SSO: Authentik Refresh token not valid #2394

Open
opened 2026-02-05 04:17:48 +03:00 by OVERLORD · 9 comments
Owner

Originally created by @samclark2015 on GitHub (Sep 22, 2025).

Prerequisites

Vaultwarden Support String

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.34.3-a2ad1dc7
  • Web-vault version: v2025.8.0
  • OS/Arch: linux/aarch64
  • Running within a container: true (Base: Debian)
  • Database type: SQLite
  • Database version: 3.50.2
  • Uses config.json: true
  • Uses a reverse proxy: true
  • IP Header check: true (X-Forwarded-For)
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • Browser/Server Time Check: true
  • Server/NTP Time Check: true
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Websocket Check: false
  • HTTP Response Checks: true

Config & Details (Generated via diagnostics page)

Show Config & Details

Environment settings which are overridden: DOMAIN, SIGNUPS_ALLOWED

Config:

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": false,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "***:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_idle_timeout": 600,
  "database_max_conns": 10,
  "database_min_conns": 2,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://***********************",
  "domain_origin": "*****://***********************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Forwarded-For",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "purge_incomplete_sso_nonce": "0 20 0 * * *",
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "*******************",
  "smtp_from_name": "Vaultwarden",
  "smtp_host": "********************",
  "smtp_password": "***",
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "************************",
  "sso_allow_unknown_email_verification": false,
  "sso_audience_trusted": null,
  "sso_auth_only_not_session": false,
  "sso_authority": "*****://************************************************",
  "sso_authorize_extra_params": "",
  "sso_callback_path": "*****://****************************************************",
  "sso_client_cache_expiration": 0,
  "sso_client_id": "****************************************",
  "sso_client_secret": "***",
  "sso_debug_tokens": false,
  "sso_enabled": true,
  "sso_master_password_policy": null,
  "sso_only": true,
  "sso_pkce": true,
  "sso_scopes": "email profile offline_access",
  "sso_signups_match_email": true,
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Vaultwarden Build Version

1.34.3-a2ad1dc7

Deployment method

Official Container Image

Custom deployment method

No response

Reverse Proxy

traefik v3.1.2

Host/Server Operating System

Linux

Operating System Version

Ubuntu 25.04

Clients

Desktop, Browser Extension, Android

Client Version

Desktop - 2025.7.0, Firefox - 2025.8.2, Android - 2025.8.1

Steps To Reproduce

  1. Enable SSO with Authentik as detailed in the documentation.
  • Access code validity: minutes=1
  • Access Token validity: minutes=15
  • Refresh Token validity: days=90
  1. Use Vaultwarden as usual

Expected Result

Vaultwarden utilizes the refresh token provided by Authentik to keep session alive, exchanging after Access Token validity period for a new access token. User prompted for login after Refresh Token validity period.

Actual Result

User is prompted for SSO login anywhere from hours to a week after initial login.

Logs

Vaultwarden:
[2025-09-14 14:01:39.786][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None })
[2025-09-14 14:01:39.786][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None })


Authentik:
{
    "token": {
        "pk": 89,
        "app": "authentik_providers_oauth2",
        "name": "Refresh Token for 2 for user 6",
        "model_name": "refreshtoken"
    },
    "message": "Revoked refresh token was used",
    "provider": {
        "pk": 2,
        "app": "authentik_providers_oauth2",
        "name": "Provider for Vaultwarden",
        "model_name": "oauth2provider"
    },
    "http_request": {
        "args": {},
        "path": "/application/o/token/",
        "method": "POST",
        "request_id": "<redacted>",
        "user_agent": ""
    }
}

Screenshots or Videos

No response

Additional Context

Using Authentik v2025.8.1, though appeared on earlier releases.

