SSO: Authentik Refresh token not valid #6311
Description
Prerequisites
- I have searched the existing Closed AND Open Issues AND Discussions
- I have searched and read the documentation
Vaultwarden Support String
Your environment (Generated via diagnostics page)
- Vaultwarden version: v1.34.3-a2ad1dc7
- Web-vault version: v2025.8.0
- OS/Arch: linux/aarch64
- Running within a container: true (Base: Debian)
- Database type: SQLite
- Database version: 3.50.2
- Uses config.json: true
- Uses a reverse proxy: true
- IP Header check: true (X-Forwarded-For)
- Internet access: true
- Internet access via a proxy: false
- DNS Check: true
- Browser/Server Time Check: true
- Server/NTP Time Check: true
- Domain Configuration Check: true
- HTTPS Check: true
- Websocket Check: false
- HTTP Response Checks: true
Config & Details (Generated via diagnostics page)
Show Config & Details
Environment settings which are overridden: DOMAIN, SIGNUPS_ALLOWED
Config:
{
"_duo_akey": null,
"_enable_duo": true,
"_enable_email_2fa": false,
"_enable_smtp": true,
"_enable_yubico": true,
"_icon_service_csp": "",
"_icon_service_url": "",
"_ip_header_enabled": true,
"_max_note_size": 10000,
"_smtp_img_src": "***:",
"admin_ratelimit_max_burst": 3,
"admin_ratelimit_seconds": 300,
"admin_session_lifetime": 20,
"admin_token": "***",
"allowed_connect_src": "",
"allowed_iframe_ancestors": "",
"attachments_folder": "data/attachments",
"auth_request_purge_schedule": "30 * * * * *",
"authenticator_disable_time_drift": false,
"data_folder": "data",
"database_conn_init": "",
"database_idle_timeout": 600,
"database_max_conns": 10,
"database_min_conns": 2,
"database_timeout": 30,
"database_url": "***************",
"db_connection_retries": 15,
"disable_2fa_remember": false,
"disable_admin_token": false,
"disable_icon_download": false,
"domain": "*****://***********************",
"domain_origin": "*****://***********************",
"domain_path": "",
"domain_set": true,
"duo_context_purge_schedule": "30 * * * * *",
"duo_host": null,
"duo_ikey": null,
"duo_skey": null,
"duo_use_iframe": false,
"email_2fa_auto_fallback": false,
"email_2fa_enforce_on_verified_invite": false,
"email_attempts_limit": 3,
"email_change_allowed": true,
"email_expiration_time": 600,
"email_token_size": 6,
"emergency_access_allowed": true,
"emergency_notification_reminder_schedule": "0 3 * * * *",
"emergency_request_timeout_schedule": "0 7 * * * *",
"enable_db_wal": true,
"enable_websocket": true,
"enforce_single_org_with_reset_pw_policy": false,
"event_cleanup_schedule": "0 10 0 * * *",
"events_days_retain": null,
"experimental_client_feature_flags": "",
"extended_logging": true,
"helo_name": null,
"hibp_api_key": null,
"http_request_block_non_global_ips": true,
"http_request_block_regex": null,
"icon_blacklist_non_global_ips": true,
"icon_blacklist_regex": null,
"icon_cache_folder": "data/icon_cache",
"icon_cache_negttl": 259200,
"icon_cache_ttl": 2592000,
"icon_download_timeout": 10,
"icon_redirect_code": 302,
"icon_service": "internal",
"incomplete_2fa_schedule": "30 * * * * *",
"incomplete_2fa_time_limit": 3,
"increase_note_size_limit": false,
"invitation_expiration_hours": 120,
"invitation_org_name": "Vaultwarden",
"invitations_allowed": true,
"ip_header": "X-Forwarded-For",
"job_poll_interval_ms": 30000,
"log_file": null,
"log_level": "info",
"log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
"login_ratelimit_max_burst": 10,
"login_ratelimit_seconds": 60,
"org_attachment_limit": null,
"org_creation_users": "",
"org_events_enabled": false,
"org_groups_enabled": false,
"password_hints_allowed": true,
"password_iterations": 600000,
"purge_incomplete_sso_nonce": "0 20 0 * * *",
