokens are valid for." +msgstr "Configure how long refresh tokens and their id_tokens are valid for." + #: src/pages/providers/saml/SAMLProviderForm.ts:193 msgid "Configure how the NameID value will be created. When left empty, the NameIDPolicy of the incoming request will be respected." msgstr "Configure how the NameID value will be created. When left empty, the NameIDPolicy of the incoming request will be respected." -#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:241 +#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:251 msgid "Configure how the issuer field of the ID Token should be filled." msgstr "Configure how the issuer field of the ID Token should be filled." @@ -604,7 +619,11 @@ msgstr "Configure how the issuer field of the ID Token should be filled." msgid "Configure settings relevant to your user profile." msgstr "Configure settings relevant to your user profile." -#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:216 +#: src/pages/providers/saml/SAMLProviderForm.ts:201 +msgid "Configure the maximum allowed time drift for an asseration." +msgstr "Configure the maximum allowed time drift for an asseration." + +#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:226 msgid "Configure what data should be used as unique User Identifier. For most cases, the default should be fine." msgstr "Configure what data should be used as unique User Identifier. For most cases, the default should be fine." 
@@ -846,7 +865,7 @@ msgstr "Creation Date" msgid "Customisation" msgstr "Customisation" -#: src/pages/providers/saml/SAMLProviderForm.ts:255 +#: src/pages/providers/saml/SAMLProviderForm.ts:256 #: src/pages/sources/saml/SAMLSourceForm.ts:212 msgid "DSA-SHA1" msgstr "DSA-SHA1" @@ -956,8 +975,8 @@ msgid "Determines how authentik sends the response back to the Service Provider. msgstr "Determines how authentik sends the response back to the Service Provider." #: src/pages/stages/user_login/UserLoginStageForm.ts:70 -msgid "Determines how long a session lasts. Default of 0 seconds means that the sessions lasts until the browser is closed. (Format: hours=-1;minutes=-2;seconds=-3)." -msgstr "Determines how long a session lasts. Default of 0 seconds means that the sessions lasts until the browser is closed. (Format: hours=-1;minutes=-2;seconds=-3)." +msgid "Determines how long a session lasts. Default of 0 seconds means that the sessions lasts until the browser is closed." +msgstr "Determines how long a session lasts. Default of 0 seconds means that the sessions lasts until the browser is closed." #: src/pages/stages/authenticator_validate/AuthenticatorValidateStageForm.ts:113 msgid "Device classes which can be used to authenticate." @@ -967,7 +986,7 @@ msgstr "Device classes which can be used to authenticate." msgid "Device name" msgstr "Device name" -#: src/pages/providers/saml/SAMLProviderForm.ts:219 +#: src/pages/providers/saml/SAMLProviderForm.ts:220 #: src/pages/sources/saml/SAMLSourceForm.ts:176 msgid "Digest algorithm" msgstr "Digest algorithm" 
@@ -1010,7 +1029,7 @@ msgstr "Download" msgid "Dummy stage used for testing. Shows a simple continue button and always passes." msgstr "Dummy stage used for testing. Shows a simple continue button and always passes." -#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:234 +#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:244 msgid "Each provider has a different issuer, based on the application slug." msgstr "Each provider has a different issuer, based on the application slug." @@ -1451,7 +1470,7 @@ msgstr "Group {0}" msgid "Groups" msgstr "Groups" -#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:150 +#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:160 msgid "HS256 (Symmetric Encryption)" msgstr "HS256 (Symmetric Encryption)" @@ -1478,7 +1497,7 @@ msgstr "Hide managed mappings" #: src/pages/events/RuleForm.ts:93 #: src/pages/groups/GroupForm.ts:131 #: src/pages/outposts/OutpostForm.ts:98 -#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:178 +#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:188 #: src/pages/providers/saml/SAMLProviderForm.ts:177 #: src/pages/sources/ldap/LDAPSourceForm.ts:167 #: src/pages/sources/ldap/LDAPSourceForm.ts:193 @@ -1552,11 +1571,11 @@ msgstr "Import certificates of external providers or create certificates to sign msgid "In case you can't access any other method." msgstr "In case you can't access any other method." -#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:226 +#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:236 msgid "Include User claims from scopes in the id_token, for applications that don't access the userinfo endpoint." msgstr "Include User claims from scopes in the id_token, for applications that don't access the userinfo endpoint." -#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:223 +#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:233 msgid "Include claims in id_token" msgstr "Include claims in id_token" 
@@ -1600,15 +1619,15 @@ msgstr "Is superuser" msgid "Issuer" msgstr "Issuer" -#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:229 +#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:239 msgid "Issuer mode" msgstr "Issuer mode" -#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:142 +#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:152 msgid "JWT Algorithm" msgstr "JWT Algorithm" -#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:195 +#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:205 msgid "Key used to sign the tokens. Only required when JWT Algorithm is set to RS256." msgstr "Key used to sign the tokens. Only required when JWT Algorithm is set to RS256." @@ -1707,8 +1726,8 @@ msgstr "Loading" #: src/pages/policies/event_matcher/EventMatcherPolicyForm.ts:108 #: src/pages/property-mappings/PropertyMappingTestForm.ts:61 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts:74 -#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:175 -#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:193 +#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:185 +#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:203 #: src/pages/providers/proxy/ProxyProviderForm.ts:92 #: src/pages/providers/proxy/ProxyProviderForm.ts:145 #: src/pages/providers/saml/SAMLProviderForm.ts:71 
@@ -2440,30 +2459,30 @@ msgstr "Public key, acquired from https://www.google.com/recaptcha/intro/v3.html msgid "Publisher" msgstr "Publisher" -#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:147 +#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:157 msgid "RS256 (Asymmetric Encryption)" msgstr "RS256 (Asymmetric Encryption)" -#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:181 +#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:191 msgid "RSA Key" msgstr "RSA Key" -#: src/pages/providers/saml/SAMLProviderForm.ts:243 +#: src/pages/providers/saml/SAMLProviderForm.ts:244 #: src/pages/sources/saml/SAMLSourceForm.ts:200 msgid "RSA-SHA1" msgstr "RSA-SHA1" -#: src/pages/providers/saml/SAMLProviderForm.ts:246 +#: src/pages/providers/saml/SAMLProviderForm.ts:247 #: src/pages/sources/saml/SAMLSourceForm.ts:203 msgid "RSA-SHA256" msgstr "RSA-SHA256" -#: src/pages/providers/saml/SAMLProviderForm.ts:249 +#: src/pages/providers/saml/SAMLProviderForm.ts:250 #: src/pages/sources/saml/SAMLSourceForm.ts:206 msgid "RSA-SHA384" msgstr "RSA-SHA384" -#: src/pages/providers/saml/SAMLProviderForm.ts:252 +#: src/pages/providers/saml/SAMLProviderForm.ts:253 #: src/pages/sources/saml/SAMLSourceForm.ts:209 msgid "RSA-SHA512" msgstr "RSA-SHA512" 
@@ -2591,22 +2610,22 @@ msgstr "Return to device picker" msgid "SAML Attribute Name" msgstr "SAML Attribute Name" -#: src/pages/providers/saml/SAMLProviderForm.ts:224 +#: src/pages/providers/saml/SAMLProviderForm.ts:225 #: src/pages/sources/saml/SAMLSourceForm.ts:181 msgid "SHA1" msgstr "SHA1" -#: src/pages/providers/saml/SAMLProviderForm.ts:227 +#: src/pages/providers/saml/SAMLProviderForm.ts:228 #: src/pages/sources/saml/SAMLSourceForm.ts:184 msgid "SHA256" msgstr "SHA256" -#: src/pages/providers/saml/SAMLProviderForm.ts:230 +#: src/pages/providers/saml/SAMLProviderForm.ts:231 #: src/pages/sources/saml/SAMLSourceForm.ts:187 msgid "SHA384" msgstr "SHA384" -#: src/pages/providers/saml/SAMLProviderForm.ts:233 +#: src/pages/providers/saml/SAMLProviderForm.ts:234 #: src/pages/sources/saml/SAMLSourceForm.ts:190 msgid "SHA512" msgstr "SHA512" @@ -2637,7 +2656,7 @@ msgstr "SMTP Username" msgid "SSO URL" msgstr "SSO URL" -#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:237 +#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:247 msgid "Same identifier is used for all providers" msgstr "Same identifier is used for all providers" @@ -2651,7 +2670,7 @@ msgstr "Scope which the client can specify to access these properties." #: src/elements/oauth/UserCodeList.ts:31 #: src/elements/oauth/UserRefreshList.ts:31 -#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:156 +#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:166 msgid "Scopes" msgstr "Scopes" @@ -2686,7 +2705,7 @@ msgstr "Select an identification method." msgid "Select users to add" msgstr "Select users to add" -#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:177 +#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:187 msgid "Select which scopes can be used by the client. The client stil has to specify the scope to access the data." msgstr "Select which scopes can be used by the client. The client stil has to specify the scope to access the data." 
@@ -2747,11 +2766,11 @@ msgstr "Service connection" msgid "Session duration" msgstr "Session duration" -#: src/pages/providers/saml/SAMLProviderForm.ts:215 +#: src/pages/providers/saml/SAMLProviderForm.ts:216 msgid "Session not valid on or after current time + this value (Format: hours=1;minutes=2;seconds=3)." msgstr "Session not valid on or after current time + this value (Format: hours=1;minutes=2;seconds=3)." -#: src/pages/providers/saml/SAMLProviderForm.ts:211 +#: src/pages/providers/saml/SAMLProviderForm.ts:212 msgid "Session valid not on or after" msgstr "Session valid not on or after" @@ -2792,7 +2811,7 @@ msgstr "Shown as the Title in Flow pages." msgid "Sign up." msgstr "Sign up." -#: src/pages/providers/saml/SAMLProviderForm.ts:238 +#: src/pages/providers/saml/SAMLProviderForm.ts:239 #: src/pages/sources/saml/SAMLSourceForm.ts:195 msgid "Signature algorithm" msgstr "Signature algorithm" @@ -2947,7 +2966,7 @@ msgstr "Stop impersonation" msgid "Subject" msgstr "Subject" -#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:198 +#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:208 msgid "Subject mode" msgstr "Subject mode" @@ -3395,7 +3414,7 @@ msgstr "Token count" msgid "Token expiry" msgstr "Token expiry" -#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:136 +#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:144 msgid "Token validity" msgstr "Token validity" diff --git a/web/src/locales/pseudo-LOCALE.po b/web/src/locales/pseudo-LOCALE.po index a1e185c5e..a8822e9c8 100644 --- a/web/src/locales/pseudo-LOCALE.po +++ b/web/src/locales/pseudo-LOCALE.po 
@@ -13,6 +13,13 @@ msgstr "" "Language-Team: \n" "Plural-Forms: \n" +#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:141 +#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:149 +#: src/pages/providers/saml/SAMLProviderForm.ts:202 +#: src/pages/stages/user_login/UserLoginStageForm.ts:71 +msgid "(Format: hours=-1;minutes=-2;seconds=-3)." +msgstr "" + #: src/pages/policies/BoundPoliciesList.ts:59 msgid "-" msgstr "" @@ -68,6 +75,10 @@ msgstr "" msgid "Access Key" msgstr "" +#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:136 +msgid "Access code validity" +msgstr "" + #: src/pages/sources/oauth/OAuthSourceForm.ts:73 msgid "Access token URL" msgstr "" @@ -125,7 +136,7 @@ msgstr "" msgid "Alert" msgstr "" -#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:153 +#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:163 msgid "Algorithm used to sign the JWT Tokens." msgstr "" @@ -216,7 +227,7 @@ msgstr "" msgid "Are you sure you want to update {0} \"{1}\"?" msgstr "" -#: src/pages/providers/saml/SAMLProviderForm.ts:208 +#: src/pages/providers/saml/SAMLProviderForm.ts:209 msgid "Assertion not valid on or after current time + this value (Format: hours=1;minutes=2;seconds=3)." msgstr "" @@ -224,11 +235,7 @@ msgstr "" msgid "Assertion valid not before" msgstr "" -#: src/pages/providers/saml/SAMLProviderForm.ts:201 -msgid "Assertion valid not before current time + this value (Format: hours=-1;minutes=-2;seconds=-3)." -msgstr "" - -#: src/pages/providers/saml/SAMLProviderForm.ts:204 +#: src/pages/providers/saml/SAMLProviderForm.ts:205 msgid "Assertion valid not on or after" msgstr "" 
@@ -338,19 +345,19 @@ msgstr "" msgid "Base DN" msgstr "" -#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:203 +#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:213 msgid "Based on the Hashed User ID" msgstr "" -#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:209 +#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:219 msgid "Based on the User's Email. This is recommended over the UPN method." msgstr "" -#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:212 +#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:222 msgid "Based on the User's UPN, only works if user has a 'upn' attribute set. Use this method only if you have different UPN and Mail domains." msgstr "" -#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:206 +#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:216 msgid "Based on the username" msgstr "" @@ -586,11 +593,19 @@ msgstr "" msgid "Configure WebAuthn" msgstr "" +#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:140 +msgid "Configure how long access codes are valid for." +msgstr "" + +#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:148 +msgid "Configure how long refresh tokens and their id_tokens are valid for." +msgstr "" + #: src/pages/providers/saml/SAMLProviderForm.ts:193 msgid "Configure how the NameID value will be created. When left empty, the NameIDPolicy of the incoming request will be respected." msgstr "" -#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:241 +#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:251 msgid "Configure how the issuer field of the ID Token should be filled." msgstr "" 
@@ -598,7 +613,11 @@ msgstr "" msgid "Configure settings relevant to your user profile." msgstr "" -#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:216 +#: src/pages/providers/saml/SAMLProviderForm.ts:201 +msgid "Configure the maximum allowed time drift for an asseration." +msgstr "" + +#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:226 msgid "Configure what data should be used as unique User Identifier. For most cases, the default should be fine." msgstr "" @@ -840,7 +859,7 @@ msgstr "" msgid "Customisation" msgstr "" -#: src/pages/providers/saml/SAMLProviderForm.ts:255 +#: src/pages/providers/saml/SAMLProviderForm.ts:256 #: src/pages/sources/saml/SAMLSourceForm.ts:212 msgid "DSA-SHA1" msgstr "" @@ -948,7 +967,7 @@ msgid "Determines how authentik sends the response back to the Service Provider. msgstr "" #: src/pages/stages/user_login/UserLoginStageForm.ts:70 -msgid "Determines how long a session lasts. Default of 0 seconds means that the sessions lasts until the browser is closed. (Format: hours=-1;minutes=-2;seconds=-3)." +msgid "Determines how long a session lasts. Default of 0 seconds means that the sessions lasts until the browser is closed." msgstr "" #: src/pages/stages/authenticator_validate/AuthenticatorValidateStageForm.ts:113 @@ -959,7 +978,7 @@ msgstr "" msgid "Device name" msgstr "" -#: src/pages/providers/saml/SAMLProviderForm.ts:219 +#: src/pages/providers/saml/SAMLProviderForm.ts:220 #: src/pages/sources/saml/SAMLSourceForm.ts:176 msgid "Digest algorithm" msgstr "" @@ -1002,7 +1021,7 @@ msgstr "" msgid "Dummy stage used for testing. Shows a simple continue button and always passes." msgstr "" -#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:234 +#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:244 msgid "Each provider has a different issuer, based on the application slug." msgstr "" 
@@ -1443,7 +1462,7 @@ msgstr "" msgid "Groups" msgstr "" -#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:150 +#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:160 msgid "HS256 (Symmetric Encryption)" msgstr "" @@ -1470,7 +1489,7 @@ msgstr "" #: src/pages/events/RuleForm.ts:93 #: src/pages/groups/GroupForm.ts:131 #: src/pages/outposts/OutpostForm.ts:98 -#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:178 +#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:188 #: src/pages/providers/saml/SAMLProviderForm.ts:177 #: src/pages/sources/ldap/LDAPSourceForm.ts:167 #: src/pages/sources/ldap/LDAPSourceForm.ts:193 @@ -1544,11 +1563,11 @@ msgstr "" msgid "In case you can't access any other method." msgstr "" -#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:226 +#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:236 msgid "Include User claims from scopes in the id_token, for applications that don't access the userinfo endpoint." msgstr "" -#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:223 +#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:233 msgid "Include claims in id_token" msgstr "" @@ -1592,15 +1611,15 @@ msgstr "" msgid "Issuer" msgstr "" -#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:229 +#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:239 msgid "Issuer mode" msgstr "" -#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:142 +#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:152 msgid "JWT Algorithm" msgstr "" -#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:195 +#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:205 msgid "Key used to sign the tokens. Only required when JWT Algorithm is set to RS256." msgstr "" 
@@ -1699,8 +1718,8 @@ msgstr "" #: src/pages/policies/event_matcher/EventMatcherPolicyForm.ts:108 #: src/pages/property-mappings/PropertyMappingTestForm.ts:61 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts:74 -#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:175 -#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:193 +#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:185 +#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:203 #: src/pages/providers/proxy/ProxyProviderForm.ts:92 #: src/pages/providers/proxy/ProxyProviderForm.ts:145 #: src/pages/providers/saml/SAMLProviderForm.ts:71 @@ -2432,30 +2451,30 @@ msgstr "" msgid "Publisher" msgstr "" -#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:147 +#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:157 msgid "RS256 (Asymmetric Encryption)" msgstr "" -#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:181 +#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:191 msgid "RSA Key" msgstr "" -#: src/pages/providers/saml/SAMLProviderForm.ts:243 +#: src/pages/providers/saml/SAMLProviderForm.ts:244 #: src/pages/sources/saml/SAMLSourceForm.ts:200 msgid "RSA-SHA1" msgstr "" -#: src/pages/providers/saml/SAMLProviderForm.ts:246 +#: src/pages/providers/saml/SAMLProviderForm.ts:247 #: src/pages/sources/saml/SAMLSourceForm.ts:203 msgid "RSA-SHA256" msgstr "" -#: src/pages/providers/saml/SAMLProviderForm.ts:249 +#: src/pages/providers/saml/SAMLProviderForm.ts:250 #: src/pages/sources/saml/SAMLSourceForm.ts:206 msgid "RSA-SHA384" msgstr "" -#: src/pages/providers/saml/SAMLProviderForm.ts:252 +#: src/pages/providers/saml/SAMLProviderForm.ts:253 #: src/pages/sources/saml/SAMLSourceForm.ts:209 msgid "RSA-SHA512" msgstr "" 
@@ -2583,22 +2602,22 @@ msgstr "" msgid "SAML Attribute Name" msgstr "" -#: src/pages/providers/saml/SAMLProviderForm.ts:224 +#: src/pages/providers/saml/SAMLProviderForm.ts:225 #: src/pages/sources/saml/SAMLSourceForm.ts:181 msgid "SHA1" msgstr "" -#: src/pages/providers/saml/SAMLProviderForm.ts:227 +#: src/pages/providers/saml/SAMLProviderForm.ts:228 #: src/pages/sources/saml/SAMLSourceForm.ts:184 msgid "SHA256" msgstr "" -#: src/pages/providers/saml/SAMLProviderForm.ts:230 +#: src/pages/providers/saml/SAMLProviderForm.ts:231 #: src/pages/sources/saml/SAMLSourceForm.ts:187 msgid "SHA384" msgstr "" -#: src/pages/providers/saml/SAMLProviderForm.ts:233 +#: src/pages/providers/saml/SAMLProviderForm.ts:234 #: src/pages/sources/saml/SAMLSourceForm.ts:190 msgid "SHA512" msgstr "" @@ -2629,7 +2648,7 @@ msgstr "" msgid "SSO URL" msgstr "" -#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:237 +#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:247 msgid "Same identifier is used for all providers" msgstr "" @@ -2643,7 +2662,7 @@ msgstr "" #: src/elements/oauth/UserCodeList.ts:31 #: src/elements/oauth/UserRefreshList.ts:31 -#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:156 +#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:166 msgid "Scopes" msgstr "" @@ -2678,7 +2697,7 @@ msgstr "" msgid "Select users to add" msgstr "" -#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:177 +#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:187 msgid "Select which scopes can be used by the client. The client stil has to specify the scope to access the data." msgstr "" 
@@ -2739,11 +2758,11 @@ msgstr "" msgid "Session duration" msgstr "" -#: src/pages/providers/saml/SAMLProviderForm.ts:215 +#: src/pages/providers/saml/SAMLProviderForm.ts:216 msgid "Session not valid on or after current time + this value (Format: hours=1;minutes=2;seconds=3)." msgstr "" -#: src/pages/providers/saml/SAMLProviderForm.ts:211 +#: src/pages/providers/saml/SAMLProviderForm.ts:212 msgid "Session valid not on or after" msgstr "" @@ -2784,7 +2803,7 @@ msgstr "" msgid "Sign up." msgstr "" -#: src/pages/providers/saml/SAMLProviderForm.ts:238 +#: src/pages/providers/saml/SAMLProviderForm.ts:239 #: src/pages/sources/saml/SAMLSourceForm.ts:195 msgid "Signature algorithm" msgstr "" @@ -2939,7 +2958,7 @@ msgstr "" msgid "Subject" msgstr "" -#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:198 +#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:208 msgid "Subject mode" msgstr "" @@ -3383,7 +3402,7 @@ msgstr "" msgid "Token expiry" msgstr "" -#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:136 +#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:144 msgid "Token validity" msgstr "" diff --git a/web/src/pages/providers/oauth2/OAuth2ProviderForm.ts b/web/src/pages/providers/oauth2/OAuth2ProviderForm.ts index 82c7f1ad4..4005daeeb 100644 --- a/web/src/pages/providers/oauth2/OAuth2ProviderForm.ts +++ b/web/src/pages/providers/oauth2/OAuth2ProviderForm.ts @@ -129,11 +129,21 @@ export class OAuth2ProviderFormPage extends Form { ${t`Advanced protocol settings`}
+ + +

${t`Configure how long access codes are valid for.`}

+

${t`(Format: hours=-1;minutes=-2;seconds=-3).`}

+
- + +

${t`Configure how long refresh tokens and their id_tokens are valid for.`}

+

${t`(Format: hours=-1;minutes=-2;seconds=-3).`}

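Review bot: The hint placed under both `Access code validity` and `Token validity`, `${t`(Format: hours=-1;minutes=-2;seconds=-3).`}`, documents negative components for two fields that must be positive durations, and it contradicts the backend `help_text` for the same fields, which reads `(Format: hours=1;minutes=2;seconds=3)`. An admin copying the hint verbatim would presumably get codes and tokens whose expiry lies in the past, since the backend adds the parsed delta to the current time. Suggest a positive example for these two fields, e.g. `${t`(Format: hours=1;minutes=2;seconds=3).`}`, keeping the negative example only where it is meaningful (the SAML "valid not before" drift). The surrounding form markup of this hunk was stripped in this rendering, so the exact element nesting is inferred.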
{ ?required=${true} name="assertionValidNotBefore"> -

${t`Assertion valid not before current time + this value (Format: hours=-1;minutes=-2;seconds=-3).`}

+

${t`Configure the maximum allowed time drift for an asseration.`}

+

${t`(Format: hours=-1;minutes=-2;seconds=-3).`}

{ ?required=${true} name="sessionDuration"> -

${t`Determines how long a session lasts. Default of 0 seconds means that the sessions lasts until the browser is closed. (Format: hours=-1;minutes=-2;seconds=-3).`}

+

${t`Determines how long a session lasts. Default of 0 seconds means that the sessions lasts until the browser is closed.`}

+

${t`(Format: hours=-1;minutes=-2;seconds=-3).`}