Originally created by @samclark2015 on GitHub (Sep 22, 2025). ### Prerequisites - [x] I have searched the existing **Closed _AND_ Open** [Issues](https://github.com/dani-garcia/vaultwarden/issues?q=is%3Aissue%20) **_AND_** [Discussions](https://github.com/dani-garcia/vaultwarden/discussions?discussions_q=) - [x] I have searched and read the [documentation](https://github.com/dani-garcia/vaultwarden/wiki/) ### Vaultwarden Support String ### Your environment (Generated via diagnostics page) * Vaultwarden version: v1.34.3-a2ad1dc7 * Web-vault version: v2025.8.0 * OS/Arch: linux/aarch64 * Running within a container: true (Base: Debian) * Database type: SQLite * Database version: 3.50.2 * Uses config.json: true * Uses a reverse proxy: true * IP Header check: true (X-Forwarded-For) * Internet access: true * Internet access via a proxy: false * DNS Check: true * Browser/Server Time Check: true * Server/NTP Time Check: true * Domain Configuration Check: true * HTTPS Check: true * Websocket Check: false * HTTP Response Checks: true ### Config & Details (Generated via diagnostics page) <details><summary>Show Config & Details</summary> **Environment settings which are overridden:** DOMAIN, SIGNUPS_ALLOWED **Config:** ```json { "_duo_akey": null, "_enable_duo": true, "_enable_email_2fa": false, "_enable_smtp": true, "_enable_yubico": true, "_icon_service_csp": "", "_icon_service_url": "", "_ip_header_enabled": true, "_max_note_size": 10000, "_smtp_img_src": "***:", "admin_ratelimit_max_burst": 3, "admin_ratelimit_seconds": 300, "admin_session_lifetime": 20, "admin_token": "***", "allowed_connect_src": "", "allowed_iframe_ancestors": "", "attachments_folder": "data/attachments", "auth_request_purge_schedule": "30 * * * * *", "authenticator_disable_time_drift": false, "data_folder": "data", "database_conn_init": "", "database_idle_timeout": 600, "database_max_conns": 10, "database_min_conns": 2, "database_timeout": 30, "database_url": "***************", "db_connection_retries": 15, "disable_2fa_remember": false, "disable_admin_token": false, "disable_icon_download": false, "domain": "*****://***********************", "domain_origin": "*****://***********************", "domain_path": "", "domain_set": true, "duo_context_purge_schedule": "30 * * * * *", "duo_host": null, "duo_ikey": null, "duo_skey": null, "duo_use_iframe": false, "email_2fa_auto_fallback": false, "email_2fa_enforce_on_verified_invite": false, "email_attempts_limit": 3, "email_change_allowed": true, "email_expiration_time": 600, "email_token_size": 6, "emergency_access_allowed": true, "emergency_notification_reminder_schedule": "0 3 * * * *", "emergency_request_timeout_schedule": "0 7 * * * *", "enable_db_wal": true, "enable_websocket": true, "enforce_single_org_with_reset_pw_policy": false, "event_cleanup_schedule": "0 10 0 * * *", "events_days_retain": null, "experimental_client_feature_flags": "", "extended_logging": true, "helo_name": null, "hibp_api_key": null, "http_request_block_non_global_ips": true, "http_request_block_regex": null, "icon_blacklist_non_global_ips": true, "icon_blacklist_regex": null, "icon_cache_folder": "data/icon_cache", "icon_cache_negttl": 259200, "icon_cache_ttl": 2592000, "icon_download_timeout": 10, "icon_redirect_code": 302, "icon_service": "internal", "incomplete_2fa_schedule": "30 * * * * *", "incomplete_2fa_time_limit": 3, "increase_note_size_limit": false, "invitation_expiration_hours": 120, "invitation_org_name": "Vaultwarden", "invitations_allowed": true, "ip_header": "X-Forwarded-For", "job_poll_interval_ms": 30000, "log_file": null, "log_level": "info", "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f", "login_ratelimit_max_burst": 10, "login_ratelimit_seconds": 60, "org_attachment_limit": null, "org_creation_users": "", "org_events_enabled": false, "org_groups_enabled": false, "password_hints_allowed": true, "password_iterations": 600000, "purge_incomplete_sso_nonce": "0 20 0 * * *", "push_enabled": false, "push_identity_uri": "https://identity.bitwarden.com", "push_installation_id": "***", "push_installation_key": "***", "push_relay_uri": "https://push.bitwarden.com", "reload_templates": false, "require_device_email": false, "rsa_key_filename": "data/rsa_key", "send_purge_schedule": "0 5 * * * *", "sendmail_command": null, "sends_allowed": true, "sends_folder": "data/sends", "show_password_hint": false, "signups_allowed": false, "signups_domains_whitelist": "", "signups_verify": false, "signups_verify_resend_limit": 6, "signups_verify_resend_time": 3600, "smtp_accept_invalid_certs": false, "smtp_accept_invalid_hostnames": false, "smtp_auth_mechanism": null, "smtp_debug": false, "smtp_embed_images": true, "smtp_explicit_tls": null, "smtp_from": "*******************", "smtp_from_name": "Vaultwarden", "smtp_host": "********************", "smtp_password": "***", "smtp_port": 587, "smtp_security": "starttls", "smtp_ssl": null, "smtp_timeout": 15, "smtp_username": "************************", "sso_allow_unknown_email_verification": false, "sso_audience_trusted": null, "sso_auth_only_not_session": false, "sso_authority": "*****://************************************************", "sso_authorize_extra_params": "", "sso_callback_path": "*****://****************************************************", "sso_client_cache_expiration": 0, "sso_client_id": "****************************************", "sso_client_secret": "***", "sso_debug_tokens": false, "sso_enabled": true, "sso_master_password_policy": null, "sso_only": true, "sso_pkce": true, "sso_scopes": "email profile offline_access", "sso_signups_match_email": true, "templates_folder": "data/templates", "tmp_folder": "data/tmp", "trash_auto_delete_days": null, "trash_purge_schedule": "0 5 0 * * *", "use_sendmail": false, "use_syslog": false, "user_attachment_limit": null, "user_send_limit": null, "web_vault_enabled": true, "web_vault_folder": "web-vault/", "yubico_client_id": null, "yubico_secret_key": null, "yubico_server": null } ``` </details> ### Vaultwarden Build Version 1.34.3-a2ad1dc7 ### Deployment method Official Container Image ### Custom deployment method _No response_ ### Reverse Proxy traefik v3.1.2 ### Host/Server Operating System Linux ### Operating System Version Ubuntu 25.04 ### Clients Desktop, Browser Extension, Android ### Client Version Desktop - 2025.7.0, Firefox - 2025.8.2, Android - 2025.8.1 ### Steps To Reproduce 1. Enable SSO with Authentik as detailed in the [documentation](https://github.com/dani-garcia/vaultwarden/wiki/Enabling-SSO-support-using-OpenId-Connect#authentik). - Access code validity: `minutes=1` - Access Token validity: `minutes=15` - Refresh Token validity: `days=90` 2. Use Vaultwarden as usual ### Expected Result Vaultwarden utilizes the refresh token provided by Authentik to keep session alive, exchanging after Access Token validity period for a new access token. User prompted for login after Refresh Token validity period. ### Actual Result User is prompted for SSO login anywhere from hours to a week after initial login. ### Logs ```text Vaultwarden: [2025-09-14 14:01:39.786][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None }) [2025-09-14 14:01:39.786][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None }) Authentik: { "token": { "pk": 89, "app": "authentik_providers_oauth2", "name": "Refresh Token for 2 for user 6", "model_name": "refreshtoken" }, "message": "Revoked refresh token was used", "provider": { "pk": 2, "app": "authentik_providers_oauth2", "name": "Provider for Vaultwarden", "model_name": "oauth2provider" }, "http_request": { "args": {}, "path": "/application/o/token/", "method": "POST", "request_id": "<redacted>", "user_agent": "" } } ``` ### Screenshots or Videos _No response_ ### Additional Context Using Authentik v2025.8.1, though appeared on earlier releases.
OVERLORD added the bugSSO labels 2026-02-05 04:17:48 +03:00
Author
Owner