"push_enabled": false,
"push_identity_uri": "https://identity.bitwarden.com",
"push_installation_id": "***",
"push_installation_key": "***",
"push_relay_uri": "https://push.bitwarden.com",
"reload_templates": false,
"require_device_email": false,
"rsa_key_filename": "data/rsa_key",
"send_purge_schedule": "0 5 * * * *",
"sendmail_command": null,
"sends_allowed": true,
"sends_folder": "data/sends",
"show_password_hint": false,
"signups_allowed": false,
"signups_domains_whitelist": "",
"signups_verify": false,
"signups_verify_resend_limit": 6,
"signups_verify_resend_time": 3600,
"smtp_accept_invalid_certs": false,
"smtp_accept_invalid_hostnames": false,
"smtp_auth_mechanism": null,
"smtp_debug": false,
"smtp_embed_images": true,
"smtp_explicit_tls": null,
"smtp_from": "*******************",
"smtp_from_name": "Vaultwarden",
"smtp_host": "********************",
"smtp_password": "***",
"smtp_port": 587,
"smtp_security": "starttls",
"smtp_ssl": null,
"smtp_timeout": 15,
"smtp_username": "************************",
"sso_allow_unknown_email_verification": false,
"sso_audience_trusted": null,
"sso_auth_only_not_session": false,
"sso_authority": "*****://************************************************",
"sso_authorize_extra_params": "",
"sso_callback_path": "*****://****************************************************",
"sso_client_cache_expiration": 0,
"sso_client_id": "****************************************",
"sso_client_secret": "***",
"sso_debug_tokens": false,
"sso_enabled": true,
"sso_master_password_policy": null,
"sso_only": true,
"sso_pkce": true,
"sso_scopes": "email profile offline_access",
"sso_signups_match_email": true,
"templates_folder": "data/templates",
"tmp_folder": "data/tmp",
"trash_auto_delete_days": null,
"trash_purge_schedule": "0 5 0 * * *",
"use_sendmail": false,
"use_syslog": false,
"user_attachment_limit": null,
"user_send_limit": null,
"web_vault_enabled": true,
"web_vault_folder": "web-vault/",
"yubico_client_id": null,
"yubico_secret_key": null,
"yubico_server": null
}Vaultwarden Build Version
1.34.3-a2ad1dc7
Deployment method
Official Container Image
Custom deployment method
No response
Reverse Proxy
traefik v3.1.2
Host/Server Operating System
Linux
Operating System Version
Ubuntu 25.04
Clients
Desktop, Browser Extension, Android
Client Version
Desktop - 2025.7.0, Firefox - 2025.8.2, Android - 2025.8.1
Steps To Reproduce
- Enable SSO with Authentik as detailed in the documentation.
- Access code validity:
minutes=1 - Access Token validity:
minutes=15 - Refresh Token validity:
days=90
- Use Vaultwarden as usual
Expected Result
Vaultwarden utilizes the refresh token provided by Authentik to keep session alive, exchanging after Access Token validity period for a new access token. User prompted for login after Refresh Token validity period.
Actual Result
User is prompted for SSO login anywhere from hours to a week after initial login.
Logs
Vaultwarden:
[2025-09-14 14:01:39.786][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None })
[2025-09-14 14:01:39.786][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None })
Authentik:
{
"token": {
"pk": 89,
"app": "authentik_providers_oauth2",
"name": "Refresh Token for 2 for user 6",
"model_name": "refreshtoken"
},
"message": "Revoked refresh token was used",
"provider": {
"pk": 2,
"app": "authentik_providers_oauth2",
"name": "Provider for Vaultwarden",
"model_name": "oauth2provider"
},
"http_request": {
"args": {},
"path": "/application/o/token/",
"method": "POST",
"request_id": "<redacted>",
"user_agent": ""
}
}
Screenshots or Videos
No response
Additional Context
Using Authentik v2025.8.1, though appeared on earlier releases.