providers/oauth2: rework OAuth2 Provider (#4652)

* always treat flow as openid flow

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* improve issuer URL generation

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* more refactoring

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* update introspection

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* more refinement

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* migrate more

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix more things, update api

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* regen migrations

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix a bunch of things

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* start updating tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix implicit flow, auto set exp

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix timeozone not used correctly

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix revoke

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* more timezone shenanigans

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix userinfo tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* update web

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix proxy outpost

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix api tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix missing at_hash for implicit flows

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* re-include at_hash in implicit auth flow

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* use folder context for outpost build

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

web/src/admin/providers/oauth2/OAuth2ProviderForm.ts

@@ -253,18 +253,34 @@ ${this.instance?.redirectUris}</textarea
                         <ak-utils-time-delta-help></ak-utils-time-delta-help>
                     </ak-form-element-horizontal>
                     <ak-form-element-horizontal
-                        label=${t`Token validity`}
+                        label=${t`Access Token validity`}
                         ?required=${true}
-                        name="tokenValidity"
+                        name="accessTokenValidity"
                     >
                         <input
                             type="text"
-                            value="${first(this.instance?.tokenValidity, "days=30")}"
+                            value="${first(this.instance?.accessTokenValidity, "minutes=5")}"
                             class="pf-c-form-control"
                             required
                         />
                         <p class="pf-c-form__helper-text">
-                            ${t`Configure how long refresh tokens and their id_tokens are valid for.`}
+                            ${t`Configure how long access tokens are valid for.`}
+                        </p>
+                        <ak-utils-time-delta-help></ak-utils-time-delta-help>
+                    </ak-form-element-horizontal>
+                    <ak-form-element-horizontal
+                        label=${t`Refresh Token validity`}
+                        ?required=${true}
+                        name="refreshTokenValidity"
+                    >
+                        <input
+                            type="text"
+                            value="${first(this.instance?.refreshTokenValidity, "days=30")}"
+                            class="pf-c-form-control"
+                            required
+                        />
+                        <p class="pf-c-form__helper-text">
+                            ${t`Configure how long refresh tokens are valid for.`}
                         </p>
                         <ak-utils-time-delta-help></ak-utils-time-delta-help>
                     </ak-form-element-horizontal>

web/src/admin/providers/proxy/ProxyProviderForm.ts

@@ -342,10 +342,10 @@ export class ProxyProviderFormPage extends ModelForm<ProxyProvider, number> {
                 </div>
                 <div class="pf-c-card__footer">${this.renderSettings()}</div>
             </div>
-            <ak-form-element-horizontal label=${t`Token validity`} name="tokenValidity">
+            <ak-form-element-horizontal label=${t`Token validity`} name="accessTokenValidity">
                 <input
                     type="text"
-                    value="${first(this.instance?.tokenValidity, "hours=24")}"
+                    value="${first(this.instance?.accessTokenValidity, "hours=24")}"
                     class="pf-c-form-control"
                 />
                 <p class="pf-c-form__helper-text">${t`Configure how long tokens are valid for.`}</p>

web/src/admin/users/UserViewPage.ts

@@ -345,7 +345,7 @@ export class UserViewPage extends AKElement {
             </section>
             <section
                 slot="page-oauth-refresh"
-                data-tab-title="${t`OAuth Refresh Codes`}"
+                data-tab-title="${t`OAuth Refresh Tokens`}"
                 class="pf-c-page__main-section pf-m-no-padding-mobile"
             >
                 <div class="pf-c-card">

web/src/elements/oauth/UserRefreshList.ts

@@ -12,10 +12,10 @@ import { customElement, property } from "lit/decorators.js";
 
 import PFFlex from "@patternfly/patternfly/layouts/Flex/flex.css";
 
-import { ExpiringBaseGrantModel, Oauth2Api, RefreshTokenModel } from "@goauthentik/api";
+import { ExpiringBaseGrantModel, Oauth2Api, TokenModel } from "@goauthentik/api";
 
 @customElement("ak-user-oauth-refresh-list")
-export class UserOAuthRefreshList extends Table<RefreshTokenModel> {
+export class UserOAuthRefreshList extends Table<TokenModel> {
     expandable = true;
 
     @property({ type: Number })
@@ -25,7 +25,7 @@ export class UserOAuthRefreshList extends Table<RefreshTokenModel> {
         return super.styles.concat(PFFlex);
     }
 
-    async apiEndpoint(page: number): Promise<PaginatedResponse<RefreshTokenModel>> {
+    async apiEndpoint(page: number): Promise<PaginatedResponse<TokenModel>> {
         return new Oauth2Api(DEFAULT_CONFIG).oauth2RefreshTokensList({
             user: this.userId,
             ordering: "expires",
@@ -46,7 +46,7 @@ export class UserOAuthRefreshList extends Table<RefreshTokenModel> {
         ];
     }
 
-    renderExpanded(item: RefreshTokenModel): TemplateResult {
+    renderExpanded(item: TokenModel): TemplateResult {
         return html` <td role="cell" colspan="4">
                 <div class="pf-c-table__expandable-row-content">
                     <div class="pf-l-flex">
@@ -64,7 +64,7 @@ export class UserOAuthRefreshList extends Table<RefreshTokenModel> {
     renderToolbarSelected(): TemplateResult {
         const disabled = this.selectedElements.length < 1;
         return html`<ak-forms-delete-bulk
-            objectLabel=${t`Refresh Code(s)`}
+            objectLabel=${t`Refresh Tokens(s)`}
             .objects=${this.selectedElements}
             .usedBy=${(item: ExpiringBaseGrantModel) => {
                 return new Oauth2Api(DEFAULT_CONFIG).oauth2RefreshTokensUsedByList({
@@ -83,7 +83,7 @@ export class UserOAuthRefreshList extends Table<RefreshTokenModel> {
         </ak-forms-delete-bulk>`;
     }
 
-    row(item: RefreshTokenModel): TemplateResult[] {
+    row(item: TokenModel): TemplateResult[] {
         return [
             html`<a href="#/core/providers/${item.provider?.pk}"> ${item.provider?.name} </a>`,
             html`<ak-label color=${item.revoked ? PFColor.Orange : PFColor.Green}>