@Timshel commented on GitHub (Oct 21, 2025):

Hey,
Sorry missed your issue.
This usually happened when two refresh_token calls are made at the same time.
If you can still reproduce can you check if it's the case ?

@Timshel commented on GitHub (Oct 21, 2025): Hey, Sorry missed your issue. This usually happened when two `refresh_token` calls are made at the same time. If you can still reproduce can you check if it's the case ?
Author
Owner

@samclark2015 commented on GitHub (Oct 22, 2025):

Thanks! I enabled SSO_AUTH_ONLY_NOT_SESSION which resolved things. I'd be
happy to disable and give some info, though.

What would be useful here? Authentik logs?

On Tue, Oct 21, 2025, 11:50 AM Timshel @.***> wrote:

Timshel left a comment (dani-garcia/vaultwarden#6311)
https://github.com/dani-garcia/vaultwarden/issues/6311#issuecomment-3427695993

Hey,
Sorry missed your issue.
This usually happened when two refresh_token calls are made at the same
time.
If you can still reproduce can you check if it's the case ?


Reply to this email directly, view it on GitHub
https://github.com/dani-garcia/vaultwarden/issues/6311#issuecomment-3427695993,
or unsubscribe
https://github.com/notifications/unsubscribe-auth/AAMQEWZBG6WCHZNEQGAJEO33YZP5BAVCNFSM6AAAAACHFO6P4GVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZTIMRXGY4TKOJZGM
.
You are receiving this because you authored the thread.Message ID:
@.***>

@samclark2015 commented on GitHub (Oct 22, 2025): Thanks! I enabled `SSO_AUTH_ONLY_NOT_SESSION` which resolved things. I'd be happy to disable and give some info, though. What would be useful here? Authentik logs? On Tue, Oct 21, 2025, 11:50 AM Timshel ***@***.***> wrote: > *Timshel* left a comment (dani-garcia/vaultwarden#6311) > <https://github.com/dani-garcia/vaultwarden/issues/6311#issuecomment-3427695993> > > Hey, > Sorry missed your issue. > This usually happened when two refresh_token calls are made at the same > time. > If you can still reproduce can you check if it's the case ? > > — > Reply to this email directly, view it on GitHub > <https://github.com/dani-garcia/vaultwarden/issues/6311#issuecomment-3427695993>, > or unsubscribe > <https://github.com/notifications/unsubscribe-auth/AAMQEWZBG6WCHZNEQGAJEO33YZP5BAVCNFSM6AAAAACHFO6P4GVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZTIMRXGY4TKOJZGM> > . > You are receiving this because you authored the thread.Message ID: > ***@***.***> >
Author
Owner

@Timshel commented on GitHub (Oct 22, 2025):

More Vaultwarden server log before the issue is triggered might help :)

@Timshel commented on GitHub (Oct 22, 2025): More Vaultwarden server log before the issue is triggered might help :)
Author
Owner

@samclark2015 commented on GitHub (Oct 22, 2025):

Just toggled that setting & will report back with logs when it happens.

@samclark2015 commented on GitHub (Oct 22, 2025): Just toggled that setting & will report back with logs when it happens.
Author
Owner

@samclark2015 commented on GitHub (Oct 23, 2025):

Here is a longer log. Multiple clients authenticated in this span, so not sure how helpful this is to trace duplicate calls... Happy to provide any other info that would be useful!

