Provider token validity not updated in proxy outpost (filesystem) session store

[sch0sven]

Describe the bug

We are using a forward auth scenario with traefik.

When updating the token validity of a provider, the updated value is not reflected in the session store of a proxy outpost. This leads to unnecessary redirects.

To Reproduce
Steps to reproduce the behavior:

1. Go to a provider settings dialog and set the token duration to something other then the default of 1 minute, maybe 2 minutes
2. Access an app
3. Wait 2 minutes
4. Hit refresh
5. See authentication redirects

Expected behavior
Direct app access without any redirects for the duration of the set token validity.

Screenshots

As this is dynamic behavior it is hard to capture in screenshots.

Logs
Output of docker-compose logs or kubectl logs respectively

Version and Deployment (please complete the following information):

• authentik version: 2024.10.5 - but I checked the sources of newer versions and I do not think this is fixed.
• Deployment: ecs

Additional context

The problem can be resolved with a restart of the outpost.

I did some digging in the code, and I think this due to the gorilla FileSystemStore.
I think it is not updated, when the provider configuration changes.

I've seen the Refresh() method, it iterates over the providers, gets their config and calls new Application(provider, ...) for each:

		existing, ok := ps.apps[externalHost.Host]
		a, err := application.NewApplication(provider, hc, ps, existing)

But therein, the session store is being taken over from a previous configuration, and not reinitialized via getStore():

	if oldApp != nil && oldApp.sessions != nil {
		a.sessions = oldApp.sessions
	} else {
		sess, err := a.getStore(p, externalHost)
		if err != nil {
			return nil, err
		}
		a.sessions = sess
	}

And thus the store is not updated.