OIDC refresh tokens not used in Web UI (re-login triggered instead) #27041

@mandevnull

Description

Hi,

We are experiencing issues with OIDC authentication in Argo CD Web UI when using GitLab as the OIDC provider.

Summary

Even though refresh tokens are issued by the OIDC provider, Argo CD does not appear to use them. When the ID token expires, Argo CD restarts the full authorization_code flow instead of refreshing the token.

This causes frequent re-authentication and poor user experience, especially with short-lived tokens.

Environment

  • Argo CD version: (e.g. v3.3.x)
  • OIDC Provider: GitLab.com
  • OIDC flow: authorization_code

Configuration

oidc.config: |
    name: GitLab
    issuer: https://gitlab.com
    clientID: xxxxxxx
    clientSecret: $oidc.gitlab.clientSecret
    requestedScopes: ["openid","profile","email"]
    refreshTokenThreshold: 60s

Observed behavior

  • Login works correctly
  • ID token expires quickly (~2 minutes from GitLab)

After expiration:

Argo CD logs show:

failed to verify provider token: oidc: token is expired

Instead of using a refresh token, Argo CD triggers a new authorization_code flow login. This results in repeated login redirects.

Additional observations

  • Refresh tokens are issued by the provider (verified via debug logs)
  • refreshTokenThreshold does not change behavior
  • Behavior is consistent across sessions

Similar issues reported in:

Expected behavior

  • Argo CD should use the refresh token to obtain a new access/ID token
  • User session should continue without full re-authentication
  • Full login should only happen when refresh token expires

Impact

  • Frequent session interruptions
  • Poor UX with short-lived tokens (e.g. GitLab ~2 min ID token)
  • Not suitable for environments with strict token lifetimes

Question

Is this a known limitation of the Argo CD Web UI, or a bug in the refresh token handling?
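The behaviour the Expected behavior section asks for (refresh when the ID token is within refreshTokenThreshold of expiry, keep the session on success, and fall back to the authorization_code flow only when the refresh grant is rejected) as an added example in Go. This is not Argo CD's code and not the reporter's; it assumes a constructed, unsigned ID token, a constructed token endpoint served with httptest, and placeholder client credentials. The exp claim is read without signature verification purely to decide when to refresh; trusting the token still requires the OIDC library's full verification.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"time"
)

// fakeIDToken builds an UNSIGNED, constructed JWT carrying only iss and exp so the
// example runs offline. Real ID tokens are signed by the provider.
func fakeIDToken(exp time.Time) string {
	enc := base64.RawURLEncoding.EncodeToString
	header := enc([]byte(`{"alg":"none","typ":"JWT"}`))
	payload := enc([]byte(fmt.Sprintf(`{"iss":"https://gitlab.com","exp":%d}`, exp.Unix())))
	return header + "." + payload + "." + enc([]byte("constructed-signature"))
}

// idTokenExpiry reads the exp claim. It does NOT verify the signature; it only
// answers "when does this expire", never "should this be trusted".
func idTokenExpiry(idToken string) (time.Time, error) {
	parts := strings.Split(idToken, ".")
	if len(parts) != 3 {
		return time.Time{}, errors.New("malformed JWT")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return time.Time{}, err
	}
	var claims struct{ Exp int64 `json:"exp"` }
	if err := json.Unmarshal(payload, &claims); err != nil || claims.Exp == 0 {
		return time.Time{}, errors.New("missing or unreadable exp claim")
	}
	return time.Unix(claims.Exp, 0), nil
}

// needsRefresh is true when the token is expired or expires within threshold,
// i.e. the semantics a refreshTokenThreshold of 60s implies.
func needsRefresh(idToken string, threshold time.Duration, now time.Time) (bool, error) {
	exp, err := idTokenExpiry(idToken)
	if err != nil {
		return false, err
	}
	return !now.Add(threshold).Before(exp), nil
}

// refreshIDToken performs an OAuth2 refresh_token grant (RFC 6749 section 6)
// and returns the new id_token, or an error if the provider rejects the grant.
func refreshIDToken(c *http.Client, tokenURL, clientID, clientSecret, refreshToken string) (string, error) {
	resp, err := c.PostForm(tokenURL, url.Values{
		"grant_type":    {"refresh_token"},
		"refresh_token": {refreshToken},
		"client_id":     {clientID},
		"client_secret": {clientSecret},
	})
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("token endpoint returned HTTP %d", resp.StatusCode)
	}
	var body struct{ IDToken string `json:"id_token"` }
	if err := json.NewDecoder(resp.Body).Decode(&body); err != nil || body.IDToken == "" {
		return "", errors.New("refresh response carried no id_token")
	}
	return body.IDToken, nil
}

// ensureSession returns "keep" (token still fresh), "refreshed" (new token in the
// second value) or "relogin" (refresh rejected; only the full authorization_code
// flow remains). Client ID and secret are placeholders.
func ensureSession(c *http.Client, tokenURL, idToken, refreshToken string, threshold time.Duration, now time.Time) (string, string, error) {
	stale, err := needsRefresh(idToken, threshold, now)
	if err != nil {
		return "", "", err
	}
	if !stale {
		return "keep", idToken, nil
	}
	newTok, err := refreshIDToken(c, tokenURL, "xxxxxxx", "placeholder-client-secret", refreshToken)
	if err != nil {
		return "relogin", "", nil // refresh grant failed: fall back to a full login
	}
	return "refreshed", newTok, nil
}

// newFakeProvider is a constructed stand-in for the provider's token endpoint:
// it honours one known refresh token and answers invalid_grant to anything else.
func newFakeProvider(validRefresh string, newExp time.Time) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.FormValue("grant_type") != "refresh_token" || r.FormValue("refresh_token") != validRefresh {
			http.Error(w, `{"error":"invalid_grant"}`, http.StatusBadRequest)
			return
		}
		_ = json.NewEncoder(w).Encode(map[string]string{"id_token": fakeIDToken(newExp), "token_type": "Bearer"})
	}))
}

func main() {
	now := time.Now()
	srv := newFakeProvider("good-refresh", now.Add(2*time.Minute))
	defer srv.Close()
	soon := fakeIDToken(now.Add(30 * time.Second)) // inside the 60s threshold
	action, _, err := ensureSession(srv.Client(), srv.URL, soon, "good-refresh", 60*time.Second, now)
	fmt.Println(action, err) // refreshed <nil>
	action, _, err = ensureSession(srv.Client(), srv.URL, soon, "revoked", 60*time.Second, now)
	fmt.Println(action, err) // relogin <nil>
}
```

The point of the split into needsRefresh and refreshIDToken is that the "token is expired" condition from the log line in the report should route to the refresh grant first; a redirect into the authorization_code flow is the correct outcome only when that grant comes back with invalid_grant (refresh token expired or revoked), which is what the "relogin" branch models.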

Labels

  • bug: Something isn't working
  • component:auth: Issues related to login, SSO, OIDC, claims, user session and authentication proxy.
  • triage/pending: This issue needs further triage to be correctly classified