[2025-10-22 22:23:38.203][request][INFO] POST /identity/connect/token
[2025-10-22 22:23:45.353][response][INFO] (login) POST /identity/connect/token => 200 OK
[2025-10-22 22:23:45.899][request][INFO] GET /notifications/hub?access_token=<redacted>
[2025-10-22 22:23:45.899][vaultwarden::api::notifications][INFO] Accepting Rocket WS connection from 172.17.0.1
[2025-10-22 22:23:45.899][response][INFO] (websockets_hub) GET /notifications/hub?<data..> => 200 OK
[2025-10-22 22:27:36.462][request][INFO] GET /api/config
[2025-10-22 22:27:36.462][response][INFO] (config) GET /api/config => 200 OK
[2025-10-22 22:32:43.576][request][INFO] GET /api/config
[2025-10-22 22:32:43.576][response][INFO] (config) GET /api/config => 200 OK
[2025-10-22 22:34:56.980][request][INFO] GET /api/config
[2025-10-22 22:34:56.981][response][INFO] (config) GET /api/config => 200 OK
[2025-10-22 22:42:05.131][request][INFO] GET /api/config
[2025-10-22 22:42:05.131][response][INFO] (config) GET /api/config => 200 OK
[2025-10-22 22:43:08.245][request][INFO] GET /api/config
[2025-10-22 22:43:08.245][response][INFO] (config) GET /api/config => 200 OK
[2025-10-22 22:45:53.123][request][INFO] GET /api/config
[2025-10-22 22:45:53.123][response][INFO] (config) GET /api/config => 200 OK
[2025-10-22 22:48:28.794][request][INFO] GET /api/config
[2025-10-22 22:48:28.794][response][INFO] (config) GET /api/config => 200 OK
[2025-10-22 22:58:44.778][request][INFO] GET /api/config
[2025-10-22 22:58:44.778][response][INFO] (config) GET /api/config => 200 OK
[2025-10-22 23:04:00.410][request][INFO] GET /api/config
[2025-10-22 23:04:00.411][response][INFO] (config) GET /api/config => 200 OK
[2025-10-22 23:08:37.151][request][INFO] GET /api/config
[2025-10-22 23:08:37.151][response][INFO] (config) GET /api/config => 200 OK
[2025-10-22 23:13:37.632][request][INFO] GET /api/config
[2025-10-22 23:13:37.633][response][INFO] (config) GET /api/config => 200 OK
[2025-10-22 23:40:34.141][request][INFO] GET /api/config
[2025-10-22 23:40:34.141][response][INFO] (config) GET /api/config => 200 OK
[2025-10-22 23:51:47.423][request][INFO] GET /api/config
[2025-10-22 23:51:47.423][response][INFO] (config) GET /api/config => 200 OK
[2025-10-22 23:54:16.289][vaultwarden::api::notifications][INFO] Closing WS connection from 172.17.0.1
[2025-10-22 23:58:29.123][request][INFO] POST /identity/connect/token
[2025-10-22 23:58:36.587][response][INFO] (login) POST /identity/connect/token => 200 OK
[2025-10-22 23:58:37.092][request][INFO] GET /notifications/hub?access_token=<redacted>
[2025-10-22 23:58:37.092][vaultwarden::api::notifications][INFO] Accepting Rocket WS connection from 172.17.0.1
[2025-10-22 23:58:37.092][response][INFO] (websockets_hub) GET /notifications/hub?<data..> => 200 OK
[2025-10-23 00:07:01.375][vaultwarden::api::notifications][INFO] Closing WS connection from 172.17.0.1
[2025-10-23 00:07:01.885][request][INFO] GET /api/config
[2025-10-23 00:07:01.885][response][INFO] (config) GET /api/config => 200 OK
[2025-10-23 00:07:01.886][request][INFO] POST /identity/connect/token
[2025-10-23 00:07:09.380][response][INFO] (login) POST /identity/connect/token => 200 OK
[2025-10-23 00:07:09.532][request][INFO] GET /api/sync?excludeDomains=true
[2025-10-23 00:07:09.577][response][INFO] (sync) GET /api/sync?<data..> => 200 OK
[2025-10-23 00:22:31.939][request][INFO] POST /identity/connect/token
[2025-10-23 00:22:39.173][response][INFO] (login) POST /identity/connect/token => 200 OK
[2025-10-23 00:22:39.299][request][INFO] GET /api/sync?excludeDomains=true
[2025-10-23 00:22:39.341][response][INFO] (sync) GET /api/sync?<data..> => 200 OK
[2025-10-23 00:33:07.870][request][INFO] GET /api/config
[2025-10-23 00:33:07.870][response][INFO] (config) GET /api/config => 200 OK
[2025-10-23 00:38:38.169][request][INFO] GET /api/config
[2025-10-23 00:38:38.169][response][INFO] (config) GET /api/config => 200 OK
[2025-10-23 00:46:34.358][request][INFO] GET /api/config
[2025-10-23 00:46:34.358][response][INFO] (config) GET /api/config => 200 OK
[2025-10-23 03:34:24.331][request][INFO] GET /api/config
[2025-10-23 03:34:24.331][response][INFO] (config) GET /api/config => 200 OK
[2025-10-23 03:55:04.179][request][INFO] GET /api/config
[2025-10-23 03:55:04.179][response][INFO] (config) GET /api/config => 200 OK
[2025-10-23 06:52:40.602][request][INFO] POST /identity/connect/token
[2025-10-23 06:52:48.281][response][INFO] (login) POST /identity/connect/token => 200 OK
[2025-10-23 08:01:05.337][request][INFO] POST /identity/connect/token
[2025-10-23 08:01:10.431][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None })
[2025-10-23 08:01:10.431][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None })
[2025-10-23 08:01:10.431][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized
[2025-10-23 08:33:02.418][request][INFO] POST /identity/connect/token
[2025-10-23 08:33:07.584][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None })
[2025-10-23 08:33:07.584][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None })
[2025-10-23 08:33:07.584][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized
[2025-10-23 08:49:57.286][request][INFO] POST /identity/connect/token
[2025-10-23 08:50:02.333][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None })
