providers/oauth2: make exp optional on jwt client_credentials flow

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

authentik/core/tasks.py

@@ -60,6 +60,8 @@ def clean_temporary_users(self: MonitoredTask):
     messages = []
     deleted_users = 0
     for user in User.objects.filter(**{f"attributes__{USER_ATTRIBUTE_GENERATED}": True}):
+        if USER_ATTRIBUTE_EXPIRES not in user.attributes:
+            continue
         delta: timedelta = _now - datetime.fromtimestamp(
             user.attributes.get(USER_ATTRIBUTE_EXPIRES)
         )

authentik/providers/oauth2/views/token.py

@@ -280,11 +280,12 @@ class TokenParams:
         if not token:
             raise TokenError("invalid_grant")
 
-        exp = datetime.fromtimestamp(token["exp"])
+        if "exp" in token:
-        # Non-timezone aware check since we assume `exp` is in UTC
+            exp = datetime.fromtimestamp(token["exp"])
-        if datetime.now() >= exp:
+            # Non-timezone aware check since we assume `exp` is in UTC
-            LOGGER.info("JWT token expired")
+            if datetime.now() >= exp:
-            raise TokenError("invalid_grant")
+                LOGGER.info("JWT token expired")
+                raise TokenError("invalid_grant")
 
         app = Application.objects.filter(provider=self.provider).first()
         if not app or not app.provider:
@@ -298,7 +299,7 @@ class TokenParams:
             defaults={
                 "attributes": {
                     USER_ATTRIBUTE_GENERATED: True,
-                    USER_ATTRIBUTE_EXPIRES: token["exp"],
+                    USER_ATTRIBUTE_EXPIRES: token.get("exp"),
                 },
                 "last_login": now(),
                 "name": f"Autogenerated user from application {app.name} (client credentials JWT)",