Skip to content

Authentik refresh - Fixes #6311 #6360

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Authentik refresh - Fixes #6311 #6360

wants to merge 2 commits into from

Conversation

@Ajsmith1435
Copy link

@Ajsmith1435 Ajsmith1435 commented Oct 14, 2025

Fix SSO refresh with Authentik by always adopting the IdP’s rotated refresh token, preventing invalid_grant and premature re-login.

Changes
src/sso_client.rs: exchange_refresh_token always returns Some(current_refresh_token) (rotated if provided, else the one just used).
src/sso.rs: remove fallback to old token; pass the returned token directly to create_auth_tokens.

Why?
Authentik revokes the old refresh token on rotation; reusing it triggers invalid_grant. See

Testing
SSO with Authentik → let access token expire → refresh repeatedly. Expect no invalid_grant; rotated token adopted each cycle.

Refs
Fixes #6311

@Ajsmith1435
sso(authentik): always surface current provider refresh token from ex…
e16a242 
…change
@Ajsmith1435
Update sso.rs - sso(authentik): always adopt rotated provider refresh…
efa54a4 
… token to prevent invalid_grant

Ensures Vaultwarden immediately switches to the IdP’s latest provider refresh token after each refresh, preventing reuse of a revoked token and eliminating `invalid_grant` errors that prematurely log users out.
Timshel
Timshel reviewed Oct 21, 2025
View reviewed changes
src/sso_client.rs
let new_refresh = token_response
.refresh_token()
.map(|t| t.secret().clone())
.unwrap_or_else(|| rt.secret().clone());
Copy link
Contributor

@Timshel Timshel Oct 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey
Not sure how this change anything since .unwrap_or_else(|| rt.secret().clone()) should be equivalent to new_refresh_token.or(Some(refresh_token)).

@Timshel
Copy link
Contributor

Timshel commented Oct 21, 2025

In the issue you mention Request to exchange_refresh_token endpoint failed is triggered as such the part of the method you modified will be short-circuited.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@Timshel Timshel Timshel left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

SSO: Authentik Refresh token not valid

2 participants

@Ajsmith1435 @Timshel