[2025-10-23 08:50:02.333][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None })
[2025-10-23 08:50:02.333][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized
[2025-10-23 09:02:37.420][request][INFO] GET /api/config
[2025-10-23 09:02:37.420][response][INFO] (config) GET /api/config => 200 OK
[2025-10-23 09:27:32.427][request][INFO] POST /identity/connect/token
[2025-10-23 09:27:37.337][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None })
[2025-10-23 09:27:37.337][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None })
[2025-10-23 09:27:37.337][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized
[2025-10-23 10:02:05.245][request][INFO] POST /identity/connect/token
[2025-10-23 10:02:10.366][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None })
[2025-10-23 10:02:10.367][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None })
[2025-10-23 10:02:10.367][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized
[2025-10-23 10:54:59.161][request][INFO] POST /identity/connect/token
[2025-10-23 10:55:04.236][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None })
[2025-10-23 10:55:04.237][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None })
[2025-10-23 10:55:04.237][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized
[2025-10-23 11:12:22.196][request][INFO] POST /identity/connect/token
[2025-10-23 11:12:27.178][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None })
[2025-10-23 11:12:27.178][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None })
[2025-10-23 11:12:27.178][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized
[2025-10-23 11:56:05.175][request][INFO] POST /identity/connect/token
[2025-10-23 11:56:10.265][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None })
[2025-10-23 11:56:10.265][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None })
[2025-10-23 11:56:10.265][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized
[2025-10-23 12:26:05.232][request][INFO] POST /identity/connect/token
[2025-10-23 12:26:10.912][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None })
[2025-10-23 12:26:10.912][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None })
[2025-10-23 12:26:10.912][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized
[2025-10-23 12:26:12.046][request][INFO] GET /api/config
[2025-10-23 12:26:12.047][response][INFO] (config) GET /api/config => 200 OK
[2025-10-23 12:26:12.052][request][INFO] GET /api/devices/knowndevice
[2025-10-23 12:26:12.053][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK
@samclark2015 commented on GitHub (Oct 23, 2025): Here is a longer log. Multiple clients authenticated in this span, so not sure how helpful this is to trace duplicate calls... Happy to provide any other info that would be useful! ``` [2025-10-22 22:23:38.203][request][INFO] POST /identity/connect/token [2025-10-22 22:23:45.353][response][INFO] (login) POST /identity/connect/token => 200 OK [2025-10-22 22:23:45.899][request][INFO] GET /notifications/hub?access_token=<redacted> [2025-10-22 22:23:45.899][vaultwarden::api::notifications][INFO] Accepting Rocket WS connection from 172.17.0.1 [2025-10-22 22:23:45.899][response][INFO] (websockets_hub) GET /notifications/hub?<data..> => 200 OK [2025-10-22 22:27:36.462][request][INFO] GET /api/config [2025-10-22 22:27:36.462][response][INFO] (config) GET /api/config => 200 OK [2025-10-22 22:32:43.576][request][INFO] GET /api/config [2025-10-22 22:32:43.576][response][INFO] (config) GET /api/config => 200 OK [2025-10-22 22:34:56.980][request][INFO] GET /api/config [2025-10-22 22:34:56.981][response][INFO] (config) GET /api/config => 200 OK [2025-10-22 22:42:05.131][request][INFO] GET /api/config [2025-10-22 22:42:05.131][response][INFO] (config) GET /api/config => 200 OK [2025-10-22 22:43:08.245][request][INFO] GET /api/config [2025-10-22 22:43:08.245][response][INFO] (config) GET /api/config => 200 OK [2025-10-22 22:45:53.123][request][INFO] GET /api/config [2025-10-22 22:45:53.123][response][INFO] (config) GET /api/config => 200 OK [2025-10-22 22:48:28.794][request][INFO] GET /api/config [2025-10-22 22:48:28.794][response][INFO] (config) GET /api/config => 200 OK [2025-10-22 22:58:44.778][request][INFO] GET /api/config [2025-10-22 22:58:44.778][response][INFO] (config) GET /api/config => 200 OK [2025-10-22 23:04:00.410][request][INFO] GET /api/config [2025-10-22 23:04:00.411][response][INFO] (config) GET /api/config => 200 OK [2025-10-22 23:08:37.151][request][INFO] GET /api/config [2025-10-22 23:08:37.151][response][INFO] (config) GET /api/config => 200 OK [2025-10-22 23:13:37.632][request][INFO] GET /api/config [2025-10-22 23:13:37.633][response][INFO] (config) GET /api/config => 200 OK [2025-10-22 23:40:34.141][request][INFO] GET /api/config [2025-10-22 23:40:34.141][response][INFO] (config) GET /api/config => 200 OK [2025-10-22 23:51:47.423][request][INFO] GET /api/config [2025-10-22 23:51:47.423][response][INFO] (config) GET /api/config => 200 OK [2025-10-22 23:54:16.289][vaultwarden::api::notifications][INFO] Closing WS connection from 172.17.0.1 [2025-10-22 23:58:29.123][request][INFO] POST /identity/connect/token [2025-10-22 23:58:36.587][response][INFO] (login) POST /identity/connect/token => 200 OK [2025-10-22 23:58:37.092][request][INFO] GET /notifications/hub?access_token=<redacted> [2025-10-22 23:58:37.092][vaultwarden::api::notifications][INFO] Accepting Rocket WS connection from 172.17.0.1 [2025-10-22 23:58:37.092][response][INFO] (websockets_hub) GET /notifications/hub?