mirror of
https://github.com/dani-garcia/vaultwarden.git
synced 2026-07-16 05:34:10 +03:00
[PR #6433] Make JWT token refresh optional #3743
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
📋 Pull Request Information
Original PR: https://github.com/dani-garcia/vaultwarden/pull/6433
Author: @Momi-V
Created: 11/3/2025
Status: 🔄 Open
Base:
main← Head:auth-renew📝 Commits (10+)
f902632Add option to disable refresh token renewalf28316bAdd logic to make token renew optionalc359c8bAdd Clone trait to TokenWrapper enum85cbfbaReuse original claims struct for refresh token renewalf77109bpass original refresh_claim into renewal function16df972Pass correct typeeea7d1eAdd optional parameter existing_refresh_claims to AuthTokens8c83948Add optional parameter existing_refresh_claims to AuthTokens8b82eadAdd Clone trait to RefreshJwtClaims struct0acc952Clone refresh_claims.sub📊 Changes
4 files changed (+20 additions, -9 deletions)
View changed files
📝
src/api/identity.rs(+1 -1)📝
src/auth.rs(+13 -6)📝
src/config.rs(+4 -0)📝
src/sso.rs(+2 -2)📄 Description
This implements a config option
disable_refresh_token_renewal, that doesn't do refresh token renewal unless a full auth is performed.Goal:
Only renew the JWT token that allows PIN unlock, bypassing 2FA, etc. if a "full authentication" is performed. This makes things like "require 2FA once every 30/90 days" possible
Rationale:
Currently it's only possible to require periodic reauthentication by setting clients to log-out instead of lock. This is inconvenient since it breaks PIN, offline functionality and requires full reauthentication for every unlock. The current lock behavior on the other hand only requires reauth if a client hasn't connected in 30/90 days, since the token is renewed even on a reduced login that used that same token. This means it effectively never expires, if the client just uses it's existing token more than once a month.
Logic:
If the new option is
falsethe old logic is used (always renew the token). If a normal Password/SSO login is performed the old logic is used.If the option is
truethe JWT isn't renewed in the_refresh_logincode path, leaving it to expire and force a full auth after 30/90 daysCode:
Having
refresh_claims.sub.clone()andSome(&refresh_claims)in the same call isn't amazing, but seems like the simplest way to implement this logic without a refactor to overloadAuthToken::newinto 2 separate, yet almost identical functions.Progress:
Compiled and running, but not yet tested to actually behave as expected (currently ongoing).
Feedback welcome
🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.