/refresh endpoint does not accept second refresh tokens

[krille-chan]

Description

I hope that I don't understand the API wrong but as far as I can see Synapse behaves not correct, when using the /refresh endpoint to refresh the refresh&access tokens.
I'm not yet talking about using Matrix Native OIDC. But using MAS or not results in the same behavior as far as I can see. When claiming that the app supports refresh tokens by setting "refresh_token": true when using POST /client/v3/login the first request to /refresh works as expected, but the second always gets rejected and I don't see the reason for it.

Steps to reproduce

• Login with "refresh_token": true
• Refresh the tokens by using the POST /refresh endpoint
• Use the new access token for something like GET /sync so it gets activated
• Refresh the tokens with the new refresh token
  -> It fails

Homeserver

janian.de, matrix.org, any version

Synapse Version

1.143.0

Installation Method

Docker (matrixdotorg/synapse)

Database

PostgreSQL

Workers

Single process

Platform

Ubuntu 24.04 VM

Configuration

No response

Relevant log output

Login Response after logging in:

{
"access_token": "mct_blneWnwgmfBpVyNR6O6eHr7Xlf7LTJ_1kBgq3",
"device_id": "*******",
"user_id": "@*****:janian.de",
"refresh_token": "mcr_Q9TlHgaSKbQSVEf9aXnk2kH9rHGGfg_SVKDa3",
"expires_in_ms": 300000
}

First Refresh Response with:

mcr_Q9TlHgaSKbQSVEf9aXnk2kH9rHGGfg_SVKDa3

{
"access_token": "mct_aR2RFFqb3WAyTQFSeLbvqI06VNnIHa_ikdEF2",
"refresh_token": "mcr_xEe0TNy1kFgG066lbWdL2iKB4jIsfc_QsWmU4",
"expires_in_ms": 300000
}

Second failed Refresh Response with:

mcr_xEe0TNy1kFgG066lbWdL2iKB4jIsfc_QsWmU4

{"errcode":"M_UNKNOWN_TOKEN","error":"Invalid refresh token"}

[devonh]

Hmm. I tried reproducing this with a test but the test is passing. (tested with both sqlite & postgres)

    def test_second_refresh_after_using_access_token(self) -> None:
        """
        Test that a second refresh works after using the access token from the first refresh.
        """
        # Login with refresh_token=true
        body = {
            "type": "m.login.password",
            "user": "test",
            "password": self.user_pass,
            "refresh_token": True,
        }
        login_response = self.make_request(
            "POST",
            "/_matrix/client/v3/login",
            body,
        )
        self.assertEqual(login_response.code, HTTPStatus.OK, login_response.result)
        refresh_token_1 = login_response.json_body["refresh_token"]

        # First refresh
        first_refresh = self.make_request(
            "POST",
            "/_matrix/client/v3/refresh",
            {"refresh_token": refresh_token_1},
        )
        self.assertEqual(first_refresh.code, HTTPStatus.OK, first_refresh.result)
        refresh_token_2 = first_refresh.json_body["refresh_token"]
        access_token_2 = first_refresh.json_body["access_token"]

        # Use the access token from the first refresh
        whoami_response = self.make_request(
            "GET",
            "/_matrix/client/r0/account/whoami",
            access_token=access_token_2,
        )
        self.assertEqual(whoami_response.code, HTTPStatus.OK, whoami_response.result)

        # Second refresh - this should work
        second_refresh = self.make_request(
            "POST",
            "/_matrix/client/v3/refresh",
            {"refresh_token": refresh_token_2},
        )
        self.assertEqual(second_refresh.code, HTTPStatus.OK, second_refresh.result)
        self.assertIn("access_token", second_refresh.json_body)
        self.assertIn("refresh_token", second_refresh.json_body)

I also tried this manually using curl and it is working:

• /login
• /refresh
• /sync
• /refresh

How are you performing the test steps you mentioned? Are you doing them all manually with curl? Grabbing the access_token from a running client? etc.
As far as I can tell, Synapse should be handling this case as expected.
After an initial glance, the only issues I could see would be due to mixing up tokens somehow or there is some other process also calling /refresh that invalidates the tokens you are testing with.

[reivilibre]

Note: mct_ and mcr_ are compatibility tokens generated by MAS.
Synapse doesn't get involved in handling those tokens and the /refresh endpoint is supposed to be forwarded to MAS like in these docs: https://element-hq.github.io/matrix-authentication-service/setup/reverse-proxy.html#compatibility-layer

Your MAS logs will maybe be useful for explaining why the refresh token was considered invalid.

[krille-chan]

Sorry for the late answer as I'm currently in sick leave.

How are you performing the test steps you mentioned? Are you doing them all manually with curl? Grabbing the access_token from a running client? etc.

First by just implementing in FluffyChat and then reproduced it with Postman. Right now reproduced with Postman on my personal synapse, which is using MAS. Also had it with FluffyChat on matrix.org but because of SSO I had no easy way to reproduce the whole flow with login via curl.

Your MAS logs will maybe be useful for explaining why the refresh token was considered invalid.

The MAS logs are saying that the refresh token was already consumed:

Dec 11 12:24:01 ubuntu docker-compose[1911]: matrix-auth-service    | 2025-12-11T12:24:01.493246Z  INFO http.server.response POST-495752 - "POST /_matrix/client/v3/login HTTP/1.1" 200 OK "PostmanRuntime/7.49.1" [polls: 18, cpu: 1.6ms, elapsed: 43.1ms]
Dec 11 12:24:07 ubuntu docker-compose[1911]: matrix-auth-service    | 2025-12-11T12:24:07.391497Z  INFO http.server.response POST-495759 - "POST /_matrix/client/v3/refresh HTTP/1.1" 200 OK "PostmanRuntime/7.49.1" [polls: 10, cpu: 0.7ms, elapsed: 2.8ms]
Dec 11 12:24:09 ubuntu docker-compose[1911]: matrix-auth-service    | 2025-12-11T12:24:09.799979Z  INFO mas_handlers::activity_tracker::worker:246 Flushing 1 activity records to the database
Dec 11 12:24:13 ubuntu docker-compose[1911]: matrix-auth-service    | 2025-12-11T12:24:13.498025Z  WARN mas_handlers::compat::refresh:55 POST-495766 - refresh token already consumed 01KC6NWQYYVJJTRY6BCHGCBESR
Dec 11 12:24:13 ubuntu docker-compose[1911]: matrix-auth-service    | 2025-12-11T12:24:13.498061Z  WARN http.server.response POST-495766 - "POST /_matrix/client/v3/refresh HTTP/1.1" 401 Unauthorized "PostmanRuntim

You can see the first login, then the first refresh wich works, but then the second refresh always fails. While as mentioned above I'm using the refreshed refresh token from the first refresh for the second refresh correcly so I wonder why it does not work 🤔

[devonh]

No worries, hope you're feeling okay.

I'll make another attempt at reproducing this using MAS and see if I come up with anything.