<data..> => 200 OK [2025-10-23 00:07:01.375][vaultwarden::api::notifications][INFO] Closing WS connection from 172.17.0.1 [2025-10-23 00:07:01.885][request][INFO] GET /api/config [2025-10-23 00:07:01.885][response][INFO] (config) GET /api/config => 200 OK [2025-10-23 00:07:01.886][request][INFO] POST /identity/connect/token [2025-10-23 00:07:09.380][response][INFO] (login) POST /identity/connect/token => 200 OK [2025-10-23 00:07:09.532][request][INFO] GET /api/sync?excludeDomains=true [2025-10-23 00:07:09.577][response][INFO] (sync) GET /api/sync?<data..> => 200 OK [2025-10-23 00:22:31.939][request][INFO] POST /identity/connect/token [2025-10-23 00:22:39.173][response][INFO] (login) POST /identity/connect/token => 200 OK [2025-10-23 00:22:39.299][request][INFO] GET /api/sync?excludeDomains=true [2025-10-23 00:22:39.341][response][INFO] (sync) GET /api/sync?<data..> => 200 OK [2025-10-23 00:33:07.870][request][INFO] GET /api/config [2025-10-23 00:33:07.870][response][INFO] (config) GET /api/config => 200 OK [2025-10-23 00:38:38.169][request][INFO] GET /api/config [2025-10-23 00:38:38.169][response][INFO] (config) GET /api/config => 200 OK [2025-10-23 00:46:34.358][request][INFO] GET /api/config [2025-10-23 00:46:34.358][response][INFO] (config) GET /api/config => 200 OK [2025-10-23 03:34:24.331][request][INFO] GET /api/config [2025-10-23 03:34:24.331][response][INFO] (config) GET /api/config => 200 OK [2025-10-23 03:55:04.179][request][INFO] GET /api/config [2025-10-23 03:55:04.179][response][INFO] (config) GET /api/config => 200 OK [2025-10-23 06:52:40.602][request][INFO] POST /identity/connect/token [2025-10-23 06:52:48.281][response][INFO] (login) POST /identity/connect/token => 200 OK [2025-10-23 08:01:05.337][request][INFO] POST /identity/connect/token [2025-10-23 08:01:10.431][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None }) [2025-10-23 08:01:10.431][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None }) [2025-10-23 08:01:10.431][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized [2025-10-23 08:33:02.418][request][INFO] POST /identity/connect/token [2025-10-23 08:33:07.584][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None }) [2025-10-23 08:33:07.584][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None }) [2025-10-23 08:33:07.584][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized [2025-10-23 08:49:57.286][request][INFO] POST /identity/connect/token [2025-10-23 08:50:02.333][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None }) [2025-10-23 08:50:02.333][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None }) [2025-10-23 08:50:02.333][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized [2025-10-23 09:02:37.420][request][INFO] GET /api/config [2025-10-23 09:02:37.420][response][INFO] (config) GET /api/config => 200 OK [2025-10-23 09:27:32.427][request][INFO] POST /identity/connect/token [2025-10-23 09:27:37.337][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None }) [2025-10-23 09:27:37.337][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None }) [2025-10-23 09:27:37.337][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized [2025-10-23 10:02:05.245][request][INFO] POST /identity/connect/token [2025-10-23 10:02:10.366][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None }) [2025-10-23 10:02:10.367][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None }) [2025-10-23 10:02:10.367][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized [2025-10-23 10:54:59.161][request][INFO] POST /identity/connect/token [2025-10-23 10:55:04.236][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None }) [2025-10-23 10:55:04.237][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None }) [2025-10-23 10:55:04.237][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized [2025-10-23 11:12:22.196][request][INFO] POST /identity/connect/token [2025-10-23 11:12:27.178][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None }) [2025-10-23 11:12:27.178][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None }) [2025-10-23 11:12:27.178][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized [2025-10-23 11:56:05.175][request][INFO] POST /identity/connect/token [2025-10-23 11:56:10.265][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None }) [2025-10-23 11:56:10.265][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None }) [2025-10-23 11:56:10.265][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized [2025-10-23 12:26:05.232][request][INFO] POST /identity/connect/token [2025-10-23 12:26:10.912][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None }) [2025-10-23 12:26:10.912][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None }) [2025-10-23 12:26:10.912][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized [2025-10-23 12:26:12.046][request][INFO] GET /api/config [2025-10-23 12:26:12.047][response][INFO] (config) GET /api/config => 200 OK [2025-10-23 12:26:12.052][request][INFO] GET /api/devices/knowndevice [2025-10-23 12:26:12.053][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK ```
Author
Owner

