SSO: Authentik Refresh token not valid #2399

Open
opened 2026-02-20 08:17:30 -05:00 by deekerman · 16 comments

Originally created by @samclark2015 on GitHub (Sep 22, 2025).

Prerequisites

Vaultwarden Support String

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.34.3-a2ad1dc7
  • Web-vault version: v2025.8.0
  • OS/Arch: linux/aarch64
  • Running within a container: true (Base: Debian)
  • Database type: SQLite
  • Database version: 3.50.2
  • Uses config.json: true
  • Uses a reverse proxy: true
  • IP Header check: true (X-Forwarded-For)
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • Browser/Server Time Check: true
  • Server/NTP Time Check: true
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Websocket Check: false
  • HTTP Response Checks: true

Config & Details (Generated via diagnostics page)

Show Config & Details

Environment settings which are overridden: DOMAIN, SIGNUPS_ALLOWED

Config:

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": false,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "***:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_idle_timeout": 600,
  "database_max_conns": 10,
  "database_min_conns": 2,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://***********************",
  "domain_origin": "*****://***********************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Forwarded-For",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "purge_incomplete_sso_nonce": "0 20 0 * * *",
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "*******************",
  "smtp_from_name": "Vaultwarden",
  "smtp_host": "********************",
  "smtp_password": "***",
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "************************",
  "sso_allow_unknown_email_verification": false,
  "sso_audience_trusted": null,
  "sso_auth_only_not_session": false,
  "sso_authority": "*****://************************************************",
  "sso_authorize_extra_params": "",
  "sso_callback_path": "*****://****************************************************",
  "sso_client_cache_expiration": 0,
  "sso_client_id": "****************************************",
  "sso_client_secret": "***",
  "sso_debug_tokens": false,
  "sso_enabled": true,
  "sso_master_password_policy": null,
  "sso_only": true,
  "sso_pkce": true,
  "sso_scopes": "email profile offline_access",
  "sso_signups_match_email": true,
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Vaultwarden Build Version

1.34.3-a2ad1dc7

Deployment method

Official Container Image

Custom deployment method

No response

Reverse Proxy

traefik v3.1.2

Host/Server Operating System

Linux

Operating System Version

Ubuntu 25.04

Clients

Desktop, Browser Extension, Android

Client Version

Desktop - 2025.7.0, Firefox - 2025.8.2, Android - 2025.8.1

Steps To Reproduce

  1. Enable SSO with Authentik as detailed in the documentation.
     • Access code validity: minutes=1
     • Access Token validity: minutes=15
     • Refresh Token validity: days=90
  2. Use Vaultwarden as usual

Expected Result

Vaultwarden uses the refresh token provided by Authentik to keep the session alive, exchanging it for a new access token once the Access Token validity period has elapsed. The user is prompted to log in again only after the Refresh Token validity period.

Actual Result

User is prompted for SSO login anywhere from hours to a week after initial login.

Logs

Vaultwarden:
[2025-09-14 14:01:39.786][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None })
[2025-09-14 14:01:39.786][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None })


Authentik:
{
    "token": {
        "pk": 89,
        "app": "authentik_providers_oauth2",
        "name": "Refresh Token for 2 for user 6",
        "model_name": "refreshtoken"
    },
    "message": "Revoked refresh token was used",
    "provider": {
        "pk": 2,
        "app": "authentik_providers_oauth2",
        "name": "Provider for Vaultwarden",
        "model_name": "oauth2provider"
    },
    "http_request": {
        "args": {},
        "path": "/application/o/token/",
        "method": "POST",
        "request_id": "<redacted>",
        "user_agent": ""
    }
}

Screenshots or Videos

No response

Additional Context

Using Authentik v2025.8.1, though appeared on earlier releases.

Originally created by @samclark2015 on GitHub (Sep 22, 2025). ### Prerequisites - [x] I have searched the existing **Closed _AND_ Open** [Issues](https://github.com/dani-garcia/vaultwarden/issues?q=is%3Aissue%20) **_AND_** [Discussions](https://github.com/dani-garcia/vaultwarden/discussions?discussions_q=) - [x] I have searched and read the [documentation](https://github.com/dani-garcia/vaultwarden/wiki/) ### Vaultwarden Support String ### Your environment (Generated via diagnostics page) * Vaultwarden version: v1.34.3-a2ad1dc7 * Web-vault version: v2025.8.0 * OS/Arch: linux/aarch64 * Running within a container: true (Base: Debian) * Database type: SQLite * Database version: 3.50.2 * Uses config.json: true * Uses a reverse proxy: true * IP Header check: true (X-Forwarded-For) * Internet access: true * Internet access via a proxy: false * DNS Check: true * Browser/Server Time Check: true * Server/NTP Time Check: true * Domain Configuration Check: true * HTTPS Check: true * Websocket Check: false * HTTP Response Checks: true ### Config & Details (Generated via diagnostics page) <details><summary>Show Config & Details</summary> **Environment settings which are overridden:** DOMAIN, SIGNUPS_ALLOWED **Config:** ```json { "_duo_akey": null, "_enable_duo": true, "_enable_email_2fa": false, "_enable_smtp": true, "_enable_yubico": true, "_icon_service_csp": "", "_icon_service_url": "", "_ip_header_enabled": true, "_max_note_size": 10000, "_smtp_img_src": "***:", "admin_ratelimit_max_burst": 3, "admin_ratelimit_seconds": 300, "admin_session_lifetime": 20, "admin_token": "***", "allowed_connect_src": "", "allowed_iframe_ancestors": "", "attachments_folder": "data/attachments", "auth_request_purge_schedule": "30 * * * * *", "authenticator_disable_time_drift": false, "data_folder": "data", "database_conn_init": "", "database_idle_timeout": 600, "database_max_conns": 10, "database_min_conns": 2, "database_timeout": 30, "database_url": "***************", "db_connection_retries": 
15, "disable_2fa_remember": false, "disable_admin_token": false, "disable_icon_download": false, "domain": "*****://***********************", "domain_origin": "*****://***********************", "domain_path": "", "domain_set": true, "duo_context_purge_schedule": "30 * * * * *", "duo_host": null, "duo_ikey": null, "duo_skey": null, "duo_use_iframe": false, "email_2fa_auto_fallback": false, "email_2fa_enforce_on_verified_invite": false, "email_attempts_limit": 3, "email_change_allowed": true, "email_expiration_time": 600, "email_token_size": 6, "emergency_access_allowed": true, "emergency_notification_reminder_schedule": "0 3 * * * *", "emergency_request_timeout_schedule": "0 7 * * * *", "enable_db_wal": true, "enable_websocket": true, "enforce_single_org_with_reset_pw_policy": false, "event_cleanup_schedule": "0 10 0 * * *", "events_days_retain": null, "experimental_client_feature_flags": "", "extended_logging": true, "helo_name": null, "hibp_api_key": null, "http_request_block_non_global_ips": true, "http_request_block_regex": null, "icon_blacklist_non_global_ips": true, "icon_blacklist_regex": null, "icon_cache_folder": "data/icon_cache", "icon_cache_negttl": 259200, "icon_cache_ttl": 2592000, "icon_download_timeout": 10, "icon_redirect_code": 302, "icon_service": "internal", "incomplete_2fa_schedule": "30 * * * * *", "incomplete_2fa_time_limit": 3, "increase_note_size_limit": false, "invitation_expiration_hours": 120, "invitation_org_name": "Vaultwarden", "invitations_allowed": true, "ip_header": "X-Forwarded-For", "job_poll_interval_ms": 30000, "log_file": null, "log_level": "info", "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f", "login_ratelimit_max_burst": 10, "login_ratelimit_seconds": 60, "org_attachment_limit": null, "org_creation_users": "", "org_events_enabled": false, "org_groups_enabled": false, "password_hints_allowed": true, "password_iterations": 600000, "purge_incomplete_sso_nonce": "0 20 0 * * *", "push_enabled": false, "push_identity_uri": 
"https://identity.bitwarden.com", "push_installation_id": "***", "push_installation_key": "***", "push_relay_uri": "https://push.bitwarden.com", "reload_templates": false, "require_device_email": false, "rsa_key_filename": "data/rsa_key", "send_purge_schedule": "0 5 * * * *", "sendmail_command": null, "sends_allowed": true, "sends_folder": "data/sends", "show_password_hint": false, "signups_allowed": false, "signups_domains_whitelist": "", "signups_verify": false, "signups_verify_resend_limit": 6, "signups_verify_resend_time": 3600, "smtp_accept_invalid_certs": false, "smtp_accept_invalid_hostnames": false, "smtp_auth_mechanism": null, "smtp_debug": false, "smtp_embed_images": true, "smtp_explicit_tls": null, "smtp_from": "*******************", "smtp_from_name": "Vaultwarden", "smtp_host": "********************", "smtp_password": "***", "smtp_port": 587, "smtp_security": "starttls", "smtp_ssl": null, "smtp_timeout": 15, "smtp_username": "************************", "sso_allow_unknown_email_verification": false, "sso_audience_trusted": null, "sso_auth_only_not_session": false, "sso_authority": "*****://************************************************", "sso_authorize_extra_params": "", "sso_callback_path": "*****://****************************************************", "sso_client_cache_expiration": 0, "sso_client_id": "****************************************", "sso_client_secret": "***", "sso_debug_tokens": false, "sso_enabled": true, "sso_master_password_policy": null, "sso_only": true, "sso_pkce": true, "sso_scopes": "email profile offline_access", "sso_signups_match_email": true, "templates_folder": "data/templates", "tmp_folder": "data/tmp", "trash_auto_delete_days": null, "trash_purge_schedule": "0 5 0 * * *", "use_sendmail": false, "use_syslog": false, "user_attachment_limit": null, "user_send_limit": null, "web_vault_enabled": true, "web_vault_folder": "web-vault/", "yubico_client_id": null, "yubico_secret_key": null, "yubico_server": null } ``` </details> 
### Vaultwarden Build Version 1.34.3-a2ad1dc7 ### Deployment method Official Container Image ### Custom deployment method _No response_ ### Reverse Proxy traefik v3.1.2 ### Host/Server Operating System Linux ### Operating System Version Ubuntu 25.04 ### Clients Desktop, Browser Extension, Android ### Client Version Desktop - 2025.7.0, Firefox - 2025.8.2, Android - 2025.8.1 ### Steps To Reproduce 1. Enable SSO with Authentik as detailed in the [documentation](https://github.com/dani-garcia/vaultwarden/wiki/Enabling-SSO-support-using-OpenId-Connect#authentik). - Access code validity: `minutes=1` - Access Token validity: `minutes=15` - Refresh Token validity: `days=90` 2. Use Vaultwarden as usual ### Expected Result Vaultwarden utilizes the refresh token provided by Authentik to keep session alive, exchanging after Access Token validity period for a new access token. User prompted for login after Refresh Token validity period. ### Actual Result User is prompted for SSO login anywhere from hours to a week after initial login. 
### Logs ```text Vaultwarden: [2025-09-14 14:01:39.786][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None }) [2025-09-14 14:01:39.786][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None }) Authentik: { "token": { "pk": 89, "app": "authentik_providers_oauth2", "name": "Refresh Token for 2 for user 6", "model_name": "refreshtoken" }, "message": "Revoked refresh token was used", "provider": { "pk": 2, "app": "authentik_providers_oauth2", "name": "Provider for Vaultwarden", "model_name": "oauth2provider" }, "http_request": { "args": {}, "path": "/application/o/token/", "method": "POST", "request_id": "<redacted>", "user_agent": "" } } ``` ### Screenshots or Videos _No response_ ### Additional Context Using Authentik v2025.8.1, though appeared on earlier releases.

@Timshel commented on GitHub (Oct 21, 2025):

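Hey,
Sorry, I missed your issue.
This usually happens when two refresh_token calls are made at the same time: the second call presents a refresh token that the first one has already rotated, which would match the "Revoked refresh token was used" event in the Authentik log.
If you can still reproduce it, can you check whether that's the case?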
@Timshel commented on GitHub (Oct 21, 2025): Hey, Sorry missed your issue. This usually happened when two `refresh_token` calls are made at the same time. If you can still reproduce can you check if it's the case ?

@samclark2015 commented on GitHub (Oct 22, 2025):

Thanks! I enabled SSO_AUTH_ONLY_NOT_SESSION, which resolved things (with it, SSO is used only for authentication, not for the session lifecycle). I'd be
happy to disable it again and give some info, though.

What would be useful here? Authentik logs?

On Tue, Oct 21, 2025, 11:50 AM Timshel @.***> wrote:

Timshel left a comment (dani-garcia/vaultwarden#6311)
https://github.com/dani-garcia/vaultwarden/issues/6311#issuecomment-3427695993

Hey,
Sorry missed your issue.
This usually happened when two refresh_token calls are made at the same
time.
If you can still reproduce can you check if it's the case ?



@samclark2015 commented on GitHub (Oct 22, 2025): Thanks! I enabled `SSO_AUTH_ONLY_NOT_SESSION` which resolved things. I'd be happy to disable and give some info, though. What would be useful here? Authentik logs? On Tue, Oct 21, 2025, 11:50 AM Timshel ***@***.***> wrote: > *Timshel* left a comment (dani-garcia/vaultwarden#6311) > <https://github.com/dani-garcia/vaultwarden/issues/6311#issuecomment-3427695993> > > Hey, > Sorry missed your issue. > This usually happened when two refresh_token calls are made at the same > time. > If you can still reproduce can you check if it's the case ? > > — > Reply to this email directly, view it on GitHub > <https://github.com/dani-garcia/vaultwarden/issues/6311#issuecomment-3427695993>, > or unsubscribe > <https://github.com/notifications/unsubscribe-auth/AAMQEWZBG6WCHZNEQGAJEO33YZP5BAVCNFSM6AAAAACHFO6P4GVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZTIMRXGY4TKOJZGM> > . > You are receiving this because you authored the thread.Message ID: > ***@***.***> >

@Timshel commented on GitHub (Oct 22, 2025):

More Vaultwarden server log before the issue is triggered might help :)

@Timshel commented on GitHub (Oct 22, 2025): More Vaultwarden server log before the issue is triggered might help :)

@samclark2015 commented on GitHub (Oct 22, 2025):

Just toggled that setting & will report back with logs when it happens.

@samclark2015 commented on GitHub (Oct 22, 2025): Just toggled that setting & will report back with logs when it happens.

@samclark2015 commented on GitHub (Oct 23, 2025):

Here is a longer log. Multiple clients authenticated in this span, so not sure how helpful this is to trace duplicate calls... Happy to provide any other info that would be useful!

[2025-10-22 22:23:38.203][request][INFO] POST /identity/connect/token
[2025-10-22 22:23:45.353][response][INFO] (login) POST /identity/connect/token => 200 OK
[2025-10-22 22:23:45.899][request][INFO] GET /notifications/hub?access_token=<redacted>
[2025-10-22 22:23:45.899][vaultwarden::api::notifications][INFO] Accepting Rocket WS connection from 172.17.0.1
[2025-10-22 22:23:45.899][response][INFO] (websockets_hub) GET /notifications/hub?<data..> => 200 OK
[2025-10-22 22:27:36.462][request][INFO] GET /api/config
[2025-10-22 22:27:36.462][response][INFO] (config) GET /api/config => 200 OK
[2025-10-22 22:32:43.576][request][INFO] GET /api/config
[2025-10-22 22:32:43.576][response][INFO] (config) GET /api/config => 200 OK
[2025-10-22 22:34:56.980][request][INFO] GET /api/config
[2025-10-22 22:34:56.981][response][INFO] (config) GET /api/config => 200 OK
[2025-10-22 22:42:05.131][request][INFO] GET /api/config
[2025-10-22 22:42:05.131][response][INFO] (config) GET /api/config => 200 OK
[2025-10-22 22:43:08.245][request][INFO] GET /api/config
[2025-10-22 22:43:08.245][response][INFO] (config) GET /api/config => 200 OK
[2025-10-22 22:45:53.123][request][INFO] GET /api/config
[2025-10-22 22:45:53.123][response][INFO] (config) GET /api/config => 200 OK
[2025-10-22 22:48:28.794][request][INFO] GET /api/config
[2025-10-22 22:48:28.794][response][INFO] (config) GET /api/config => 200 OK
[2025-10-22 22:58:44.778][request][INFO] GET /api/config
[2025-10-22 22:58:44.778][response][INFO] (config) GET /api/config => 200 OK
[2025-10-22 23:04:00.410][request][INFO] GET /api/config
[2025-10-22 23:04:00.411][response][INFO] (config) GET /api/config => 200 OK
[2025-10-22 23:08:37.151][request][INFO] GET /api/config
[2025-10-22 23:08:37.151][response][INFO] (config) GET /api/config => 200 OK
[2025-10-22 23:13:37.632][request][INFO] GET /api/config
[2025-10-22 23:13:37.633][response][INFO] (config) GET /api/config => 200 OK
[2025-10-22 23:40:34.141][request][INFO] GET /api/config
[2025-10-22 23:40:34.141][response][INFO] (config) GET /api/config => 200 OK
[2025-10-22 23:51:47.423][request][INFO] GET /api/config
[2025-10-22 23:51:47.423][response][INFO] (config) GET /api/config => 200 OK
[2025-10-22 23:54:16.289][vaultwarden::api::notifications][INFO] Closing WS connection from 172.17.0.1
[2025-10-22 23:58:29.123][request][INFO] POST /identity/connect/token
[2025-10-22 23:58:36.587][response][INFO] (login) POST /identity/connect/token => 200 OK
[2025-10-22 23:58:37.092][request][INFO] GET /notifications/hub?access_token=<redacted>
[2025-10-22 23:58:37.092][vaultwarden::api::notifications][INFO] Accepting Rocket WS connection from 172.17.0.1
[2025-10-22 23:58:37.092][response][INFO] (websockets_hub) GET /notifications/hub?<data..> => 200 OK
[2025-10-23 00:07:01.375][vaultwarden::api::notifications][INFO] Closing WS connection from 172.17.0.1
[2025-10-23 00:07:01.885][request][INFO] GET /api/config
[2025-10-23 00:07:01.885][response][INFO] (config) GET /api/config => 200 OK
[2025-10-23 00:07:01.886][request][INFO] POST /identity/connect/token
[2025-10-23 00:07:09.380][response][INFO] (login) POST /identity/connect/token => 200 OK
[2025-10-23 00:07:09.532][request][INFO] GET /api/sync?excludeDomains=true
[2025-10-23 00:07:09.577][response][INFO] (sync) GET /api/sync?<data..> => 200 OK
[2025-10-23 00:22:31.939][request][INFO] POST /identity/connect/token
[2025-10-23 00:22:39.173][response][INFO] (login) POST /identity/connect/token => 200 OK
[2025-10-23 00:22:39.299][request][INFO] GET /api/sync?excludeDomains=true
[2025-10-23 00:22:39.341][response][INFO] (sync) GET /api/sync?<data..> => 200 OK
[2025-10-23 00:33:07.870][request][INFO] GET /api/config
[2025-10-23 00:33:07.870][response][INFO] (config) GET /api/config => 200 OK
[2025-10-23 00:38:38.169][request][INFO] GET /api/config
[2025-10-23 00:38:38.169][response][INFO] (config) GET /api/config => 200 OK
[2025-10-23 00:46:34.358][request][INFO] GET /api/config
[2025-10-23 00:46:34.358][response][INFO] (config) GET /api/config => 200 OK
[2025-10-23 03:34:24.331][request][INFO] GET /api/config
[2025-10-23 03:34:24.331][response][INFO] (config) GET /api/config => 200 OK
[2025-10-23 03:55:04.179][request][INFO] GET /api/config
[2025-10-23 03:55:04.179][response][INFO] (config) GET /api/config => 200 OK
[2025-10-23 06:52:40.602][request][INFO] POST /identity/connect/token
[2025-10-23 06:52:48.281][response][INFO] (login) POST /identity/connect/token => 200 OK
[2025-10-23 08:01:05.337][request][INFO] POST /identity/connect/token
[2025-10-23 08:01:10.431][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None })
[2025-10-23 08:01:10.431][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None })
[2025-10-23 08:01:10.431][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized
[2025-10-23 08:33:02.418][request][INFO] POST /identity/connect/token
[2025-10-23 08:33:07.584][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None })
[2025-10-23 08:33:07.584][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None })
[2025-10-23 08:33:07.584][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized
[2025-10-23 08:49:57.286][request][INFO] POST /identity/connect/token
[2025-10-23 08:50:02.333][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None })
[2025-10-23 08:50:02.333][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None })
[2025-10-23 08:50:02.333][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized
[2025-10-23 09:02:37.420][request][INFO] GET /api/config
[2025-10-23 09:02:37.420][response][INFO] (config) GET /api/config => 200 OK
[2025-10-23 09:27:32.427][request][INFO] POST /identity/connect/token
[2025-10-23 09:27:37.337][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None })
[2025-10-23 09:27:37.337][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None })
[2025-10-23 09:27:37.337][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized
[2025-10-23 10:02:05.245][request][INFO] POST /identity/connect/token
[2025-10-23 10:02:10.366][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None })
[2025-10-23 10:02:10.367][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None })
[2025-10-23 10:02:10.367][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized
[2025-10-23 10:54:59.161][request][INFO] POST /identity/connect/token
[2025-10-23 10:55:04.236][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None })
[2025-10-23 10:55:04.237][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None })
[2025-10-23 10:55:04.237][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized
[2025-10-23 11:12:22.196][request][INFO] POST /identity/connect/token
[2025-10-23 11:12:27.178][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None })
[2025-10-23 11:12:27.178][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None })
[2025-10-23 11:12:27.178][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized
[2025-10-23 11:56:05.175][request][INFO] POST /identity/connect/token
[2025-10-23 11:56:10.265][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None })
[2025-10-23 11:56:10.265][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None })
[2025-10-23 11:56:10.265][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized
[2025-10-23 12:26:05.232][request][INFO] POST /identity/connect/token
[2025-10-23 12:26:10.912][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None })
[2025-10-23 12:26:10.912][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None })
[2025-10-23 12:26:10.912][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized
[2025-10-23 12:26:12.046][request][INFO] GET /api/config
[2025-10-23 12:26:12.047][response][INFO] (config) GET /api/config => 200 OK
[2025-10-23 12:26:12.052][request][INFO] GET /api/devices/knowndevice
[2025-10-23 12:26:12.053][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK
@samclark2015 commented on GitHub (Oct 23, 2025): Here is a longer log. Multiple clients authenticated in this span, so not sure how helpful this is to trace duplicate calls... Happy to provide any other info that would be useful! ``` [2025-10-22 22:23:38.203][request][INFO] POST /identity/connect/token [2025-10-22 22:23:45.353][response][INFO] (login) POST /identity/connect/token => 200 OK [2025-10-22 22:23:45.899][request][INFO] GET /notifications/hub?access_token=<redacted> [2025-10-22 22:23:45.899][vaultwarden::api::notifications][INFO] Accepting Rocket WS connection from 172.17.0.1 [2025-10-22 22:23:45.899][response][INFO] (websockets_hub) GET /notifications/hub?<data..> => 200 OK [2025-10-22 22:27:36.462][request][INFO] GET /api/config [2025-10-22 22:27:36.462][response][INFO] (config) GET /api/config => 200 OK [2025-10-22 22:32:43.576][request][INFO] GET /api/config [2025-10-22 22:32:43.576][response][INFO] (config) GET /api/config => 200 OK [2025-10-22 22:34:56.980][request][INFO] GET /api/config [2025-10-22 22:34:56.981][response][INFO] (config) GET /api/config => 200 OK [2025-10-22 22:42:05.131][request][INFO] GET /api/config [2025-10-22 22:42:05.131][response][INFO] (config) GET /api/config => 200 OK [2025-10-22 22:43:08.245][request][INFO] GET /api/config [2025-10-22 22:43:08.245][response][INFO] (config) GET /api/config => 200 OK [2025-10-22 22:45:53.123][request][INFO] GET /api/config [2025-10-22 22:45:53.123][response][INFO] (config) GET /api/config => 200 OK [2025-10-22 22:48:28.794][request][INFO] GET /api/config [2025-10-22 22:48:28.794][response][INFO] (config) GET /api/config => 200 OK [2025-10-22 22:58:44.778][request][INFO] GET /api/config [2025-10-22 22:58:44.778][response][INFO] (config) GET /api/config => 200 OK [2025-10-22 23:04:00.410][request][INFO] GET /api/config [2025-10-22 23:04:00.411][response][INFO] (config) GET /api/config => 200 OK [2025-10-22 23:08:37.151][request][INFO] GET /api/config [2025-10-22 23:08:37.151][response][INFO] 
(config) GET /api/config => 200 OK [2025-10-22 23:13:37.632][request][INFO] GET /api/config [2025-10-22 23:13:37.633][response][INFO] (config) GET /api/config => 200 OK [2025-10-22 23:40:34.141][request][INFO] GET /api/config [2025-10-22 23:40:34.141][response][INFO] (config) GET /api/config => 200 OK [2025-10-22 23:51:47.423][request][INFO] GET /api/config [2025-10-22 23:51:47.423][response][INFO] (config) GET /api/config => 200 OK [2025-10-22 23:54:16.289][vaultwarden::api::notifications][INFO] Closing WS connection from 172.17.0.1 [2025-10-22 23:58:29.123][request][INFO] POST /identity/connect/token [2025-10-22 23:58:36.587][response][INFO] (login) POST /identity/connect/token => 200 OK [2025-10-22 23:58:37.092][request][INFO] GET /notifications/hub?access_token=<redacted> [2025-10-22 23:58:37.092][vaultwarden::api::notifications][INFO] Accepting Rocket WS connection from 172.17.0.1 [2025-10-22 23:58:37.092][response][INFO] (websockets_hub) GET /notifications/hub?<data..> => 200 OK [2025-10-23 00:07:01.375][vaultwarden::api::notifications][INFO] Closing WS connection from 172.17.0.1 [2025-10-23 00:07:01.885][request][INFO] GET /api/config [2025-10-23 00:07:01.885][response][INFO] (config) GET /api/config => 200 OK [2025-10-23 00:07:01.886][request][INFO] POST /identity/connect/token [2025-10-23 00:07:09.380][response][INFO] (login) POST /identity/connect/token => 200 OK [2025-10-23 00:07:09.532][request][INFO] GET /api/sync?excludeDomains=true [2025-10-23 00:07:09.577][response][INFO] (sync) GET /api/sync?<data..> => 200 OK [2025-10-23 00:22:31.939][request][INFO] POST /identity/connect/token [2025-10-23 00:22:39.173][response][INFO] (login) POST /identity/connect/token => 200 OK [2025-10-23 00:22:39.299][request][INFO] GET /api/sync?excludeDomains=true [2025-10-23 00:22:39.341][response][INFO] (sync) GET /api/sync?<data..> => 200 OK [2025-10-23 00:33:07.870][request][INFO] GET /api/config [2025-10-23 00:33:07.870][response][INFO] (config) GET /api/config => 200 
OK [2025-10-23 00:38:38.169][request][INFO] GET /api/config [2025-10-23 00:38:38.169][response][INFO] (config) GET /api/config => 200 OK [2025-10-23 00:46:34.358][request][INFO] GET /api/config [2025-10-23 00:46:34.358][response][INFO] (config) GET /api/config => 200 OK [2025-10-23 03:34:24.331][request][INFO] GET /api/config [2025-10-23 03:34:24.331][response][INFO] (config) GET /api/config => 200 OK [2025-10-23 03:55:04.179][request][INFO] GET /api/config [2025-10-23 03:55:04.179][response][INFO] (config) GET /api/config => 200 OK [2025-10-23 06:52:40.602][request][INFO] POST /identity/connect/token [2025-10-23 06:52:48.281][response][INFO] (login) POST /identity/connect/token => 200 OK [2025-10-23 08:01:05.337][request][INFO] POST /identity/connect/token [2025-10-23 08:01:10.431][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None }) [2025-10-23 08:01:10.431][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None }) [2025-10-23 08:01:10.431][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized [2025-10-23 08:33:02.418][request][INFO] POST /identity/connect/token [2025-10-23 08:33:07.584][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization 
grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None }) [2025-10-23 08:33:07.584][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None }) [2025-10-23 08:33:07.584][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized [2025-10-23 08:49:57.286][request][INFO] POST /identity/connect/token [2025-10-23 08:50:02.333][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None }) [2025-10-23 08:50:02.333][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None }) [2025-10-23 08:50:02.333][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized [2025-10-23 09:02:37.420][request][INFO] GET /api/config [2025-10-23 09:02:37.420][response][INFO] (config) GET /api/config => 200 OK [2025-10-23 09:27:32.427][request][INFO] POST /identity/connect/token [2025-10-23 09:27:37.337][vaultwarden::sso_client][ERROR] Request to 
exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None }) [2025-10-23 09:27:37.337][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None }) [2025-10-23 09:27:37.337][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized [2025-10-23 10:02:05.245][request][INFO] POST /identity/connect/token [2025-10-23 10:02:10.366][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None }) [2025-10-23 10:02:10.367][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None }) [2025-10-23 10:02:10.367][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized [2025-10-23 10:54:59.161][request][INFO] POST /identity/connect/token [2025-10-23 
10:55:04.236][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None }) [2025-10-23 10:55:04.237][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None }) [2025-10-23 10:55:04.237][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized [2025-10-23 11:12:22.196][request][INFO] POST /identity/connect/token [2025-10-23 11:12:27.178][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None }) [2025-10-23 11:12:27.178][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None }) [2025-10-23 11:12:27.178][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized [2025-10-23 11:56:05.175][request][INFO] POST 
/identity/connect/token [2025-10-23 11:56:10.265][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None }) [2025-10-23 11:56:10.265][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None }) [2025-10-23 11:56:10.265][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized [2025-10-23 12:26:05.232][request][INFO] POST /identity/connect/token [2025-10-23 12:26:10.912][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None }) [2025-10-23 12:26:10.912][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None }) [2025-10-23 12:26:10.912][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized [2025-10-23 
12:26:12.046][request][INFO] GET /api/config [2025-10-23 12:26:12.047][response][INFO] (config) GET /api/config => 200 OK [2025-10-23 12:26:12.052][request][INFO] GET /api/devices/knowndevice [2025-10-23 12:26:12.053][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK ```

@Timshel commented on GitHub (Oct 27, 2025):

Hey,
So it does not look like the use case I was speaking of, since it used to manifest with two almost simultaneous POST /identity/connect/token with only one of the two working.

With a 90-day refresh token validity I'm not sure what could be the source of the error :(.
Would you have a way to track in Authentik when the token was revoked?

@Timshel commented on GitHub (Oct 27, 2025): Hey, So it does not look like the use case I was speaking of, since it used to manifest with two almost simultaneous `POST /identity/connect/token` with only one of the two working. With a 90days refresh token validity I'm not sure what could be the source of the error :(. Would you have a way to track in Authentik when the token was revoked ?

@controlaltnerd commented on GitHub (Nov 11, 2025):

I seem to be having a similar issue. In my case, I'm getting the error [ERROR] Unable to refresh login credentials: Access token is close to expiration but we have no refresh token. I have access token expiration set to 10 minutes, and after I've logged in to Vaultwarden on either the web or through the Chrome extension, about 10 minutes later both will sign me out and the error will be logged.

Refresh token lifespan is set to 30 days, and I am able to verify that the refresh token is actually being passed from Authentik to the web frontend so my best guess at the moment is that somehow the access token is being used in place of the refresh token, which would suggest Vaultwarden is attempting to authenticate again rather than refresh. I could eliminate session handling and restrict it to authentication only, but I'm unsure of what the result would be. Would the session just persist for the duration of the Authentik login session?

@controlaltnerd commented on GitHub (Nov 11, 2025): I seem to be having a similar issue. In my case, I'm getting the error `[ERROR] Unable to refresh login credentials: Access token is close to expiration but we have no refresh token`. I have access token expiration set to 10 minutes, and after I've logged in to Vaultwarden on either the web or through the Chrome extension, about 10 minutes later both will sign me out and the error will be logged. Refresh token lifespan is set to 30 days, and I am able to verify that the refresh token is actually being passed from Authentik to the web frontend so my best guess at the moment is that somehow the access token is being used in place of the refresh token, which would suggest Vaultwarden is attempting to authenticate again rather than refresh. I could eliminate session handling and restrict it to authentication only, but I'm unsure of what the result would be. Would the session just persist for the duration of the Authentik login session?

@0xmillennium commented on GitHub (Jan 20, 2026):

@Timshel You mentioned earlier that this invalid_grant loop might be caused by two refresh_token calls happening at the same time. I am experiencing a specific issue with OIDC (Authelia) where the session is killed exactly at the 1-hour mark (access token expiration) due to a race condition in the refresh flow.

Environment:

Server: Vaultwarden (Docker)

OIDC Provider: Authelia

Client: Bitwarden Browser Extension (Desktop/Mobile apps work fine)

Auth Method: client_secret_basic (since Vaultwarden does not seem to support client_secret_post yet)

The Issue:

I am encountering a session termination issue with the Bitwarden Browser Extension when using OIDC (Authelia). The logs confirm that the client is firing two identical refresh requests at the exact same millisecond.

  1. Request A is processed successfully (Token A → Token B).
  2. Request B (processed milliseconds later) tries to use Token A again.
  3. Authelia detects "Token Reuse," assumes theft, and revokes the entire token family.
  4. The session is immediately killed (invalid_grant).

Logs:

Notice the timestamp 04:25:20.652. Two POST requests are initiated simultaneously.

vaultwarden  | [2026-01-21 04:25:10.972][request][INFO] GET /api/config
vaultwarden  | [2026-01-21 04:25:10.972][response][INFO] (config) GET /api/config => 200 OK
# --- THE RACE CONDITION STARTS HERE ---
vaultwarden  | [2026-01-21 04:25:20.652][request][INFO] POST /identity/connect/token  <-- Request #1
vaultwarden  | [2026-01-21 04:25:20.652][request][INFO] POST /identity/connect/token  <-- Request #2 (DUPLICATE at exact same ms)
# --------------------------------------
vaultwarden  | [2026-01-21 04:25:21.335][response][INFO] (login) POST /identity/connect/token => 200 OK  <-- Success (Token Rotated)
vaultwarden  | [2026-01-21 04:25:21.397][request][INFO] GET /api/config
vaultwarden  | [2026-01-21 04:25:21.397][response][INFO] (config) GET /api/config => 200 OK
# --- THE FAILURE ---
vaultwarden  | [2026-01-21 04:25:21.633][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant... or refresh token is invalid..."), error_uri: None })
vaultwarden  | [2026-01-21 04:25:21.633][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed
vaultwarden  | [2026-01-21 04:25:21.633][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized  <-- Session Killed due to reuse
# -------------------
vaultwarden  | [2026-01-21 04:25:21.744][request][INFO] GET /api/devices/knowndevice
vaultwarden  | [2026-01-21 04:25:21.746][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK
vaultwarden  | [2026-01-21 04:25:22.055][request][INFO] GET /api/config
vaultwarden  | [2026-01-21 04:25:22.055][response][INFO] (config) GET /api/config => 200 OK
vaultwarden  | [2026-01-21 04:25:22.056][request][INFO] POST /identity/connect/token
vaultwarden  | [2026-01-21 04:25:22.453][response][INFO] (login) POST /identity/connect/token => 200 OK
vaultwarden  | [2026-01-21 04:25:22.595][request][INFO] GET /api/sync?excludeDomains=true
vaultwarden  | [2026-01-21 04:25:22.632][response][INFO] (sync) GET /api/sync?<data..> => 200 OK
vaultwarden  | [2026-01-21 04:25:27.317][request][INFO] GET /api/devices/knowndevice
vaultwarden  | [2026-01-21 04:25:27.319][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK

Consistency & Impact: This issue happens every single time the token expiration is reached (100% reproducible). It is not an intermittent glitch.

  • The browser extension suffers a hard logout exactly when the access token expires (default 1 hour).
  • The silent refresh fails due to the 401 error, and the user is forced to manually re-authenticate via SSO. The extension acts as if the session is completely invalid.

Important Note: I do not want to use the workaround of setting extremely long Access Token lifespans (e.g. 30 days) to simply bypass the refresh loop. I aim to maintain secure, short-lived tokens with proper SSO management. Therefore, fixing this race condition/debounce issue is critical for my use case.

Is there a workaround to lock the refresh process or debounce these calls within Vaultwarden?

@0xmillennium commented on GitHub (Jan 20, 2026): @Timshel You mentioned earlier that this `invalid_grant` loop might be caused by two refresh_token calls happening at the same time. I am experiencing a specific issue with OIDC (Authelia) where the session is killed exactly at the 1-hour mark (access token expiration) due to a race condition in the refresh flow. ### Environment: **Server:** Vaultwarden (Docker) **OIDC Provider:** Authelia **Client:** Bitwarden Browser Extension (Desktop/Mobile apps work fine) **Auth Method:** `client_secret_basic` (since Vaultwarden does not seem to support `client_secret_post` yet) ### The Issue: I am encountering a session termination issue with the Bitwarden Browser Extension when using OIDC (Authelia). The logs confirm that the client is firing two identical refresh requests at the exact same millisecond. 1. **Request A** is processed successfully (Token A $\rightarrow$ Token B). 2. **Request B** (processed milliseconds later) tries to use Token A again. 3. Authelia detects "Token Reuse," assumes theft, and revokes the entire token family. 4. The session is immediately killed (`invalid_grant`). ### Logs: Notice the timestamp 04:25:20.652. Two POST requests are initiated simultaneously. 
``` vaultwarden | [2026-01-21 04:25:10.972][request][INFO] GET /api/config vaultwarden | [2026-01-21 04:25:10.972][response][INFO] (config) GET /api/config => 200 OK # --- THE RACE CONDITION STARTS HERE --- vaultwarden | [2026-01-21 04:25:20.652][request][INFO] POST /identity/connect/token <-- Request #1 vaultwarden | [2026-01-21 04:25:20.652][request][INFO] POST /identity/connect/token <-- Request #2 (DUPLICATE at exact same ms) # -------------------------------------- vaultwarden | [2026-01-21 04:25:21.335][response][INFO] (login) POST /identity/connect/token => 200 OK <-- Success (Token Rotated) vaultwarden | [2026-01-21 04:25:21.397][request][INFO] GET /api/config vaultwarden | [2026-01-21 04:25:21.397][response][INFO] (config) GET /api/config => 200 OK # --- THE FAILURE --- vaultwarden | [2026-01-21 04:25:21.633][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant... 
or refresh token is invalid..."), error_uri: None }) vaultwarden | [2026-01-21 04:25:21.633][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed vaultwarden | [2026-01-21 04:25:21.633][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized <-- Session Killed due to reuse # ------------------- vaultwarden | [2026-01-21 04:25:21.744][request][INFO] GET /api/devices/knowndevice vaultwarden | [2026-01-21 04:25:21.746][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK vaultwarden | [2026-01-21 04:25:22.055][request][INFO] GET /api/config vaultwarden | [2026-01-21 04:25:22.055][response][INFO] (config) GET /api/config => 200 OK vaultwarden | [2026-01-21 04:25:22.056][request][INFO] POST /identity/connect/token vaultwarden | [2026-01-21 04:25:22.453][response][INFO] (login) POST /identity/connect/token => 200 OK vaultwarden | [2026-01-21 04:25:22.595][request][INFO] GET /api/sync?excludeDomains=true vaultwarden | [2026-01-21 04:25:22.632][response][INFO] (sync) GET /api/sync?<data..> => 200 OK vaultwarden | [2026-01-21 04:25:27.317][request][INFO] GET /api/devices/knowndevice vaultwarden | [2026-01-21 04:25:27.319][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK ``` **Consistency & Impact:** This issue happens every single time the token expiration is reached (100% reproducible). It is not an intermittent glitch. - The browser extension suffers a hard logout exactly when the access token expires (default 1 hour). - The silent refresh fails due to the 401 error, and the user is forced to manually re-authenticate via SSO. The extension acts as if the session is completely invalid. **Important Note:** I do not want to use the workaround of setting extremely long Access Token lifespans (e.g. 30 days) to simply bypass the refresh loop. I aim to maintain secure, short-lived tokens with proper SSO management. 
Therefore, fixing this race condition/debounce issue is critical for my use case. Is there a workaround to lock the refresh process or debounce these calls within Vaultwarden?

@Timshel commented on GitHub (Jan 28, 2026):

@0xmillennium Hey not sure why it's happening only with the browser extension. It should share the same code as the desktop/web app :(.
I contributed a fix (https://github.com/bitwarden/clients/pull/10799) last year which should prevent the issue :(.
I'll try to have a look to see if I can find something.

@Timshel commented on GitHub (Jan 28, 2026): @0xmillennium Hey not sure why it's happening only with the browser extension. It should share the same code as the desktop/web app :(. I contributed a fix (https://github.com/bitwarden/clients/pull/10799) last year which should prevent the issue :(. I'll try to have a look to see if I can find something.

@faustlod commented on GitHub (Feb 9, 2026):

Prerequisites

Vaultwarden Support String

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.34.3-a2ad1dc7
  • Web-vault version: v2025.8.0
  • OS/Arch: linux/aarch64
  • Running within a container: true (Base: Debian)
  • Database type: SQLite
  • Database version: 3.50.2
  • Uses config.json: true
  • Uses a reverse proxy: true
  • IP Header check: true (X-Forwarded-For)
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • Browser/Server Time Check: true
  • Server/NTP Time Check: true
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Websocket Check: false
  • HTTP Response Checks: true

Config & Details (Generated via diagnostics page)

Show Config & Details
Environment settings which are overridden: DOMAIN, SIGNUPS_ALLOWED

Config:

{
"_duo_akey": null,
"_enable_duo": true,
"_enable_email_2fa": false,
"_enable_smtp": true,
"_enable_yubico": true,
"_icon_service_csp": "",
"_icon_service_url": "",
"_ip_header_enabled": true,
"_max_note_size": 10000,
"_smtp_img_src": "***:",
"admin_ratelimit_max_burst": 3,
"admin_ratelimit_seconds": 300,
"admin_session_lifetime": 20,
"admin_token": "***",
"allowed_connect_src": "",
"allowed_iframe_ancestors": "",
"attachments_folder": "data/attachments",
"auth_request_purge_schedule": "30 * * * * *",
"authenticator_disable_time_drift": false,
"data_folder": "data",
"database_conn_init": "",
"database_idle_timeout": 600,
"database_max_conns": 10,
"database_min_conns": 2,
"database_timeout": 30,
"database_url": "***************",
"db_connection_retries": 15,
"disable_2fa_remember": false,
"disable_admin_token": false,
"disable_icon_download": false,
"domain": "*****://***********************",
"domain_origin": "*****://***********************",
"domain_path": "",
"domain_set": true,
"duo_context_purge_schedule": "30 * * * * ",
"duo_host": null,
"duo_ikey": null,
"duo_skey": null,
"duo_use_iframe": false,
"email_2fa_auto_fallback": false,
"email_2fa_enforce_on_verified_invite": false,
"email_attempts_limit": 3,
"email_change_allowed": true,
"email_expiration_time": 600,
"email_token_size": 6,
"emergency_access_allowed": true,
"emergency_notification_reminder_schedule": "0 3 * * * ",
"emergency_request_timeout_schedule": "0 7 * * * ",
"enable_db_wal": true,
"enable_websocket": true,
"enforce_single_org_with_reset_pw_policy": false,
"event_cleanup_schedule": "0 10 0 * * ",
"events_days_retain": null,
"experimental_client_feature_flags": "",
"extended_logging": true,
"helo_name": null,
"hibp_api_key": null,
"http_request_block_non_global_ips": true,
"http_request_block_regex": null,
"icon_blacklist_non_global_ips": true,
"icon_blacklist_regex": null,
"icon_cache_folder": "data/icon_cache",
"icon_cache_negttl": 259200,
"icon_cache_ttl": 2592000,
"icon_download_timeout": 10,
"icon_redirect_code": 302,
"icon_service": "internal",
"incomplete_2fa_schedule": "30 * * * * ",
"incomplete_2fa_time_limit": 3,
"increase_note_size_limit": false,
"invitation_expiration_hours": 120,
"invitation_org_name": "Vaultwarden",
"invitations_allowed": true,
"ip_header": "X-Forwarded-For",
"job_poll_interval_ms": 30000,
"log_file": null,
"log_level": "info",
"log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
"login_ratelimit_max_burst": 10,
"login_ratelimit_seconds": 60,
"org_attachment_limit": null,
"org_creation_users": "",
"org_events_enabled": false,
"org_groups_enabled": false,
"password_hints_allowed": true,
"password_iterations": 600000,
"purge_incomplete_sso_nonce": "0 20 0 * * ",
"push_enabled": false,
"push_identity_uri": "https://identity.bitwarden.com",
"push_installation_id": "
",
"push_installation_key": "
",
"push_relay_uri": "https://push.bitwarden.com",
"reload_templates": false,
"require_device_email": false,
"rsa_key_filename": "data/rsa_key",
"send_purge_schedule": "0 5 * * * ",
"sendmail_command": null,
"sends_allowed": true,
"sends_folder": "data/sends",
"show_password_hint": false,
"signups_allowed": false,
"signups_domains_whitelist": "",
"signups_verify": false,
"signups_verify_resend_limit": 6,
"signups_verify_resend_time": 3600,
"smtp_accept_invalid_certs": false,
"smtp_accept_invalid_hostnames": false,
"smtp_auth_mechanism": null,
"smtp_debug": false,
"smtp_embed_images": true,
"smtp_explicit_tls": null,
"smtp_from": "
******************",
"smtp_from_name": "Vaultwarden",
"smtp_host": "
",
"smtp_password": "
",
"smtp_port": 587,
"smtp_security": "starttls",
"smtp_ssl": null,
"smtp_timeout": 15,
"smtp_username": "
",
"sso_allow_unknown_email_verification": false,
"sso_audience_trusted": null,
"sso_auth_only_not_session": false,
"sso_authority": "
://
",
"sso_authorize_extra_params": "",
"sso_callback_path": "
://
",
"sso_client_cache_expiration": 0,
"sso_client_id": "
************",
"sso_client_secret": "
",
"sso_debug_tokens": false,
"sso_enabled": true,
"sso_master_password_policy": null,
"sso_only": true,
"sso_pkce": true,
"sso_scopes": "email profile offline_access",
"sso_signups_match_email": true,
"templates_folder": "data/templates",
"tmp_folder": "data/tmp",
"trash_auto_delete_days": null,
"trash_purge_schedule": "0 5 0 * * *",
"use_sendmail": false,
"use_syslog": false,
"user_attachment_limit": null,
"user_send_limit": null,
"web_vault_enabled": true,
"web_vault_folder": "web-vault/",
"yubico_client_id": null,
"yubico_secret_key": null,
"yubico_server": null
}

Vaultwarden Build Version

1.34.3-a2ad1dc7

Deployment method

Official Container Image

Custom deployment method

No response

Reverse Proxy

traefik v3.1.2

Host/Server Operating System

Linux

Operating System Version

Ubuntu 25.04

Clients

Desktop, Browser Extension, Android

Client Version

Desktop - 2025.7.0, Firefox - 2025.8.2, Android - 2025.8.1

Steps To Reproduce

  1. Enable SSO with Authentik as detailed in the documentation.
  • Access code validity: minutes=1
  • Access Token validity: minutes=15
  • Refresh Token validity: days=90
  2. Use Vaultwarden as usual

Expected Result

Vaultwarden utilizes the refresh token provided by Authentik to keep session alive, exchanging after Access Token validity period for a new access token. User prompted for login after Refresh Token validity period.

Actual Result

User is prompted for SSO login anywhere from hours to a week after initial login.

Logs

Vaultwarden:
[2025-09-14 14:01:39.786][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None })
[2025-09-14 14:01:39.786][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None })


Authentik:
{
    "token": {
        "pk": 89,
        "app": "authentik_providers_oauth2",
        "name": "Refresh Token for 2 for user 6",
        "model_name": "refreshtoken"
    },
    "message": "Revoked refresh token was used",
    "provider": {
        "pk": 2,
        "app": "authentik_providers_oauth2",
        "name": "Provider for Vaultwarden",
        "model_name": "oauth2provider"
    },
    "http_request": {
        "args": {},
        "path": "/application/o/token/",
        "method": "POST",
        "request_id": "<redacted>",
        "user_agent": ""
    }
}

Screenshots or Videos

No response

Additional Context

Using Authentik v2025.8.1, though appeared on earlier releases.

@faustlod commented on GitHub (Feb 9, 2026): > ### Prerequisites > * [x] I have searched the existing **Closed _AND_ Open** [Issues](https://github.com/dani-garcia/vaultwarden/issues?q=is%3Aissue%20) **_AND_** [Discussions](https://github.com/dani-garcia/vaultwarden/discussions?discussions_q=)[x] I have searched and read the [documentation](https://github.com/dani-garcia/vaultwarden/wiki/) > > ### Vaultwarden Support String > ### Your environment (Generated via diagnostics page) > * Vaultwarden version: v1.34.3-a2ad1dc7 > * Web-vault version: v2025.8.0 > * OS/Arch: linux/aarch64 > * Running within a container: true (Base: Debian) > * Database type: SQLite > * Database version: 3.50.2 > * Uses config.json: true > * Uses a reverse proxy: true > * IP Header check: true (X-Forwarded-For) > * Internet access: true > * Internet access via a proxy: false > * DNS Check: true > * Browser/Server Time Check: true > * Server/NTP Time Check: true > * Domain Configuration Check: true > * HTTPS Check: true > * Websocket Check: false > * HTTP Response Checks: true > > ### Config & Details (Generated via diagnostics page) > Show Config & Details > **Environment settings which are overridden:** DOMAIN, SIGNUPS_ALLOWED > > **Config:** > > { > "_duo_akey": null, > "_enable_duo": true, > "_enable_email_2fa": false, > "_enable_smtp": true, > "_enable_yubico": true, > "_icon_service_csp": "", > "_icon_service_url": "", > "_ip_header_enabled": true, > "_max_note_size": 10000, > "_smtp_img_src": "***:", > "admin_ratelimit_max_burst": 3, > "admin_ratelimit_seconds": 300, > "admin_session_lifetime": 20, > "admin_token": "***", > "allowed_connect_src": "", > "allowed_iframe_ancestors": "", > "attachments_folder": "data/attachments", > "auth_request_purge_schedule": "30 * * * * *", > "authenticator_disable_time_drift": false, > "data_folder": "data", > "database_conn_init": "", > "database_idle_timeout": 600, > "database_max_conns": 10, > "database_min_conns": 2, > "database_timeout": 30, > 
"database_url": "***************", > "db_connection_retries": 15, > "disable_2fa_remember": false, > "disable_admin_token": false, > "disable_icon_download": false, > "domain": "*****://***********************", > "domain_origin": "*****://***********************", > "domain_path": "", > "domain_set": true, > "duo_context_purge_schedule": "30 * * * * *", > "duo_host": null, > "duo_ikey": null, > "duo_skey": null, > "duo_use_iframe": false, > "email_2fa_auto_fallback": false, > "email_2fa_enforce_on_verified_invite": false, > "email_attempts_limit": 3, > "email_change_allowed": true, > "email_expiration_time": 600, > "email_token_size": 6, > "emergency_access_allowed": true, > "emergency_notification_reminder_schedule": "0 3 * * * *", > "emergency_request_timeout_schedule": "0 7 * * * *", > "enable_db_wal": true, > "enable_websocket": true, > "enforce_single_org_with_reset_pw_policy": false, > "event_cleanup_schedule": "0 10 0 * * *", > "events_days_retain": null, > "experimental_client_feature_flags": "", > "extended_logging": true, > "helo_name": null, > "hibp_api_key": null, > "http_request_block_non_global_ips": true, > "http_request_block_regex": null, > "icon_blacklist_non_global_ips": true, > "icon_blacklist_regex": null, > "icon_cache_folder": "data/icon_cache", > "icon_cache_negttl": 259200, > "icon_cache_ttl": 2592000, > "icon_download_timeout": 10, > "icon_redirect_code": 302, > "icon_service": "internal", > "incomplete_2fa_schedule": "30 * * * * *", > "incomplete_2fa_time_limit": 3, > "increase_note_size_limit": false, > "invitation_expiration_hours": 120, > "invitation_org_name": "Vaultwarden", > "invitations_allowed": true, > "ip_header": "X-Forwarded-For", > "job_poll_interval_ms": 30000, > "log_file": null, > "log_level": "info", > "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f", > "login_ratelimit_max_burst": 10, > "login_ratelimit_seconds": 60, > "org_attachment_limit": null, > "org_creation_users": "", > "org_events_enabled": false, > 
"org_groups_enabled": false, > "password_hints_allowed": true, > "password_iterations": 600000, > "purge_incomplete_sso_nonce": "0 20 0 * * *", > "push_enabled": false, > "push_identity_uri": "https://identity.bitwarden.com", > "push_installation_id": "***", > "push_installation_key": "***", > "push_relay_uri": "https://push.bitwarden.com", > "reload_templates": false, > "require_device_email": false, > "rsa_key_filename": "data/rsa_key", > "send_purge_schedule": "0 5 * * * *", > "sendmail_command": null, > "sends_allowed": true, > "sends_folder": "data/sends", > "show_password_hint": false, > "signups_allowed": false, > "signups_domains_whitelist": "", > "signups_verify": false, > "signups_verify_resend_limit": 6, > "signups_verify_resend_time": 3600, > "smtp_accept_invalid_certs": false, > "smtp_accept_invalid_hostnames": false, > "smtp_auth_mechanism": null, > "smtp_debug": false, > "smtp_embed_images": true, > "smtp_explicit_tls": null, > "smtp_from": "*******************", > "smtp_from_name": "Vaultwarden", > "smtp_host": "********************", > "smtp_password": "***", > "smtp_port": 587, > "smtp_security": "starttls", > "smtp_ssl": null, > "smtp_timeout": 15, > "smtp_username": "************************", > "sso_allow_unknown_email_verification": false, > "sso_audience_trusted": null, > "sso_auth_only_not_session": false, > "sso_authority": "*****://************************************************", > "sso_authorize_extra_params": "", > "sso_callback_path": "*****://****************************************************", > "sso_client_cache_expiration": 0, > "sso_client_id": "****************************************", > "sso_client_secret": "***", > "sso_debug_tokens": false, > "sso_enabled": true, > "sso_master_password_policy": null, > "sso_only": true, > "sso_pkce": true, > "sso_scopes": "email profile offline_access", > "sso_signups_match_email": true, > "templates_folder": "data/templates", > "tmp_folder": "data/tmp", > "trash_auto_delete_days": null, > 
"trash_purge_schedule": "0 5 0 * * *", > "use_sendmail": false, > "use_syslog": false, > "user_attachment_limit": null, > "user_send_limit": null, > "web_vault_enabled": true, > "web_vault_folder": "web-vault/", > "yubico_client_id": null, > "yubico_secret_key": null, > "yubico_server": null > } > ### Vaultwarden Build Version > 1.34.3-a2ad1dc7 > > ### Deployment method > Official Container Image > > ### Custom deployment method > _No response_ > > ### Reverse Proxy > traefik v3.1.2 > > ### Host/Server Operating System > Linux > > ### Operating System Version > Ubuntu 25.04 > > ### Clients > Desktop, Browser Extension, Android > > ### Client Version > Desktop - 2025.7.0, Firefox - 2025.8.2, Android - 2025.8.1 > > ### Steps To Reproduce > 1. Enable SSO with Authentik as detailed in the [documentation](https://github.com/dani-garcia/vaultwarden/wiki/Enabling-SSO-support-using-OpenId-Connect#authentik). > > * Access code validity: `minutes=1` > * Access Token validity: `minutes=15` > * Refresh Token validity: `days=90` > > 2. Use Vaultwarden as usual > > ### Expected Result > Vaultwarden utilizes the refresh token provided by Authentik to keep session alive, exchanging after Access Token validity period for a new access token. User prompted for login after Refresh Token validity period. > > ### Actual Result > User is prompted for SSO login anywhere from hours to a week after initial login. 
> > ### Logs > ``` > Vaultwarden: > [2025-09-14 14:01:39.786][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None }) > [2025-09-14 14:01:39.786][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None }) > > > Authentik: > { > "token": { > "pk": 89, > "app": "authentik_providers_oauth2", > "name": "Refresh Token for 2 for user 6", > "model_name": "refreshtoken" > }, > "message": "Revoked refresh token was used", > "provider": { > "pk": 2, > "app": "authentik_providers_oauth2", > "name": "Provider for Vaultwarden", > "model_name": "oauth2provider" > }, > "http_request": { > "args": {}, > "path": "/application/o/token/", > "method": "POST", > "request_id": "<redacted>", > "user_agent": "" > } > } > ``` > > ### Screenshots or Videos > _No response_ > > ### Additional Context > Using Authentik v2025.8.1, though appeared on earlier releases.

@faustlod commented on GitHub (Feb 9, 2026):

Could you show me your Docker Compose configuration settings for SSO, your Authentik configuration, and your Traefik middleware configuration? Unfortunately, SSO is not working for me at all:

Failed to discover OpenID provider: Request failed","validationErrors":{"":["Failed to discover OpenID provider: Request failed"]}," errorModel":{"message":"Failed to discover OpenID provider: Request failed","object":"error"},"error":"","error_description":"","exceptionMessage":null,"exceptionStackTrace":null,"innerExceptionMessage":null,"object":"error"}

Thank you!

@faustlod commented on GitHub (Feb 9, 2026): Could you show me your Docker Compose configuration settings for SSO, your Authentik configuration, and your Traefik middleware configuration? Unfortunately, SSO is not working for me at all: Failed to discover OpenID provider: Request failed","validationErrors":{"":["Failed to discover OpenID provider: Request failed"]}," errorModel":{"message":"Failed to discover OpenID provider: Request failed","object":"error"},"error":"","error_description":"","exceptionMessage":null,"exceptionStackTrace":null,"innerExceptionMessage":null,"object":"error"} Thank you!

@gelbphoenix commented on GitHub (Feb 10, 2026):

> Could you show me your Docker Compose configuration settings for SSO, your Authentik configuration, and your Traefik middleware configuration? Unfortunately, SSO is not working for me at all:
>
> Failed to discover OpenID provider: Request failed","validationErrors":{"":["Failed to discover OpenID provider: Request failed"]}," errorModel":{"message":"Failed to discover OpenID provider: Request failed","object":"error"},"error":"","error_description":"","exceptionMessage":null,"exceptionStackTrace":null,"innerExceptionMessage":null,"object":"error"}
>
> Thank you!

Have you set `SSO_AUTHORITY` to your specific authority URL? If the `.well-known/openid-configuration` page is under `https://application.company/oidc/.well-known/openid-configuration`, then `SSO_AUTHORITY` must be set to `https://application.company/oidc`.

@gelbphoenix commented on GitHub (Feb 10, 2026): > Could you show me your Docker Compose configuration settings for SSO, your Authentik configuration, and your Traefik middleware configuration? Unfortunately, SSO is not working for me at all: > > Failed to discover OpenID provider: Request failed","validationErrors":{"":["Failed to discover OpenID provider: Request failed"]}," errorModel":{"message":"Failed to discover OpenID provider: Request failed","object":"error"},"error":"","error_description":"","exceptionMessage":null,"exceptionStackTrace":null,"innerExceptionMessage":null,"object":"error"} > > Thank you! Have you set the `SSO_AUTHORITY` to your specific authority URL? If the `.well-known/openid-configuration` page is under `https://application.company/oidc/.well-known/openid-configuration` then must `SSO_AUTHORITY` be set to `https://application.company/oidc`.

@faustlod commented on GitHub (Feb 16, 2026):

> > Could you show me your Docker Compose configuration settings for SSO, your Authentik configuration, and your Traefik middleware configuration? Unfortunately, SSO is not working for me at all:
> > Failed to discover OpenID provider: Request failed","validationErrors":{"":["Failed to discover OpenID provider: Request failed"]}," errorModel":{"message":"Failed to discover OpenID provider: Request failed","object":"error"},"error":"","error_description":"","exceptionMessage":null,"exceptionStackTrace":null,"innerExceptionMessage":null,"object":"error"}
> > Thank you!
>
> Have you set the SSO_AUTHORITY to your specific authority URL? If the .well-known/openid-configuration page is under https://application.company/oidc/.well-known/openid-configuration then must SSO_AUTHORITY be set to https://application.company/oidc.

Thank you for your comment!

Unfortunately, it still doesn't work. SSO_AUTHORITY was set, I use Authentik, so I set it up as follows:

OpenID Configuration in authentik: https://auth.mydomain.tld/application/o/vaultwarden/.well-known/openid-configuration

SSO_AUTHORITY: https://auth.mydomain.tld/application/o/vaultwarden/ (tried with and without the / at the end)

Unfortunately, the error still persists.

@faustlod commented on GitHub (Feb 16, 2026): > > Could you show me your Docker Compose configuration settings for SSO, your Authentik configuration, and your Traefik middleware configuration? Unfortunately, SSO is not working for me at all: > > Failed to discover OpenID provider: Request failed","validationErrors":{"":["Failed to discover OpenID provider: Request failed"]}," errorModel":{"message":"Failed to discover OpenID provider: Request failed","object":"error"},"error":"","error_description":"","exceptionMessage":null,"exceptionStackTrace":null,"innerExceptionMessage":null,"object":"error"} > > Thank you! > > Have you set the `SSO_AUTHORITY` to your specific authority URL? If the `.well-known/openid-configuration` page is under `https://application.company/oidc/.well-known/openid-configuration` then must `SSO_AUTHORITY` be set to `https://application.company/oidc`. Thank you for your comment! Unfortunately, it still doesn't work. SSO_AUTHORITY was set, I use Authentik, so I set it up as follows: OpenID Configuration in authentik: https://auth.mydomain.tld/application/o/vaultwarden/.well-known/openid-configuration SSO_AUTHORITY: https://auth.mydomain.tld/application/o/vaultwarden/ (tried with and without the / at the end) Unfortunately, the error still persists.

@ChristianKilmer commented on GitHub (Feb 18, 2026):

I just wanted to chime in to mention that I am also experiencing this exact same issue, but with Authelia. At least this confirms that the issue is in Vaultwarden and not related to an OIDC provider.

Here's a log dump, please let me know if you'd like to see this with debug-level logs or something and I'd be happy to provide.

[2026-02-18 22:08:26.139][request][INFO] POST /identity/connect/token
[2026-02-18 22:08:26.397][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client."), error_uri: None })
[2026-02-18 22:08:26.397][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client."), error_uri: None })
[2026-02-18 22:08:26.397][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized
[2026-02-18 22:08:27.383][request][INFO] POST /identity/connect/token
[2026-02-18 22:08:27.394][vaultwarden::auth][ERROR] SSO is now required, Login again
[2026-02-18 22:08:27.394][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: SSO is now required, Login again
[2026-02-18 22:08:27.394][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized
@ChristianKilmer commented on GitHub (Feb 18, 2026): I just wanted to chime in to mention that I am also experiencing this exact same issue, but with Authelia. At least this confirms that the issue is in Vaultwarden and not related to an OIDC provider. Here's a log dump, please let me know if you'd like to see this with debug-level logs or something and I'd be happy to provide. ``` [2026-02-18 22:08:26.139][request][INFO] POST /identity/connect/token [2026-02-18 22:08:26.397][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client."), error_uri: None }) [2026-02-18 22:08:26.397][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client."), error_uri: None }) [2026-02-18 22:08:26.397][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized [2026-02-18 22:08:27.383][request][INFO] POST /identity/connect/token [2026-02-18 22:08:27.394][vaultwarden::auth][ERROR] SSO is now required, Login again [2026-02-18 22:08:27.394][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: SSO is now required, Login again [2026-02-18 22:08:27.394][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized ```

@rharish101 commented on GitHub (Feb 18, 2026):

I'm facing the same issue as @0xmillennium, also with Authelia. My logs also show two identical calls for the refresh token made at the same time, which happen both with the desktop browser extension in Firefox and the Bitwarden app on Android.

@rharish101 commented on GitHub (Feb 18, 2026): I'm facing the same issue as @0xmillennium, also with Authelia. My logs also show two identical calls for the refresh token made at the same time, which happen both with the desktop browser extension in Firefox and the Bitwarden app on Android.

@rharish101 commented on GitHub (Feb 19, 2026):

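I added `SSO_AUTH_ONLY_NOT_SESSION=true`, and it seems to work so far (it has only been 1 day since I added this env var) on my Android device with Bitwarden from Google Play. Going by its name, this setting uses SSO for authentication only and not for the session lifecycle, so the Vaultwarden session presumably no longer depends on the provider's refresh token. However, the Bitwarden extension on Firefox desktop (Linux) ALWAYS stops working after I close and reopen the browser.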

EDIT: Here's my Vaultwarden config:

# Vaultwarden environment settings as posted by the commenter.
# Values in <angle brackets> are placeholders standing in for redacted settings.
DATA_FOLDER=/var/lib/vaultwarden
DOMAIN=https://vault.example.com
# Push notifications are enabled and point at the bitwarden.eu endpoints.
PUSH_ENABLED=true
PUSH_IDENTITY_URI=https://identity.bitwarden.eu
PUSH_RELAY_URI=https://api.bitwarden.eu
ROCKET_ADDRESS=0.0.0.0
ROCKET_PORT=6062
SMTP_FROM=vault@example.com
SMTP_HOST=smtp.gmail.com
SMTP_PORT=587
SMTP_USERNAME=example@gmail.com
# SSO block: the provider base URL, the client id, and the requested scopes.
SSO_AUTHORITY=https://auth.example.com
# Workaround under test in this comment: use SSO for authentication only,
# not for the session lifecycle (reading of the setting name; confirm in the Vaultwarden docs).
SSO_AUTH_ONLY_NOT_SESSION=true
SSO_CLIENT_ID=<client-id>
SSO_ENABLED=true
SSO_ONLY=true
# offline_access is the OpenID Connect scope that asks the provider for a refresh token.
SSO_SCOPES=email profile offline_access
WEB_VAULT_FOLDER=/nix/store/<hash>-vaultwarden-webvault-2026.1.0+0/share/vaultwarden/vault
# Secret values follow, shown as placeholders. The database password is embedded
# in the connection URL, so DATABASE_URL is a secret as well.
DATABASE_URL=postgres://vaultwarden:<password>@<ip-address>/vaultwarden
SMTP_PASSWORD=<password>
SSO_CLIENT_SECRET=<client-secret>
PUSH_INSTALLATION_ID=<push-id>
PUSH_INSTALLATION_KEY=<push-key>

And here's my Authelia config for Vaultwarden (in Nix format):

# Authelia OIDC client entry for Vaultwarden, as posted by the commenter.
# Values in <angle brackets> are placeholders standing in for redacted settings.
{
  client_id = "<client-id>";
  client_name = "Vaultwarden";
  # The placeholder name suggests a hash of the client secret is stored here
  # rather than the secret itself; confirm against the Authelia setup.
  client_secret = "<client-secret-hash>";
  # Callback URL on the Vaultwarden domain; presumably it has to match the
  # redirect URI Vaultwarden sends in the authorization request.
  redirect_uris = [
    "https://vault.example.com/identity/connect/oidc-signin"
  ];
  # offline_access is the scope that asks for a refresh token; it pairs with
  # the refresh_token grant type listed below.
  scopes = [
    "openid"
    "email"
    "profile"
    "offline_access"
  ];
  response_types = [ "code" ];
  # Both the authorization-code flow and refresh-token exchange are allowed for this client.
  grant_types = [
    "refresh_token"
    "authorization_code"
  ];
  pre_configured_consent_duration = "1 month";
}
@rharish101 commented on GitHub (Feb 19, 2026): I added `SSO_AUTH_ONLY_NOT_SESSION=true`, and it seems to work so far (just been 1 day since the addition of this env var) on my Android device with Bitwarden from Google Play. However, the Bitwarden extension on Firefox desktop (Linux) **ALWAYS** stops working after I close and reopen the browser. **EDIT:** Here's my Vaultwarden config: ```bash DATA_FOLDER=/var/lib/vaultwarden DOMAIN=https://vault.example.com PUSH_ENABLED=true PUSH_IDENTITY_URI=https://identity.bitwarden.eu PUSH_RELAY_URI=https://api.bitwarden.eu ROCKET_ADDRESS=0.0.0.0 ROCKET_PORT=6062 SMTP_FROM=vault@example.com SMTP_HOST=smtp.gmail.com SMTP_PORT=587 SMTP_USERNAME=example@gmail.com SSO_AUTHORITY=https://auth.example.com SSO_AUTH_ONLY_NOT_SESSION=true SSO_CLIENT_ID=<client-id> SSO_ENABLED=true SSO_ONLY=true SSO_SCOPES=email profile offline_access WEB_VAULT_FOLDER=/nix/store/<hash>-vaultwarden-webvault-2026.1.0+0/share/vaultwarden/vault DATABASE_URL=postgres://vaultwarden:<password>@<ip-address>/vaultwarden SMTP_PASSWORD=<password> SSO_CLIENT_SECRET=<client-secret> PUSH_INSTALLATION_ID=<push-id> PUSH_INSTALLATION_KEY=<push-key> ``` And here's my Authelia config for Vaultwarden (in Nix format): ```nix { client_id = "<client-id>"; client_name = "Vaultwarden"; client_secret = "<client-secret-hash>"; redirect_uris = [ "https://vault.example.com/identity/connect/oidc-signin" ]; scopes = [ "openid" "email" "profile" "offline_access" ]; response_types = [ "code" ]; grant_types = [ "refresh_token" "authorization_code" ]; pre_configured_consent_duration = "1 month"; } ```