@Timshel commented on GitHub (Oct 27, 2025):

Hey,
So it does not look like the use case I was speaking of, since it used to manifest with two almost simultaneous POST /identity/connect/token with only one of the two working.

With a 90days refresh token validity I'm not sure what could be the source of the error :(.
Would you have a way to track in Authentik when the token was revoked ?

@Timshel commented on GitHub (Oct 27, 2025): Hey, So it does not look like the use case I was speaking of, since it used to manifest with two almost simultaneous `POST /identity/connect/token` with only one of the two working. With a 90days refresh token validity I'm not sure what could be the source of the error :(. Would you have a way to track in Authentik when the token was revoked ?
Author
Owner

@controlaltnerd commented on GitHub (Nov 12, 2025):

I seem to be having a similar issue. In my case, I'm getting the error [ERROR] Unable to refresh login credentials: Access token is close to expiration but we have no refresh token. I have access token expiration set to 10 minutes, and after I've logged in to Vaultwarden on either the web or through the Chrome extension, about 10 minutes later both will sign me out and the error will be logged.

Refresh token lifespan is set to 30 days, and I am able to verify that the refresh token is actually being passed from Authentik to the web frontend so my best guess at the moment is that somehow the access token is being used in place of the refresh token, which would suggest Vaultwarden is attempting to authenticate again rather than refresh. I could eliminate session handling and restrict it to authentication only, but I'm unsure of what the result would be. Would the session just persist for the duration of the Authentik login session?

@controlaltnerd commented on GitHub (Nov 12, 2025): I seem to be having a similar issue. In my case, I'm getting the error `[ERROR] Unable to refresh login credentials: Access token is close to expiration but we have no refresh token`. I have access token expiration set to 10 minutes, and after I've logged in to Vaultwarden on either the web or through the Chrome extension, about 10 minutes later both will sign me out and the error will be logged. Refresh token lifespan is set to 30 days, and I am able to verify that the refresh token is actually being passed from Authentik to the web frontend so my best guess at the moment is that somehow the access token is being used in place of the refresh token, which would suggest Vaultwarden is attempting to authenticate again rather than refresh. I could eliminate session handling and restrict it to authentication only, but I'm unsure of what the result would be. Would the session just persist for the duration of the Authentik login session?
Author
Owner

@0xmillennium commented on GitHub (Jan 21, 2026):

@Timshel You mentioned earlier that this invalid_grant loop might be caused by two refresh_token calls happening at the same time. I am experiencing a specific issue with OIDC (Authelia) where the session is killed exactly at the 1-hour mark (access token expiration) due to a race condition in the refresh flow.

Environment:

Server: Vaultwarden (Docker)

OIDC Provider: Authelia

Client: Bitwarden Browser Extension (Desktop/Mobile apps work fine)

Auth Method: client_secret_basic (since Vaultwarden does not seem to support client_secret_post yet)

The Issue:

I am encountering a session termination issue with the Bitwarden Browser Extension when using OIDC (Authelia). The logs confirm that the client is firing two identical refresh requests at the exact same millisecond.

  1. Request A is processed successfully (Token A \rightarrow Token B).
  2. Request B (processed milliseconds later) tries to use Token A again.
  3. Authelia detects "Token Reuse," assumes theft, and revokes the entire token family.
  4. The session is immediately killed (invalid_grant).

Logs:

Notice the timestamp 04:25:20.652. Two POST requests are initiated simultaneously.

vaultwarden  | [2026-01-21 04:25:10.972][request][INFO] GET /api/config
vaultwarden  | [2026-01-21 04:25:10.972][response][INFO] (config) GET /api/config => 200 OK
# --- THE RACE CONDITION STARTS HERE ---
vaultwarden  | [2026-01-21 04:25:20.652][request][INFO] POST /identity/connect/token  <-- Request #1
vaultwarden  | [2026-01-21 04:25:20.652][request][INFO] POST /identity/connect/token  <-- Request #2 (DUPLICATE at exact same ms)
# --------------------------------------
vaultwarden  | [2026-01-21 04:25:21.335][response][INFO] (login) POST /identity/connect/token => 200 OK  <-- Success (Token Rotated)
vaultwarden  | [2026-01-21 04:25:21.397][request][INFO] GET /api/config
vaultwarden  | [2026-01-21 04:25:21.397][response][INFO] (config) GET /api/config => 200 OK
# --- THE FAILURE ---
vaultwarden  | [2026-01-21 04:25:21.633][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant... or refresh token is invalid..."), error_uri: None })
vaultwarden  | [2026-01-21 04:25:21.633][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed
vaultwarden  | [2026-01-21 04:25:21.633][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized  <-- Session Killed due to reuse
# -------------------
vaultwarden  | [2026-01-21 04:25:21.744][request][INFO] GET /api/devices/knowndevice
vaultwarden  | [2026-01-21 04:25:21.746][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK
vaultwarden  | [2026-01-21 04:25:22.055][request][INFO] GET /api/config
vaultwarden  | [2026-01-21 04:25:22.055][response][INFO] (config) GET /api/config => 200 OK
vaultwarden  | [2026-01-21 04:25:22.056][request][INFO] POST /identity/connect/token
vaultwarden  | [2026-01-21 04:25:22.453][response][INFO] (login) POST /identity/connect/token => 200 OK
vaultwarden  | [2026-01-21 04:25:22.595][request][INFO] GET /api/sync?excludeDomains=true
vaultwarden  | [2026-01-21 04:25:22.632][response][INFO] (sync) GET /api/sync?<data..> => 200 OK
vaultwarden  | [2026-01-21 04:25:27.317][request][INFO] GET /api/devices/knowndevice
vaultwarden  | [2026-01-21 04:25:27.319][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK

Consistency & Impact: This issue happens every single time the token expiration is reached (100% reproducible). It is not an intermittent glitch.

  • The browser extension suffers a hard logout exactly when the access token expires (default 1 hour).
  • The silent refresh fails due to the 401 error, and the user is forced to manually re-authenticate via SSO. The extension acts as if the session is completely invalid.

Important Note: I do not want to use the workaround of setting extremely long Access Token lifespans (e.g. 30 days) to simply bypass the refresh loop. I aim to maintain secure, short-lived tokens with proper SSO management. Therefore, fixing this race condition/debounce issue is critical for my use case.

Is there a workaround to lock the refresh process or debounce these calls within Vaultwarden?

@0xmillennium commented on GitHub (Jan 21, 2026): @Timshel You mentioned earlier that this `invalid_grant` loop might be caused by two refresh_token calls happening at the same time. I am experiencing a specific issue with OIDC (Authelia) where the session is killed exactly at the 1-hour mark (access token expiration) due to a race condition in the refresh flow. ### Environment: **Server:** Vaultwarden (Docker) **OIDC Provider:** Authelia **Client:** Bitwarden Browser Extension (Desktop/Mobile apps work fine) **Auth Method:** `client_secret_basic` (since Vaultwarden does not seem to support `client_secret_post` yet) ### The Issue: I am encountering a session termination issue with the Bitwarden Browser Extension when using OIDC (Authelia). The logs confirm that the client is firing two identical refresh requests at the exact same millisecond. 1. **Request A** is processed successfully (Token A $\rightarrow$ Token B). 2. **Request B** (processed milliseconds later) tries to use Token A again. 3. Authelia detects "Token Reuse," assumes theft, and revokes the entire token family. 4. The session is immediately killed (`invalid_grant`). ### Logs: Notice the timestamp 04:25:20.652. Two POST requests are initiated simultaneously. ``` vaultwarden | [2026-01-21 04:25:10.972][request][INFO] GET /api/config vaultwarden | [2026-01-21 04:25:10.972][response][INFO] (config) GET /api/config => 200 OK # --- THE RACE CONDITION STARTS HERE --- vaultwarden | [2026-01-21 04:25:20.652][request][INFO] POST /identity/connect/token <-- Request #1 vaultwarden | [2026-01-21 04:25:20.652][request][INFO] POST /identity/connect/token <-- Request #2 (DUPLICATE at exact same ms) # -------------------------------------- vaultwarden | [2026-01-21 04:25:21.335][response][INFO] (login) POST /identity/connect/token => 200 OK <-- Success (Token Rotated) vaultwarden | [2026-01-21 04:25:21.397][request][INFO] GET /api/config vaultwarden | [2026-01-21 04:25:21.397][response][INFO] (config) GET /api/config => 200 OK # --- THE FAILURE --- vaultwarden | [2026-01-21 04:25:21.633][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant... or refresh token is invalid..."), error_uri: None }) vaultwarden | [2026-01-21 04:25:21.633][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed vaultwarden | [2026-01-21 04:25:21.633][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized <-- Session Killed due to reuse # ------------------- vaultwarden | [2026-01-21 04:25:21.744][request][INFO] GET /api/devices/knowndevice vaultwarden | [2026-01-21 04:25:21.746][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK vaultwarden | [2026-01-21 04:25:22.055][request][INFO] GET /api/config vaultwarden | [2026-01-21 04:25:22.055][response][INFO] (config) GET /api/config => 200 OK vaultwarden | [2026-01-21 04:25:22.056][request][INFO] POST /identity/connect/token vaultwarden | [2026-01-21 04:25:22.453][response][INFO] (login) POST /identity/connect/token => 200 OK vaultwarden | [2026-01-21 04:25:22.595][request][INFO] GET /api/sync?excludeDomains=true vaultwarden | [2026-01-21 04:25:22.632][response][INFO] (sync) GET /api/sync?<data..> => 200 OK vaultwarden | [2026-01-21 04:25:27.317][request][INFO] GET /api/devices/knowndevice vaultwarden | [2026-01-21 04:25:27.319][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK ``` **Consistency & Impact:** This issue happens every single time the token expiration is reached (100% reproducible). It is not an intermittent glitch. - The browser extension suffers a hard logout exactly when the access token expires (default 1 hour). - The silent refresh fails due to the 401 error, and the user is forced to manually re-authenticate via SSO. The extension acts as if the session is completely invalid. **Important Note:** I do not want to use the workaround of setting extremely long Access Token lifespans (e.g. 30 days) to simply bypass the refresh loop. I aim to maintain secure, short-lived tokens with proper SSO management. Therefore, fixing this race condition/debounce issue is critical for my use case. Is there a workaround to lock the refresh process or debounce these calls within Vaultwarden?
Author
Owner

@Timshel commented on GitHub (Jan 28, 2026):

@0xmillennium Hey not sure why it's happening only with the browser extension. It should share the same code as the desktop/web app :(.
I contributed a fix (https://github.com/bitwarden/clients/pull/10799) last year which should prevent the issue :(.
I'll try to have a look to see if I can find something.

@Timshel commented on GitHub (Jan 28, 2026): @0xmillennium Hey not sure why it's happening only with the browser extension. It should share the same code as the desktop/web app :(. I contributed a fix (https://github.com/bitwarden/clients/pull/10799) last year which should prevent the issue :(. I'll try to have a look to see if I can find something.
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/vaultwarden#2394