[GH-ISSUE #6311] SSO: Authentik Refresh token not valid #2398

Open
opened 2026-03-03 02:17:56 +03:00 by kerem · 27 comments

Originally created by @samclark2015 on GitHub (Sep 22, 2025).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/6311

Prerequisites

Vaultwarden Support String

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.34.3-a2ad1dc7
  • Web-vault version: v2025.8.0
  • OS/Arch: linux/aarch64
  • Running within a container: true (Base: Debian)
  • Database type: SQLite
  • Database version: 3.50.2
  • Uses config.json: true
  • Uses a reverse proxy: true
  • IP Header check: true (X-Forwarded-For)
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • Browser/Server Time Check: true
  • Server/NTP Time Check: true
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Websocket Check: false
  • HTTP Response Checks: true

Config & Details (Generated via diagnostics page)

Show Config & Details

Environment settings which are overridden: DOMAIN, SIGNUPS_ALLOWED

Config:

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": false,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "***:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_idle_timeout": 600,
  "database_max_conns": 10,
  "database_min_conns": 2,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://***********************",
  "domain_origin": "*****://***********************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Forwarded-For",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "purge_incomplete_sso_nonce": "0 20 0 * * *",
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "*******************",
  "smtp_from_name": "Vaultwarden",
  "smtp_host": "********************",
  "smtp_password": "***",
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "************************",
  "sso_allow_unknown_email_verification": false,
  "sso_audience_trusted": null,
  "sso_auth_only_not_session": false,
  "sso_authority": "*****://************************************************",
  "sso_authorize_extra_params": "",
  "sso_callback_path": "*****://****************************************************",
  "sso_client_cache_expiration": 0,
  "sso_client_id": "****************************************",
  "sso_client_secret": "***",
  "sso_debug_tokens": false,
  "sso_enabled": true,
  "sso_master_password_policy": null,
  "sso_only": true,
  "sso_pkce": true,
  "sso_scopes": "email profile offline_access",
  "sso_signups_match_email": true,
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Vaultwarden Build Version

1.34.3-a2ad1dc7

Deployment method

Official Container Image

Custom deployment method

No response

Reverse Proxy

traefik v3.1.2

Host/Server Operating System

Linux

Operating System Version

Ubuntu 25.04

Clients

Desktop, Browser Extension, Android

Client Version

Desktop - 2025.7.0, Firefox - 2025.8.2, Android - 2025.8.1

Steps To Reproduce

  1. Enable SSO with Authentik as detailed in the documentation.
  • Access code validity: minutes=1
  • Access Token validity: minutes=15
  • Refresh Token validity: days=90
  2. Use Vaultwarden as usual

Expected Result

Vaultwarden uses the refresh token provided by Authentik to keep the session alive, exchanging it for a new access token once the Access Token validity period has passed. The user is prompted to log in again only after the Refresh Token validity period has passed.

Actual Result

User is prompted for SSO login anywhere from hours to a week after initial login.

Logs

Vaultwarden:
[2025-09-14 14:01:39.786][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None })
[2025-09-14 14:01:39.786][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None })


Authentik:
{
    "token": {
        "pk": 89,
        "app": "authentik_providers_oauth2",
        "name": "Refresh Token for 2 for user 6",
        "model_name": "refreshtoken"
    },
    "message": "Revoked refresh token was used",
    "provider": {
        "pk": 2,
        "app": "authentik_providers_oauth2",
        "name": "Provider for Vaultwarden",
        "model_name": "oauth2provider"
    },
    "http_request": {
        "args": {},
        "path": "/application/o/token/",
        "method": "POST",
        "request_id": "<redacted>",
        "user_agent": ""
    }
}

Screenshots or Videos

No response

Additional Context

Using Authentik v2025.8.1, though appeared on earlier releases.

Originally created by @samclark2015 on GitHub (Sep 22, 2025). Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/6311 ### Prerequisites - [x] I have searched the existing **Closed _AND_ Open** [Issues](https://github.com/dani-garcia/vaultwarden/issues?q=is%3Aissue%20) **_AND_** [Discussions](https://github.com/dani-garcia/vaultwarden/discussions?discussions_q=) - [x] I have searched and read the [documentation](https://github.com/dani-garcia/vaultwarden/wiki/) ### Vaultwarden Support String ### Your environment (Generated via diagnostics page) * Vaultwarden version: v1.34.3-a2ad1dc7 * Web-vault version: v2025.8.0 * OS/Arch: linux/aarch64 * Running within a container: true (Base: Debian) * Database type: SQLite * Database version: 3.50.2 * Uses config.json: true * Uses a reverse proxy: true * IP Header check: true (X-Forwarded-For) * Internet access: true * Internet access via a proxy: false * DNS Check: true * Browser/Server Time Check: true * Server/NTP Time Check: true * Domain Configuration Check: true * HTTPS Check: true * Websocket Check: false * HTTP Response Checks: true ### Config & Details (Generated via diagnostics page) <details><summary>Show Config & Details</summary> **Environment settings which are overridden:** DOMAIN, SIGNUPS_ALLOWED **Config:** ```json { "_duo_akey": null, "_enable_duo": true, "_enable_email_2fa": false, "_enable_smtp": true, "_enable_yubico": true, "_icon_service_csp": "", "_icon_service_url": "", "_ip_header_enabled": true, "_max_note_size": 10000, "_smtp_img_src": "***:", "admin_ratelimit_max_burst": 3, "admin_ratelimit_seconds": 300, "admin_session_lifetime": 20, "admin_token": "***", "allowed_connect_src": "", "allowed_iframe_ancestors": "", "attachments_folder": "data/attachments", "auth_request_purge_schedule": "30 * * * * *", "authenticator_disable_time_drift": false, "data_folder": "data", "database_conn_init": "", "database_idle_timeout": 600, "database_max_conns": 10, "database_min_conns": 2, 
"database_timeout": 30, "database_url": "***************", "db_connection_retries": 15, "disable_2fa_remember": false, "disable_admin_token": false, "disable_icon_download": false, "domain": "*****://***********************", "domain_origin": "*****://***********************", "domain_path": "", "domain_set": true, "duo_context_purge_schedule": "30 * * * * *", "duo_host": null, "duo_ikey": null, "duo_skey": null, "duo_use_iframe": false, "email_2fa_auto_fallback": false, "email_2fa_enforce_on_verified_invite": false, "email_attempts_limit": 3, "email_change_allowed": true, "email_expiration_time": 600, "email_token_size": 6, "emergency_access_allowed": true, "emergency_notification_reminder_schedule": "0 3 * * * *", "emergency_request_timeout_schedule": "0 7 * * * *", "enable_db_wal": true, "enable_websocket": true, "enforce_single_org_with_reset_pw_policy": false, "event_cleanup_schedule": "0 10 0 * * *", "events_days_retain": null, "experimental_client_feature_flags": "", "extended_logging": true, "helo_name": null, "hibp_api_key": null, "http_request_block_non_global_ips": true, "http_request_block_regex": null, "icon_blacklist_non_global_ips": true, "icon_blacklist_regex": null, "icon_cache_folder": "data/icon_cache", "icon_cache_negttl": 259200, "icon_cache_ttl": 2592000, "icon_download_timeout": 10, "icon_redirect_code": 302, "icon_service": "internal", "incomplete_2fa_schedule": "30 * * * * *", "incomplete_2fa_time_limit": 3, "increase_note_size_limit": false, "invitation_expiration_hours": 120, "invitation_org_name": "Vaultwarden", "invitations_allowed": true, "ip_header": "X-Forwarded-For", "job_poll_interval_ms": 30000, "log_file": null, "log_level": "info", "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f", "login_ratelimit_max_burst": 10, "login_ratelimit_seconds": 60, "org_attachment_limit": null, "org_creation_users": "", "org_events_enabled": false, "org_groups_enabled": false, "password_hints_allowed": true, "password_iterations": 600000, 
"purge_incomplete_sso_nonce": "0 20 0 * * *", "push_enabled": false, "push_identity_uri": "https://identity.bitwarden.com", "push_installation_id": "***", "push_installation_key": "***", "push_relay_uri": "https://push.bitwarden.com", "reload_templates": false, "require_device_email": false, "rsa_key_filename": "data/rsa_key", "send_purge_schedule": "0 5 * * * *", "sendmail_command": null, "sends_allowed": true, "sends_folder": "data/sends", "show_password_hint": false, "signups_allowed": false, "signups_domains_whitelist": "", "signups_verify": false, "signups_verify_resend_limit": 6, "signups_verify_resend_time": 3600, "smtp_accept_invalid_certs": false, "smtp_accept_invalid_hostnames": false, "smtp_auth_mechanism": null, "smtp_debug": false, "smtp_embed_images": true, "smtp_explicit_tls": null, "smtp_from": "*******************", "smtp_from_name": "Vaultwarden", "smtp_host": "********************", "smtp_password": "***", "smtp_port": 587, "smtp_security": "starttls", "smtp_ssl": null, "smtp_timeout": 15, "smtp_username": "************************", "sso_allow_unknown_email_verification": false, "sso_audience_trusted": null, "sso_auth_only_not_session": false, "sso_authority": "*****://************************************************", "sso_authorize_extra_params": "", "sso_callback_path": "*****://****************************************************", "sso_client_cache_expiration": 0, "sso_client_id": "****************************************", "sso_client_secret": "***", "sso_debug_tokens": false, "sso_enabled": true, "sso_master_password_policy": null, "sso_only": true, "sso_pkce": true, "sso_scopes": "email profile offline_access", "sso_signups_match_email": true, "templates_folder": "data/templates", "tmp_folder": "data/tmp", "trash_auto_delete_days": null, "trash_purge_schedule": "0 5 0 * * *", "use_sendmail": false, "use_syslog": false, "user_attachment_limit": null, "user_send_limit": null, "web_vault_enabled": true, "web_vault_folder": "web-vault/", 
"yubico_client_id": null, "yubico_secret_key": null, "yubico_server": null } ``` </details> ### Vaultwarden Build Version 1.34.3-a2ad1dc7 ### Deployment method Official Container Image ### Custom deployment method _No response_ ### Reverse Proxy traefik v3.1.2 ### Host/Server Operating System Linux ### Operating System Version Ubuntu 25.04 ### Clients Desktop, Browser Extension, Android ### Client Version Desktop - 2025.7.0, Firefox - 2025.8.2, Android - 2025.8.1 ### Steps To Reproduce 1. Enable SSO with Authentik as detailed in the [documentation](https://github.com/dani-garcia/vaultwarden/wiki/Enabling-SSO-support-using-OpenId-Connect#authentik). - Access code validity: `minutes=1` - Access Token validity: `minutes=15` - Refresh Token validity: `days=90` 2. Use Vaultwarden as usual ### Expected Result Vaultwarden utilizes the refresh token provided by Authentik to keep session alive, exchanging after Access Token validity period for a new access token. User prompted for login after Refresh Token validity period. ### Actual Result User is prompted for SSO login anywhere from hours to a week after initial login. 
### Logs ```text Vaultwarden: [2025-09-14 14:01:39.786][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None }) [2025-09-14 14:01:39.786][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None }) Authentik: { "token": { "pk": 89, "app": "authentik_providers_oauth2", "name": "Refresh Token for 2 for user 6", "model_name": "refreshtoken" }, "message": "Revoked refresh token was used", "provider": { "pk": 2, "app": "authentik_providers_oauth2", "name": "Provider for Vaultwarden", "model_name": "oauth2provider" }, "http_request": { "args": {}, "path": "/application/o/token/", "method": "POST", "request_id": "<redacted>", "user_agent": "" } } ``` ### Screenshots or Videos _No response_ ### Additional Context Using Authentik v2025.8.1, though appeared on earlier releases.

@Timshel commented on GitHub (Oct 21, 2025):

Hey,
Sorry, I missed your issue.
This usually happens when two refresh_token calls are made at the same time.
If you can still reproduce it, can you check whether that is the case?

<!-- gh-comment-id:3427695993 --> @Timshel commented on GitHub (Oct 21, 2025): Hey, Sorry missed your issue. This usually happened when two `refresh_token` calls are made at the same time. If you can still reproduce can you check if it's the case ?

@samclark2015 commented on GitHub (Oct 22, 2025):

Thanks! I enabled SSO_AUTH_ONLY_NOT_SESSION, which resolved things. I'd be
happy to disable it again and provide some info, though.

What would be useful here? Authentik logs?

On Tue, Oct 21, 2025, 11:50 AM Timshel @.***> wrote:

Timshel left a comment (dani-garcia/vaultwarden#6311)
https://github.com/dani-garcia/vaultwarden/issues/6311#issuecomment-3427695993

Hey,
Sorry missed your issue.
This usually happened when two refresh_token calls are made at the same
time.
If you can still reproduce can you check if it's the case ?



<!-- gh-comment-id:3433336138 --> @samclark2015 commented on GitHub (Oct 22, 2025): Thanks! I enabled `SSO_AUTH_ONLY_NOT_SESSION` which resolved things. I'd be happy to disable and give some info, though. What would be useful here? Authentik logs? On Tue, Oct 21, 2025, 11:50 AM Timshel ***@***.***> wrote: > *Timshel* left a comment (dani-garcia/vaultwarden#6311) > <https://github.com/dani-garcia/vaultwarden/issues/6311#issuecomment-3427695993> > > Hey, > Sorry missed your issue. > This usually happened when two refresh_token calls are made at the same > time. > If you can still reproduce can you check if it's the case ? > > — > Reply to this email directly, view it on GitHub > <https://github.com/dani-garcia/vaultwarden/issues/6311#issuecomment-3427695993>, > or unsubscribe > <https://github.com/notifications/unsubscribe-auth/AAMQEWZBG6WCHZNEQGAJEO33YZP5BAVCNFSM6AAAAACHFO6P4GVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZTIMRXGY4TKOJZGM> > . > You are receiving this because you authored the thread.Message ID: > ***@***.***> >

@Timshel commented on GitHub (Oct 22, 2025):

More Vaultwarden server log before the issue is triggered might help :)

<!-- gh-comment-id:3433362614 --> @Timshel commented on GitHub (Oct 22, 2025): More Vaultwarden server log before the issue is triggered might help :)

@samclark2015 commented on GitHub (Oct 22, 2025):

Just toggled that setting & will report back with logs when it happens.

<!-- gh-comment-id:3433556090 --> @samclark2015 commented on GitHub (Oct 22, 2025): Just toggled that setting & will report back with logs when it happens.

@samclark2015 commented on GitHub (Oct 23, 2025):

Here is a longer log. Multiple clients authenticated in this span, so not sure how helpful this is to trace duplicate calls... Happy to provide any other info that would be useful!

[2025-10-22 22:23:38.203][request][INFO] POST /identity/connect/token
[2025-10-22 22:23:45.353][response][INFO] (login) POST /identity/connect/token => 200 OK
[2025-10-22 22:23:45.899][request][INFO] GET /notifications/hub?access_token=<redacted>
[2025-10-22 22:23:45.899][vaultwarden::api::notifications][INFO] Accepting Rocket WS connection from 172.17.0.1
[2025-10-22 22:23:45.899][response][INFO] (websockets_hub) GET /notifications/hub?<data..> => 200 OK
[2025-10-22 22:27:36.462][request][INFO] GET /api/config
[2025-10-22 22:27:36.462][response][INFO] (config) GET /api/config => 200 OK
[2025-10-22 22:32:43.576][request][INFO] GET /api/config
[2025-10-22 22:32:43.576][response][INFO] (config) GET /api/config => 200 OK
[2025-10-22 22:34:56.980][request][INFO] GET /api/config
[2025-10-22 22:34:56.981][response][INFO] (config) GET /api/config => 200 OK
[2025-10-22 22:42:05.131][request][INFO] GET /api/config
[2025-10-22 22:42:05.131][response][INFO] (config) GET /api/config => 200 OK
[2025-10-22 22:43:08.245][request][INFO] GET /api/config
[2025-10-22 22:43:08.245][response][INFO] (config) GET /api/config => 200 OK
[2025-10-22 22:45:53.123][request][INFO] GET /api/config
[2025-10-22 22:45:53.123][response][INFO] (config) GET /api/config => 200 OK
[2025-10-22 22:48:28.794][request][INFO] GET /api/config
[2025-10-22 22:48:28.794][response][INFO] (config) GET /api/config => 200 OK
[2025-10-22 22:58:44.778][request][INFO] GET /api/config
[2025-10-22 22:58:44.778][response][INFO] (config) GET /api/config => 200 OK
[2025-10-22 23:04:00.410][request][INFO] GET /api/config
[2025-10-22 23:04:00.411][response][INFO] (config) GET /api/config => 200 OK
[2025-10-22 23:08:37.151][request][INFO] GET /api/config
[2025-10-22 23:08:37.151][response][INFO] (config) GET /api/config => 200 OK
[2025-10-22 23:13:37.632][request][INFO] GET /api/config
[2025-10-22 23:13:37.633][response][INFO] (config) GET /api/config => 200 OK
[2025-10-22 23:40:34.141][request][INFO] GET /api/config
[2025-10-22 23:40:34.141][response][INFO] (config) GET /api/config => 200 OK
[2025-10-22 23:51:47.423][request][INFO] GET /api/config
[2025-10-22 23:51:47.423][response][INFO] (config) GET /api/config => 200 OK
[2025-10-22 23:54:16.289][vaultwarden::api::notifications][INFO] Closing WS connection from 172.17.0.1
[2025-10-22 23:58:29.123][request][INFO] POST /identity/connect/token
[2025-10-22 23:58:36.587][response][INFO] (login) POST /identity/connect/token => 200 OK
[2025-10-22 23:58:37.092][request][INFO] GET /notifications/hub?access_token=<redacted>
[2025-10-22 23:58:37.092][vaultwarden::api::notifications][INFO] Accepting Rocket WS connection from 172.17.0.1
[2025-10-22 23:58:37.092][response][INFO] (websockets_hub) GET /notifications/hub?<data..> => 200 OK
[2025-10-23 00:07:01.375][vaultwarden::api::notifications][INFO] Closing WS connection from 172.17.0.1
[2025-10-23 00:07:01.885][request][INFO] GET /api/config
[2025-10-23 00:07:01.885][response][INFO] (config) GET /api/config => 200 OK
[2025-10-23 00:07:01.886][request][INFO] POST /identity/connect/token
[2025-10-23 00:07:09.380][response][INFO] (login) POST /identity/connect/token => 200 OK
[2025-10-23 00:07:09.532][request][INFO] GET /api/sync?excludeDomains=true
[2025-10-23 00:07:09.577][response][INFO] (sync) GET /api/sync?<data..> => 200 OK
[2025-10-23 00:22:31.939][request][INFO] POST /identity/connect/token
[2025-10-23 00:22:39.173][response][INFO] (login) POST /identity/connect/token => 200 OK
[2025-10-23 00:22:39.299][request][INFO] GET /api/sync?excludeDomains=true
[2025-10-23 00:22:39.341][response][INFO] (sync) GET /api/sync?<data..> => 200 OK
[2025-10-23 00:33:07.870][request][INFO] GET /api/config
[2025-10-23 00:33:07.870][response][INFO] (config) GET /api/config => 200 OK
[2025-10-23 00:38:38.169][request][INFO] GET /api/config
[2025-10-23 00:38:38.169][response][INFO] (config) GET /api/config => 200 OK
[2025-10-23 00:46:34.358][request][INFO] GET /api/config
[2025-10-23 00:46:34.358][response][INFO] (config) GET /api/config => 200 OK
[2025-10-23 03:34:24.331][request][INFO] GET /api/config
[2025-10-23 03:34:24.331][response][INFO] (config) GET /api/config => 200 OK
[2025-10-23 03:55:04.179][request][INFO] GET /api/config
[2025-10-23 03:55:04.179][response][INFO] (config) GET /api/config => 200 OK
[2025-10-23 06:52:40.602][request][INFO] POST /identity/connect/token
[2025-10-23 06:52:48.281][response][INFO] (login) POST /identity/connect/token => 200 OK
[2025-10-23 08:01:05.337][request][INFO] POST /identity/connect/token
[2025-10-23 08:01:10.431][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None })
[2025-10-23 08:01:10.431][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None })
[2025-10-23 08:01:10.431][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized
[2025-10-23 08:33:02.418][request][INFO] POST /identity/connect/token
[2025-10-23 08:33:07.584][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None })
[2025-10-23 08:33:07.584][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None })
[2025-10-23 08:33:07.584][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized
[2025-10-23 08:49:57.286][request][INFO] POST /identity/connect/token
[2025-10-23 08:50:02.333][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None })
[2025-10-23 08:50:02.333][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None })
[2025-10-23 08:50:02.333][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized
[2025-10-23 09:02:37.420][request][INFO] GET /api/config
[2025-10-23 09:02:37.420][response][INFO] (config) GET /api/config => 200 OK
[2025-10-23 09:27:32.427][request][INFO] POST /identity/connect/token
[2025-10-23 09:27:37.337][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None })
[2025-10-23 09:27:37.337][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None })
[2025-10-23 09:27:37.337][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized
[2025-10-23 10:02:05.245][request][INFO] POST /identity/connect/token
[2025-10-23 10:02:10.366][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None })
[2025-10-23 10:02:10.367][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None })
[2025-10-23 10:02:10.367][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized
[2025-10-23 10:54:59.161][request][INFO] POST /identity/connect/token
[2025-10-23 10:55:04.236][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None })
[2025-10-23 10:55:04.237][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None })
[2025-10-23 10:55:04.237][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized
[2025-10-23 11:12:22.196][request][INFO] POST /identity/connect/token
[2025-10-23 11:12:27.178][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None })
[2025-10-23 11:12:27.178][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None })
[2025-10-23 11:12:27.178][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized
[2025-10-23 11:56:05.175][request][INFO] POST /identity/connect/token
[2025-10-23 11:56:10.265][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None })
[2025-10-23 11:56:10.265][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None })
[2025-10-23 11:56:10.265][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized
[2025-10-23 12:26:05.232][request][INFO] POST /identity/connect/token
[2025-10-23 12:26:10.912][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None })
[2025-10-23 12:26:10.912][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None })
[2025-10-23 12:26:10.912][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized
[2025-10-23 12:26:12.046][request][INFO] GET /api/config
[2025-10-23 12:26:12.047][response][INFO] (config) GET /api/config => 200 OK
[2025-10-23 12:26:12.052][request][INFO] GET /api/devices/knowndevice
[2025-10-23 12:26:12.053][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK
<!-- gh-comment-id:3437571623 --> @samclark2015 commented on GitHub (Oct 23, 2025): Here is a longer log. Multiple clients authenticated in this span, so not sure how helpful this is to trace duplicate calls... Happy to provide any other info that would be useful! ``` [2025-10-22 22:23:38.203][request][INFO] POST /identity/connect/token [2025-10-22 22:23:45.353][response][INFO] (login) POST /identity/connect/token => 200 OK [2025-10-22 22:23:45.899][request][INFO] GET /notifications/hub?access_token=<redacted> [2025-10-22 22:23:45.899][vaultwarden::api::notifications][INFO] Accepting Rocket WS connection from 172.17.0.1 [2025-10-22 22:23:45.899][response][INFO] (websockets_hub) GET /notifications/hub?<data..> => 200 OK [2025-10-22 22:27:36.462][request][INFO] GET /api/config [2025-10-22 22:27:36.462][response][INFO] (config) GET /api/config => 200 OK [2025-10-22 22:32:43.576][request][INFO] GET /api/config [2025-10-22 22:32:43.576][response][INFO] (config) GET /api/config => 200 OK [2025-10-22 22:34:56.980][request][INFO] GET /api/config [2025-10-22 22:34:56.981][response][INFO] (config) GET /api/config => 200 OK [2025-10-22 22:42:05.131][request][INFO] GET /api/config [2025-10-22 22:42:05.131][response][INFO] (config) GET /api/config => 200 OK [2025-10-22 22:43:08.245][request][INFO] GET /api/config [2025-10-22 22:43:08.245][response][INFO] (config) GET /api/config => 200 OK [2025-10-22 22:45:53.123][request][INFO] GET /api/config [2025-10-22 22:45:53.123][response][INFO] (config) GET /api/config => 200 OK [2025-10-22 22:48:28.794][request][INFO] GET /api/config [2025-10-22 22:48:28.794][response][INFO] (config) GET /api/config => 200 OK [2025-10-22 22:58:44.778][request][INFO] GET /api/config [2025-10-22 22:58:44.778][response][INFO] (config) GET /api/config => 200 OK [2025-10-22 23:04:00.410][request][INFO] GET /api/config [2025-10-22 23:04:00.411][response][INFO] (config) GET /api/config => 200 OK [2025-10-22 23:08:37.151][request][INFO] GET /api/config 
[2025-10-22 23:08:37.151][response][INFO] (config) GET /api/config => 200 OK [2025-10-22 23:13:37.632][request][INFO] GET /api/config [2025-10-22 23:13:37.633][response][INFO] (config) GET /api/config => 200 OK [2025-10-22 23:40:34.141][request][INFO] GET /api/config [2025-10-22 23:40:34.141][response][INFO] (config) GET /api/config => 200 OK [2025-10-22 23:51:47.423][request][INFO] GET /api/config [2025-10-22 23:51:47.423][response][INFO] (config) GET /api/config => 200 OK [2025-10-22 23:54:16.289][vaultwarden::api::notifications][INFO] Closing WS connection from 172.17.0.1 [2025-10-22 23:58:29.123][request][INFO] POST /identity/connect/token [2025-10-22 23:58:36.587][response][INFO] (login) POST /identity/connect/token => 200 OK [2025-10-22 23:58:37.092][request][INFO] GET /notifications/hub?access_token=<redacted> [2025-10-22 23:58:37.092][vaultwarden::api::notifications][INFO] Accepting Rocket WS connection from 172.17.0.1 [2025-10-22 23:58:37.092][response][INFO] (websockets_hub) GET /notifications/hub?<data..> => 200 OK [2025-10-23 00:07:01.375][vaultwarden::api::notifications][INFO] Closing WS connection from 172.17.0.1 [2025-10-23 00:07:01.885][request][INFO] GET /api/config [2025-10-23 00:07:01.885][response][INFO] (config) GET /api/config => 200 OK [2025-10-23 00:07:01.886][request][INFO] POST /identity/connect/token [2025-10-23 00:07:09.380][response][INFO] (login) POST /identity/connect/token => 200 OK [2025-10-23 00:07:09.532][request][INFO] GET /api/sync?excludeDomains=true [2025-10-23 00:07:09.577][response][INFO] (sync) GET /api/sync?<data..> => 200 OK [2025-10-23 00:22:31.939][request][INFO] POST /identity/connect/token [2025-10-23 00:22:39.173][response][INFO] (login) POST /identity/connect/token => 200 OK [2025-10-23 00:22:39.299][request][INFO] GET /api/sync?excludeDomains=true [2025-10-23 00:22:39.341][response][INFO] (sync) GET /api/sync?<data..> => 200 OK [2025-10-23 00:33:07.870][request][INFO] GET /api/config [2025-10-23 
00:33:07.870][response][INFO] (config) GET /api/config => 200 OK [2025-10-23 00:38:38.169][request][INFO] GET /api/config [2025-10-23 00:38:38.169][response][INFO] (config) GET /api/config => 200 OK [2025-10-23 00:46:34.358][request][INFO] GET /api/config [2025-10-23 00:46:34.358][response][INFO] (config) GET /api/config => 200 OK [2025-10-23 03:34:24.331][request][INFO] GET /api/config [2025-10-23 03:34:24.331][response][INFO] (config) GET /api/config => 200 OK [2025-10-23 03:55:04.179][request][INFO] GET /api/config [2025-10-23 03:55:04.179][response][INFO] (config) GET /api/config => 200 OK [2025-10-23 06:52:40.602][request][INFO] POST /identity/connect/token [2025-10-23 06:52:48.281][response][INFO] (login) POST /identity/connect/token => 200 OK [2025-10-23 08:01:05.337][request][INFO] POST /identity/connect/token [2025-10-23 08:01:10.431][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None }) [2025-10-23 08:01:10.431][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None }) [2025-10-23 08:01:10.431][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized [2025-10-23 08:33:02.418][request][INFO] POST /identity/connect/token [2025-10-23 08:33:07.584][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: 
invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None }) [2025-10-23 08:33:07.584][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None }) [2025-10-23 08:33:07.584][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized [2025-10-23 08:49:57.286][request][INFO] POST /identity/connect/token [2025-10-23 08:50:02.333][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None }) [2025-10-23 08:50:02.333][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None }) [2025-10-23 08:50:02.333][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized [2025-10-23 09:02:37.420][request][INFO] GET /api/config [2025-10-23 09:02:37.420][response][INFO] (config) GET /api/config => 200 OK [2025-10-23 09:27:32.427][request][INFO] POST /identity/connect/token 
[2025-10-23 09:27:37.337][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None }) [2025-10-23 09:27:37.337][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None }) [2025-10-23 09:27:37.337][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized [2025-10-23 10:02:05.245][request][INFO] POST /identity/connect/token [2025-10-23 10:02:10.366][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None }) [2025-10-23 10:02:10.367][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None }) [2025-10-23 10:02:10.367][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized [2025-10-23 10:54:59.161][request][INFO] POST 
/identity/connect/token [2025-10-23 10:55:04.236][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None }) [2025-10-23 10:55:04.237][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None }) [2025-10-23 10:55:04.237][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized [2025-10-23 11:12:22.196][request][INFO] POST /identity/connect/token [2025-10-23 11:12:27.178][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None }) [2025-10-23 11:12:27.178][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None }) [2025-10-23 11:12:27.178][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized [2025-10-23 
11:56:05.175][request][INFO] POST /identity/connect/token [2025-10-23 11:56:10.265][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None }) [2025-10-23 11:56:10.265][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None }) [2025-10-23 11:56:10.265][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized [2025-10-23 12:26:05.232][request][INFO] POST /identity/connect/token [2025-10-23 12:26:10.912][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None }) [2025-10-23 12:26:10.912][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None }) [2025-10-23 12:26:10.912][response][INFO] (login) POST /identity/connect/token => 401 
Unauthorized [2025-10-23 12:26:12.046][request][INFO] GET /api/config [2025-10-23 12:26:12.047][response][INFO] (config) GET /api/config => 200 OK [2025-10-23 12:26:12.052][request][INFO] GET /api/devices/knowndevice [2025-10-23 12:26:12.053][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK ```

@Timshel commented on GitHub (Oct 27, 2025):

Hey,
So it does not look like the use case I was speaking of, since it used to manifest with two almost simultaneous `POST /identity/connect/token` requests, with only one of the two working.

With a 90-day refresh token validity I'm not sure what could be the source of the error :(.
Would you have a way to track in Authentik when the token was revoked?

<!-- gh-comment-id:3452704078 --> @Timshel commented on GitHub (Oct 27, 2025): Hey, So it does not look like the use case I was speaking of, since it used to manifest with two almost simultaneous `POST /identity/connect/token` with only one of the two working. With a 90days refresh token validity I'm not sure what could be the source of the error :(. Would you have a way to track in Authentik when the token was revoked ?

@controlaltnerd commented on GitHub (Nov 12, 2025):

I seem to be having a similar issue. In my case, I'm getting the error `[ERROR] Unable to refresh login credentials: Access token is close to expiration but we have no refresh token`. I have access token expiration set to 10 minutes, and after I've logged in to Vaultwarden on either the web or through the Chrome extension, about 10 minutes later both will sign me out and the error will be logged.

Refresh token lifespan is set to 30 days, and I am able to verify that the refresh token is actually being passed from Authentik to the web frontend so my best guess at the moment is that somehow the access token is being used in place of the refresh token, which would suggest Vaultwarden is attempting to authenticate again rather than refresh. I could eliminate session handling and restrict it to authentication only, but I'm unsure of what the result would be. Would the session just persist for the duration of the Authentik login session?

<!-- gh-comment-id:3519813364 --> @controlaltnerd commented on GitHub (Nov 12, 2025): I seem to be having a similar issue. In my case, I'm getting the error `[ERROR] Unable to refresh login credentials: Access token is close to expiration but we have no refresh token`. I have access token expiration set to 10 minutes, and after I've logged in to Vaultwarden on either the web or through the Chrome extension, about 10 minutes later both will sign me out and the error will be logged. Refresh token lifespan is set to 30 days, and I am able to verify that the refresh token is actually being passed from Authentik to the web frontend so my best guess at the moment is that somehow the access token is being used in place of the refresh token, which would suggest Vaultwarden is attempting to authenticate again rather than refresh. I could eliminate session handling and restrict it to authentication only, but I'm unsure of what the result would be. Would the session just persist for the duration of the Authentik login session?

@0xmillennium commented on GitHub (Jan 21, 2026):

@Timshel You mentioned earlier that this invalid_grant loop might be caused by two refresh_token calls happening at the same time. I am experiencing a specific issue with OIDC (Authelia) where the session is killed exactly at the 1-hour mark (access token expiration) due to a race condition in the refresh flow.

Environment:

Server: Vaultwarden (Docker)

OIDC Provider: Authelia

Client: Bitwarden Browser Extension (Desktop/Mobile apps work fine)

Auth Method: client_secret_basic (since Vaultwarden does not seem to support client_secret_post yet)

The Issue:

I am encountering a session termination issue with the Bitwarden Browser Extension when using OIDC (Authelia). The logs confirm that the client is firing two identical refresh requests at the exact same millisecond.

  1. Request A is processed successfully (Token A → Token B).
  2. Request B (processed milliseconds later) tries to use Token A again.
  3. Authelia detects "Token Reuse," assumes theft, and revokes the entire token family.
  4. The session is immediately killed (invalid_grant).

Logs:

Notice the timestamp 04:25:20.652. Two POST requests are initiated simultaneously.

vaultwarden  | [2026-01-21 04:25:10.972][request][INFO] GET /api/config
vaultwarden  | [2026-01-21 04:25:10.972][response][INFO] (config) GET /api/config => 200 OK
# --- THE RACE CONDITION STARTS HERE ---
vaultwarden  | [2026-01-21 04:25:20.652][request][INFO] POST /identity/connect/token  <-- Request #1
vaultwarden  | [2026-01-21 04:25:20.652][request][INFO] POST /identity/connect/token  <-- Request #2 (DUPLICATE at exact same ms)
# --------------------------------------
vaultwarden  | [2026-01-21 04:25:21.335][response][INFO] (login) POST /identity/connect/token => 200 OK  <-- Success (Token Rotated)
vaultwarden  | [2026-01-21 04:25:21.397][request][INFO] GET /api/config
vaultwarden  | [2026-01-21 04:25:21.397][response][INFO] (config) GET /api/config => 200 OK
# --- THE FAILURE ---
vaultwarden  | [2026-01-21 04:25:21.633][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant... or refresh token is invalid..."), error_uri: None })
vaultwarden  | [2026-01-21 04:25:21.633][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed
vaultwarden  | [2026-01-21 04:25:21.633][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized  <-- Session Killed due to reuse
# -------------------
vaultwarden  | [2026-01-21 04:25:21.744][request][INFO] GET /api/devices/knowndevice
vaultwarden  | [2026-01-21 04:25:21.746][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK
vaultwarden  | [2026-01-21 04:25:22.055][request][INFO] GET /api/config
vaultwarden  | [2026-01-21 04:25:22.055][response][INFO] (config) GET /api/config => 200 OK
vaultwarden  | [2026-01-21 04:25:22.056][request][INFO] POST /identity/connect/token
vaultwarden  | [2026-01-21 04:25:22.453][response][INFO] (login) POST /identity/connect/token => 200 OK
vaultwarden  | [2026-01-21 04:25:22.595][request][INFO] GET /api/sync?excludeDomains=true
vaultwarden  | [2026-01-21 04:25:22.632][response][INFO] (sync) GET /api/sync?<data..> => 200 OK
vaultwarden  | [2026-01-21 04:25:27.317][request][INFO] GET /api/devices/knowndevice
vaultwarden  | [2026-01-21 04:25:27.319][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK

Consistency & Impact: This issue happens every single time the token expiration is reached (100% reproducible). It is not an intermittent glitch.

  • The browser extension suffers a hard logout exactly when the access token expires (default 1 hour).
  • The silent refresh fails due to the 401 error, and the user is forced to manually re-authenticate via SSO. The extension acts as if the session is completely invalid.

Important Note: I do not want to use the workaround of setting extremely long Access Token lifespans (e.g. 30 days) to simply bypass the refresh loop. I aim to maintain secure, short-lived tokens with proper SSO management. Therefore, fixing this race condition/debounce issue is critical for my use case.

Is there a workaround to lock the refresh process or debounce these calls within Vaultwarden?

<!-- gh-comment-id:3775829084 --> @0xmillennium commented on GitHub (Jan 21, 2026): @Timshel You mentioned earlier that this `invalid_grant` loop might be caused by two refresh_token calls happening at the same time. I am experiencing a specific issue with OIDC (Authelia) where the session is killed exactly at the 1-hour mark (access token expiration) due to a race condition in the refresh flow. ### Environment: **Server:** Vaultwarden (Docker) **OIDC Provider:** Authelia **Client:** Bitwarden Browser Extension (Desktop/Mobile apps work fine) **Auth Method:** `client_secret_basic` (since Vaultwarden does not seem to support `client_secret_post` yet) ### The Issue: I am encountering a session termination issue with the Bitwarden Browser Extension when using OIDC (Authelia). The logs confirm that the client is firing two identical refresh requests at the exact same millisecond. 1. **Request A** is processed successfully (Token A $\rightarrow$ Token B). 2. **Request B** (processed milliseconds later) tries to use Token A again. 3. Authelia detects "Token Reuse," assumes theft, and revokes the entire token family. 4. The session is immediately killed (`invalid_grant`). ### Logs: Notice the timestamp 04:25:20.652. Two POST requests are initiated simultaneously. 
``` vaultwarden | [2026-01-21 04:25:10.972][request][INFO] GET /api/config vaultwarden | [2026-01-21 04:25:10.972][response][INFO] (config) GET /api/config => 200 OK # --- THE RACE CONDITION STARTS HERE --- vaultwarden | [2026-01-21 04:25:20.652][request][INFO] POST /identity/connect/token <-- Request #1 vaultwarden | [2026-01-21 04:25:20.652][request][INFO] POST /identity/connect/token <-- Request #2 (DUPLICATE at exact same ms) # -------------------------------------- vaultwarden | [2026-01-21 04:25:21.335][response][INFO] (login) POST /identity/connect/token => 200 OK <-- Success (Token Rotated) vaultwarden | [2026-01-21 04:25:21.397][request][INFO] GET /api/config vaultwarden | [2026-01-21 04:25:21.397][response][INFO] (config) GET /api/config => 200 OK # --- THE FAILURE --- vaultwarden | [2026-01-21 04:25:21.633][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant... 
or refresh token is invalid..."), error_uri: None }) vaultwarden | [2026-01-21 04:25:21.633][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed vaultwarden | [2026-01-21 04:25:21.633][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized <-- Session Killed due to reuse # ------------------- vaultwarden | [2026-01-21 04:25:21.744][request][INFO] GET /api/devices/knowndevice vaultwarden | [2026-01-21 04:25:21.746][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK vaultwarden | [2026-01-21 04:25:22.055][request][INFO] GET /api/config vaultwarden | [2026-01-21 04:25:22.055][response][INFO] (config) GET /api/config => 200 OK vaultwarden | [2026-01-21 04:25:22.056][request][INFO] POST /identity/connect/token vaultwarden | [2026-01-21 04:25:22.453][response][INFO] (login) POST /identity/connect/token => 200 OK vaultwarden | [2026-01-21 04:25:22.595][request][INFO] GET /api/sync?excludeDomains=true vaultwarden | [2026-01-21 04:25:22.632][response][INFO] (sync) GET /api/sync?<data..> => 200 OK vaultwarden | [2026-01-21 04:25:27.317][request][INFO] GET /api/devices/knowndevice vaultwarden | [2026-01-21 04:25:27.319][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK ``` **Consistency & Impact:** This issue happens every single time the token expiration is reached (100% reproducible). It is not an intermittent glitch. - The browser extension suffers a hard logout exactly when the access token expires (default 1 hour). - The silent refresh fails due to the 401 error, and the user is forced to manually re-authenticate via SSO. The extension acts as if the session is completely invalid. **Important Note:** I do not want to use the workaround of setting extremely long Access Token lifespans (e.g. 30 days) to simply bypass the refresh loop. I aim to maintain secure, short-lived tokens with proper SSO management. 
Therefore, fixing this race condition/debounce issue is critical for my use case. Is there a workaround to lock the refresh process or debounce these calls within Vaultwarden?

@Timshel commented on GitHub (Jan 28, 2026):

@0xmillennium Hey not sure why it's happening only with the browser extension. It should share the same code as the desktop/web app :(.
I contributed a fix (https://github.com/bitwarden/clients/pull/10799) last year which should prevent the issue :(.
I'll try to have a look to see if I can find something.

<!-- gh-comment-id:3810761239 --> @Timshel commented on GitHub (Jan 28, 2026): @0xmillennium Hey not sure why it's happening only with the browser extension. It should share the same code as the desktop/web app :(. I contributed a fix (https://github.com/bitwarden/clients/pull/10799) last year which should prevent the issue :(. I'll try to have a look to see if I can find something.

@faustlod commented on GitHub (Feb 9, 2026):

Prerequisites

Vaultwarden Support String

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.34.3-a2ad1dc7
  • Web-vault version: v2025.8.0
  • OS/Arch: linux/aarch64
  • Running within a container: true (Base: Debian)
  • Database type: SQLite
  • Database version: 3.50.2
  • Uses config.json: true
  • Uses a reverse proxy: true
  • IP Header check: true (X-Forwarded-For)
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • Browser/Server Time Check: true
  • Server/NTP Time Check: true
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Websocket Check: false
  • HTTP Response Checks: true

Config & Details (Generated via diagnostics page)

Show Config & Details
Environment settings which are overridden: DOMAIN, SIGNUPS_ALLOWED

Config:

{
"_duo_akey": null,
"_enable_duo": true,
"_enable_email_2fa": false,
"_enable_smtp": true,
"_enable_yubico": true,
"_icon_service_csp": "",
"_icon_service_url": "",
"_ip_header_enabled": true,
"_max_note_size": 10000,
"_smtp_img_src": ":",
"admin_ratelimit_max_burst": 3,
"admin_ratelimit_seconds": 300,
"admin_session_lifetime": 20,
"admin_token": "
",
"allowed_connect_src": "",
"allowed_iframe_ancestors": "",
"attachments_folder": "data/attachments",
"auth_request_purge_schedule": "30 * * * * ",
"authenticator_disable_time_drift": false,
"data_folder": "data",
"database_conn_init": "",
"database_idle_timeout": 600,
"database_max_conns": 10,
"database_min_conns": 2,
"database_timeout": 30,
"database_url": "
",
"db_connection_retries": 15,
"disable_2fa_remember": false,
"disable_admin_token": false,
"disable_icon_download": false,
"domain": "
://
",
"domain_origin": "
://
",
"domain_path": "",
"domain_set": true,
"duo_context_purge_schedule": "30 * * * * ",
"duo_host": null,
"duo_ikey": null,
"duo_skey": null,
"duo_use_iframe": false,
"email_2fa_auto_fallback": false,
"email_2fa_enforce_on_verified_invite": false,
"email_attempts_limit": 3,
"email_change_allowed": true,
"email_expiration_time": 600,
"email_token_size": 6,
"emergency_access_allowed": true,
"emergency_notification_reminder_schedule": "0 3 * * * ",
"emergency_request_timeout_schedule": "0 7 * * * ",
"enable_db_wal": true,
"enable_websocket": true,
"enforce_single_org_with_reset_pw_policy": false,
"event_cleanup_schedule": "0 10 0 * * ",
"events_days_retain": null,
"experimental_client_feature_flags": "",
"extended_logging": true,
"helo_name": null,
"hibp_api_key": null,
"http_request_block_non_global_ips": true,
"http_request_block_regex": null,
"icon_blacklist_non_global_ips": true,
"icon_blacklist_regex": null,
"icon_cache_folder": "data/icon_cache",
"icon_cache_negttl": 259200,
"icon_cache_ttl": 2592000,
"icon_download_timeout": 10,
"icon_redirect_code": 302,
"icon_service": "internal",
"incomplete_2fa_schedule": "30 * * * * *",
"incomplete_2fa_time_limit": 3,
"increase_note_size_limit": false,
"invitation_expiration_hours": 120,
"invitation_org_name": "Vaultwarden",
"invitations_allowed": true,
"ip_header": "X-Forwarded-For",
"job_poll_interval_ms": 30000,
"log_file": null,
"log_level": "info",
"log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
"login_ratelimit_max_burst": 10,
"login_ratelimit_seconds": 60,
"org_attachment_limit": null,
"org_creation_users": "",
"org_events_enabled": false,
"org_groups_enabled": false,
"password_hints_allowed": true,
"password_iterations": 600000,
"purge_incomplete_sso_nonce": "0 20 0 * * *",
"push_enabled": false,
"push_identity_uri": "https://identity.bitwarden.com",
"push_installation_id": "***",
"push_installation_key": "***",
"push_relay_uri": "https://push.bitwarden.com",
"reload_templates": false,
"require_device_email": false,
"rsa_key_filename": "data/rsa_key",
"send_purge_schedule": "0 5 * * * *",
"sendmail_command": null,
"sends_allowed": true,
"sends_folder": "data/sends",
"show_password_hint": false,
"signups_allowed": false,
"signups_domains_whitelist": "",
"signups_verify": false,
"signups_verify_resend_limit": 6,
"signups_verify_resend_time": 3600,
"smtp_accept_invalid_certs": false,
"smtp_accept_invalid_hostnames": false,
"smtp_auth_mechanism": null,
"smtp_debug": false,
"smtp_embed_images": true,
"smtp_explicit_tls": null,
"smtp_from": "*******************",
"smtp_from_name": "Vaultwarden",
"smtp_host": "********************",
"smtp_password": "***",
"smtp_port": 587,
"smtp_security": "starttls",
"smtp_ssl": null,
"smtp_timeout": 15,
"smtp_username": "************************",
"sso_allow_unknown_email_verification": false,
"sso_audience_trusted": null,
"sso_auth_only_not_session": false,
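"sso_authority": "*****://************************************************",
"sso_authorize_extra_params": "",
"sso_callback_path": "*****://****************************************************",
"sso_client_cache_expiration": 0,
"sso_client_id": "****************************************",
"sso_client_secret": "***",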
"sso_debug_tokens": false,
"sso_enabled": true,
"sso_master_password_policy": null,
"sso_only": true,
"sso_pkce": true,
"sso_scopes": "email profile offline_access",
"sso_signups_match_email": true,
"templates_folder": "data/templates",
"tmp_folder": "data/tmp",
"trash_auto_delete_days": null,
"trash_purge_schedule": "0 5 0 * * *",
"use_sendmail": false,
"use_syslog": false,
"user_attachment_limit": null,
"user_send_limit": null,
"web_vault_enabled": true,
"web_vault_folder": "web-vault/",
"yubico_client_id": null,
"yubico_secret_key": null,
"yubico_server": null
}

Vaultwarden Build Version

1.34.3-a2ad1dc7

Deployment method

Official Container Image

Custom deployment method

No response

Reverse Proxy

traefik v3.1.2

Host/Server Operating System

Linux

Operating System Version

Ubuntu 25.04

Clients

Desktop, Browser Extension, Android

Client Version

Desktop - 2025.7.0, Firefox - 2025.8.2, Android - 2025.8.1

Steps To Reproduce

  1. Enable SSO with Authentik as detailed in the documentation.
  • Access code validity: minutes=1
  • Access Token validity: minutes=15
  • Refresh Token validity: days=90
  2. Use Vaultwarden as usual

Expected Result

Vaultwarden utilizes the refresh token provided by Authentik to keep session alive, exchanging after Access Token validity period for a new access token. User prompted for login after Refresh Token validity period.

Actual Result

User is prompted for SSO login anywhere from hours to a week after initial login.

Logs

Vaultwarden:
[2025-09-14 14:01:39.786][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None })
[2025-09-14 14:01:39.786][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None })


Authentik:
{
    "token": {
        "pk": 89,
        "app": "authentik_providers_oauth2",
        "name": "Refresh Token for 2 for user 6",
        "model_name": "refreshtoken"
    },
    "message": "Revoked refresh token was used",
    "provider": {
        "pk": 2,
        "app": "authentik_providers_oauth2",
        "name": "Provider for Vaultwarden",
        "model_name": "oauth2provider"
    },
    "http_request": {
        "args": {},
        "path": "/application/o/token/",
        "method": "POST",
        "request_id": "<redacted>",
        "user_agent": ""
    }
}

Screenshots or Videos

No response

Additional Context

Using Authentik v2025.8.1, though appeared on earlier releases.

<!-- gh-comment-id:3869926157 --> @faustlod commented on GitHub (Feb 9, 2026): > ### Prerequisites > * [x] I have searched the existing **Closed _AND_ Open** [Issues](https://github.com/dani-garcia/vaultwarden/issues?q=is%3Aissue%20) **_AND_** [Discussions](https://github.com/dani-garcia/vaultwarden/discussions?discussions_q=)[x] I have searched and read the [documentation](https://github.com/dani-garcia/vaultwarden/wiki/) > > ### Vaultwarden Support String > ### Your environment (Generated via diagnostics page) > * Vaultwarden version: v1.34.3-a2ad1dc7 > * Web-vault version: v2025.8.0 > * OS/Arch: linux/aarch64 > * Running within a container: true (Base: Debian) > * Database type: SQLite > * Database version: 3.50.2 > * Uses config.json: true > * Uses a reverse proxy: true > * IP Header check: true (X-Forwarded-For) > * Internet access: true > * Internet access via a proxy: false > * DNS Check: true > * Browser/Server Time Check: true > * Server/NTP Time Check: true > * Domain Configuration Check: true > * HTTPS Check: true > * Websocket Check: false > * HTTP Response Checks: true > > ### Config & Details (Generated via diagnostics page) > Show Config & Details > **Environment settings which are overridden:** DOMAIN, SIGNUPS_ALLOWED > > **Config:** > > { > "_duo_akey": null, > "_enable_duo": true, > "_enable_email_2fa": false, > "_enable_smtp": true, > "_enable_yubico": true, > "_icon_service_csp": "", > "_icon_service_url": "", > "_ip_header_enabled": true, > "_max_note_size": 10000, > "_smtp_img_src": "***:", > "admin_ratelimit_max_burst": 3, > "admin_ratelimit_seconds": 300, > "admin_session_lifetime": 20, > "admin_token": "***", > "allowed_connect_src": "", > "allowed_iframe_ancestors": "", > "attachments_folder": "data/attachments", > "auth_request_purge_schedule": "30 * * * * *", > "authenticator_disable_time_drift": false, > "data_folder": "data", > "database_conn_init": "", > "database_idle_timeout": 600, > "database_max_conns": 10, > "database_min_conns": 
2, > "database_timeout": 30, > "database_url": "***************", > "db_connection_retries": 15, > "disable_2fa_remember": false, > "disable_admin_token": false, > "disable_icon_download": false, > "domain": "*****://***********************", > "domain_origin": "*****://***********************", > "domain_path": "", > "domain_set": true, > "duo_context_purge_schedule": "30 * * * * *", > "duo_host": null, > "duo_ikey": null, > "duo_skey": null, > "duo_use_iframe": false, > "email_2fa_auto_fallback": false, > "email_2fa_enforce_on_verified_invite": false, > "email_attempts_limit": 3, > "email_change_allowed": true, > "email_expiration_time": 600, > "email_token_size": 6, > "emergency_access_allowed": true, > "emergency_notification_reminder_schedule": "0 3 * * * *", > "emergency_request_timeout_schedule": "0 7 * * * *", > "enable_db_wal": true, > "enable_websocket": true, > "enforce_single_org_with_reset_pw_policy": false, > "event_cleanup_schedule": "0 10 0 * * *", > "events_days_retain": null, > "experimental_client_feature_flags": "", > "extended_logging": true, > "helo_name": null, > "hibp_api_key": null, > "http_request_block_non_global_ips": true, > "http_request_block_regex": null, > "icon_blacklist_non_global_ips": true, > "icon_blacklist_regex": null, > "icon_cache_folder": "data/icon_cache", > "icon_cache_negttl": 259200, > "icon_cache_ttl": 2592000, > "icon_download_timeout": 10, > "icon_redirect_code": 302, > "icon_service": "internal", > "incomplete_2fa_schedule": "30 * * * * *", > "incomplete_2fa_time_limit": 3, > "increase_note_size_limit": false, > "invitation_expiration_hours": 120, > "invitation_org_name": "Vaultwarden", > "invitations_allowed": true, > "ip_header": "X-Forwarded-For", > "job_poll_interval_ms": 30000, > "log_file": null, > "log_level": "info", > "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f", > "login_ratelimit_max_burst": 10, > "login_ratelimit_seconds": 60, > "org_attachment_limit": null, > "org_creation_users": "", > 
"org_events_enabled": false, > "org_groups_enabled": false, > "password_hints_allowed": true, > "password_iterations": 600000, > "purge_incomplete_sso_nonce": "0 20 0 * * *", > "push_enabled": false, > "push_identity_uri": "https://identity.bitwarden.com", > "push_installation_id": "***", > "push_installation_key": "***", > "push_relay_uri": "https://push.bitwarden.com", > "reload_templates": false, > "require_device_email": false, > "rsa_key_filename": "data/rsa_key", > "send_purge_schedule": "0 5 * * * *", > "sendmail_command": null, > "sends_allowed": true, > "sends_folder": "data/sends", > "show_password_hint": false, > "signups_allowed": false, > "signups_domains_whitelist": "", > "signups_verify": false, > "signups_verify_resend_limit": 6, > "signups_verify_resend_time": 3600, > "smtp_accept_invalid_certs": false, > "smtp_accept_invalid_hostnames": false, > "smtp_auth_mechanism": null, > "smtp_debug": false, > "smtp_embed_images": true, > "smtp_explicit_tls": null, > "smtp_from": "*******************", > "smtp_from_name": "Vaultwarden", > "smtp_host": "********************", > "smtp_password": "***", > "smtp_port": 587, > "smtp_security": "starttls", > "smtp_ssl": null, > "smtp_timeout": 15, > "smtp_username": "************************", > "sso_allow_unknown_email_verification": false, > "sso_audience_trusted": null, > "sso_auth_only_not_session": false, > "sso_authority": "*****://************************************************", > "sso_authorize_extra_params": "", > "sso_callback_path": "*****://****************************************************", > "sso_client_cache_expiration": 0, > "sso_client_id": "****************************************", > "sso_client_secret": "***", > "sso_debug_tokens": false, > "sso_enabled": true, > "sso_master_password_policy": null, > "sso_only": true, > "sso_pkce": true, > "sso_scopes": "email profile offline_access", > "sso_signups_match_email": true, > "templates_folder": "data/templates", > "tmp_folder": "data/tmp", > 
"trash_auto_delete_days": null, > "trash_purge_schedule": "0 5 0 * * *", > "use_sendmail": false, > "use_syslog": false, > "user_attachment_limit": null, > "user_send_limit": null, > "web_vault_enabled": true, > "web_vault_folder": "web-vault/", > "yubico_client_id": null, > "yubico_secret_key": null, > "yubico_server": null > } > ### Vaultwarden Build Version > 1.34.3-a2ad1dc7 > > ### Deployment method > Official Container Image > > ### Custom deployment method > _No response_ > > ### Reverse Proxy > traefik v3.1.2 > > ### Host/Server Operating System > Linux > > ### Operating System Version > Ubuntu 25.04 > > ### Clients > Desktop, Browser Extension, Android > > ### Client Version > Desktop - 2025.7.0, Firefox - 2025.8.2, Android - 2025.8.1 > > ### Steps To Reproduce > 1. Enable SSO with Authentik as detailed in the [documentation](https://github.com/dani-garcia/vaultwarden/wiki/Enabling-SSO-support-using-OpenId-Connect#authentik). > > * Access code validity: `minutes=1` > * Access Token validity: `minutes=15` > * Refresh Token validity: `days=90` > > 2. Use Vaultwarden as usual > > ### Expected Result > Vaultwarden utilizes the refresh token provided by Authentik to keep session alive, exchanging after Access Token validity period for a new access token. User prompted for login after Refresh Token validity period. > > ### Actual Result > User is prompted for SSO login anywhere from hours to a week after initial login. 
> > ### Logs > ``` > Vaultwarden: > [2025-09-14 14:01:39.786][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None }) > [2025-09-14 14:01:39.786][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None }) > > > Authentik: > { > "token": { > "pk": 89, > "app": "authentik_providers_oauth2", > "name": "Refresh Token for 2 for user 6", > "model_name": "refreshtoken" > }, > "message": "Revoked refresh token was used", > "provider": { > "pk": 2, > "app": "authentik_providers_oauth2", > "name": "Provider for Vaultwarden", > "model_name": "oauth2provider" > }, > "http_request": { > "args": {}, > "path": "/application/o/token/", > "method": "POST", > "request_id": "<redacted>", > "user_agent": "" > } > } > ``` > > ### Screenshots or Videos > _No response_ > > ### Additional Context > Using Authentik v2025.8.1, though appeared on earlier releases.

@faustlod commented on GitHub (Feb 9, 2026):

Could you show me your Docker Compose configuration settings for SSO, your Authentik configuration, and your Traefik middleware configuration? Unfortunately, SSO is not working for me at all:

Failed to discover OpenID provider: Request failed","validationErrors":{"":["Failed to discover OpenID provider: Request failed"]}," errorModel":{"message":"Failed to discover OpenID provider: Request failed","object":"error"},"error":"","error_description":"","exceptionMessage":null,"exceptionStackTrace":null,"innerExceptionMessage":null,"object":"error"}

Thank you!

<!-- gh-comment-id:3870011332 --> @faustlod commented on GitHub (Feb 9, 2026): Could you show me your Docker Compose configuration settings for SSO, your Authentik configuration, and your Traefik middleware configuration? Unfortunately, SSO is not working for me at all: Failed to discover OpenID provider: Request failed","validationErrors":{"":["Failed to discover OpenID provider: Request failed"]}," errorModel":{"message":"Failed to discover OpenID provider: Request failed","object":"error"},"error":"","error_description":"","exceptionMessage":null,"exceptionStackTrace":null,"innerExceptionMessage":null,"object":"error"} Thank you!

@gelbphoenix commented on GitHub (Feb 10, 2026):

Could you show me your Docker Compose configuration settings for SSO, your Authentik configuration, and your Traefik middleware configuration? Unfortunately, SSO is not working for me at all:

Failed to discover OpenID provider: Request failed","validationErrors":{"":["Failed to discover OpenID provider: Request failed"]}," errorModel":{"message":"Failed to discover OpenID provider: Request failed","object":"error"},"error":"","error_description":"","exceptionMessage":null,"exceptionStackTrace":null,"innerExceptionMessage":null,"object":"error"}

Thank you!

Have you set the SSO_AUTHORITY to your specific authority URL? If the .well-known/openid-configuration page is under https://application.company/oidc/.well-known/openid-configuration then SSO_AUTHORITY must be set to https://application.company/oidc.

<!-- gh-comment-id:3879982520 --> @gelbphoenix commented on GitHub (Feb 10, 2026): > Could you show me your Docker Compose configuration settings for SSO, your Authentik configuration, and your Traefik middleware configuration? Unfortunately, SSO is not working for me at all: > > Failed to discover OpenID provider: Request failed","validationErrors":{"":["Failed to discover OpenID provider: Request failed"]}," errorModel":{"message":"Failed to discover OpenID provider: Request failed","object":"error"},"error":"","error_description":"","exceptionMessage":null,"exceptionStackTrace":null,"innerExceptionMessage":null,"object":"error"} > > Thank you! Have you set the `SSO_AUTHORITY` to your specific authority URL? If the `.well-known/openid-configuration` page is under `https://application.company/oidc/.well-known/openid-configuration` then must `SSO_AUTHORITY` be set to `https://application.company/oidc`.

@faustlod commented on GitHub (Feb 16, 2026):

Could you show me your Docker Compose configuration settings for SSO, your Authentik configuration, and your Traefik middleware configuration? Unfortunately, SSO is not working for me at all:
Failed to discover OpenID provider: Request failed","validationErrors":{"":["Failed to discover OpenID provider: Request failed"]}," errorModel":{"message":"Failed to discover OpenID provider: Request failed","object":"error"},"error":"","error_description":"","exceptionMessage":null,"exceptionStackTrace":null,"innerExceptionMessage":null,"object":"error"}
Thank you!

Have you set the SSO_AUTHORITY to your specific authority URL? If the .well-known/openid-configuration page is under https://application.company/oidc/.well-known/openid-configuration then must SSO_AUTHORITY be set to https://application.company/oidc.

Thank you for your comment!

Unfortunately, it still doesn't work. SSO_AUTHORITY was set, I use Authentik, so I set it up as follows:

OpenID Configuration in authentik: https://auth.mydomain.tld/application/o/vaultwarden/.well-known/openid-configuration

SSO_AUTHORITY: https://auth.mydomain.tld/application/o/vaultwarden/ (tried with and without the / at the end)

Unfortunately, the error still persists.

<!-- gh-comment-id:3908078847 --> @faustlod commented on GitHub (Feb 16, 2026): > > Could you show me your Docker Compose configuration settings for SSO, your Authentik configuration, and your Traefik middleware configuration? Unfortunately, SSO is not working for me at all: > > Failed to discover OpenID provider: Request failed","validationErrors":{"":["Failed to discover OpenID provider: Request failed"]}," errorModel":{"message":"Failed to discover OpenID provider: Request failed","object":"error"},"error":"","error_description":"","exceptionMessage":null,"exceptionStackTrace":null,"innerExceptionMessage":null,"object":"error"} > > Thank you! > > Have you set the `SSO_AUTHORITY` to your specific authority URL? If the `.well-known/openid-configuration` page is under `https://application.company/oidc/.well-known/openid-configuration` then must `SSO_AUTHORITY` be set to `https://application.company/oidc`. Thank you for your comment! Unfortunately, it still doesn't work. SSO_AUTHORITY was set, I use Authentik, so I set it up as follows: OpenID Configuration in authentik: https://auth.mydomain.tld/application/o/vaultwarden/.well-known/openid-configuration SSO_AUTHORITY: https://auth.mydomain.tld/application/o/vaultwarden/ (tried with and without the / at the end) Unfortunately, the error still persists.

@ChristianKilmer commented on GitHub (Feb 18, 2026):

I just wanted to chime in to mention that I am also experiencing this exact same issue, but with Authelia. At least this confirms that the issue is in Vaultwarden and not related to an OIDC provider.

Here's a log dump, please let me know if you'd like to see this with debug-level logs or something and I'd be happy to provide.

[2026-02-18 22:08:26.139][request][INFO] POST /identity/connect/token
[2026-02-18 22:08:26.397][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client."), error_uri: None })
[2026-02-18 22:08:26.397][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client."), error_uri: None })
[2026-02-18 22:08:26.397][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized
[2026-02-18 22:08:27.383][request][INFO] POST /identity/connect/token
[2026-02-18 22:08:27.394][vaultwarden::auth][ERROR] SSO is now required, Login again
[2026-02-18 22:08:27.394][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: SSO is now required, Login again
[2026-02-18 22:08:27.394][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized
<!-- gh-comment-id:3923680662 --> @ChristianKilmer commented on GitHub (Feb 18, 2026): I just wanted to chime in to mention that I am also experiencing this exact same issue, but with Authelia. At least this confirms that the issue is in Vaultwarden and not related to an OIDC provider. Here's a log dump, please let me know if you'd like to see this with debug-level logs or something and I'd be happy to provide. ``` [2026-02-18 22:08:26.139][request][INFO] POST /identity/connect/token [2026-02-18 22:08:26.397][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client."), error_uri: None }) [2026-02-18 22:08:26.397][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client."), error_uri: None }) [2026-02-18 22:08:26.397][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized [2026-02-18 22:08:27.383][request][INFO] POST /identity/connect/token [2026-02-18 22:08:27.394][vaultwarden::auth][ERROR] SSO is now required, Login again [2026-02-18 22:08:27.394][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: SSO is now required, Login again [2026-02-18 22:08:27.394][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized ```

@rharish101 commented on GitHub (Feb 18, 2026):

I'm facing the same issue as @0xmillennium, also with Authelia. My logs also show two identical calls for the refresh token made at the same time, which happen both with the desktop browser extension in Firefox and the Bitwarden app on Android.

<!-- gh-comment-id:3923715561 --> @rharish101 commented on GitHub (Feb 18, 2026): I'm facing the same issue as @0xmillennium, also with Authelia. My logs also show two identical calls for the refresh token made at the same time, which happen both with the desktop browser extension in Firefox and the Bitwarden app on Android.

@rharish101 commented on GitHub (Feb 19, 2026):

I added SSO_AUTH_ONLY_NOT_SESSION=true, and it seems to work so far (just been 1 day since the addition of this env var) on my Android device with Bitwarden from Google Play. However, the Bitwarden extension on Firefox desktop (Linux) ALWAYS stops working after I close and reopen the browser.

EDIT: Here's my Vaultwarden config:

# Vaultwarden environment as posted in the thread. Values in angle brackets are
# the poster's own redactions, not literal settings.
DATA_FOLDER=/var/lib/vaultwarden
DOMAIN=https://vault.example.com
PUSH_ENABLED=true
PUSH_IDENTITY_URI=https://identity.bitwarden.eu
PUSH_RELAY_URI=https://api.bitwarden.eu
# NOTE(review): 0.0.0.0 listens on every interface; presumably a reverse proxy or
# firewall is the only thing that can reach this port — confirm.
ROCKET_ADDRESS=0.0.0.0
ROCKET_PORT=6062
SMTP_FROM=vault@example.com
SMTP_HOST=smtp.gmail.com
SMTP_PORT=587
SMTP_USERNAME=example@gmail.com
SSO_AUTHORITY=https://auth.example.com
# Workaround discussed in this thread. Per the maintainer's reply, it bypasses the
# provider and uses the default Vaultwarden session, which does not care whether an
# old refresh token is reused.
# NOTE(review): with this set, the provider's token expiry or revocation presumably
# no longer ends the Vaultwarden session — confirm before keeping it long term.
SSO_AUTH_ONLY_NOT_SESSION=true
SSO_CLIENT_ID=<client-id>
SSO_ENABLED=true
SSO_ONLY=true
# offline_access is the OIDC scope that asks the provider for a refresh token.
SSO_SCOPES=email profile offline_access
WEB_VAULT_FOLDER=/nix/store/<hash>-vaultwarden-webvault-2026.1.0+0/share/vaultwarden/vault
# The remaining entries carry credentials (redacted here); keep the real values in
# a file readable only by the service account.
DATABASE_URL=postgres://vaultwarden:<password>@<ip-address>/vaultwarden
SMTP_PASSWORD=<password>
SSO_CLIENT_SECRET=<client-secret>
PUSH_INSTALLATION_ID=<push-id>
PUSH_INSTALLATION_KEY=<push-key>

And here's my Authelia config for Vaultwarden (in Nix format):

{
  # Authelia OIDC client entry for Vaultwarden, as posted in the thread.
  # Values in angle brackets are the poster's redactions.
  client_id = "<client-id>";
  client_name = "Vaultwarden";
  # The placeholder indicates a hash of the secret is stored on the provider side,
  # while the Vaultwarden environment above carries <client-secret> itself.
  client_secret = "<client-secret-hash>";
  # The invalid_grant text quoted in this thread lists a redirect-URI mismatch as
  # one possible cause, so this entry has to equal the callback Vaultwarden sends.
  # NOTE(review): presumably derived from DOMAIN — confirm.
  redirect_uris = [
    "https://vault.example.com/identity/connect/oidc-signin"
  ];
  # offline_access here, together with the refresh_token grant below, is what
  # allows refresh tokens to be issued to this client.
  scopes = [
    "openid"
    "email"
    "profile"
    "offline_access"
  ];
  response_types = [ "code" ];
  grant_types = [
    "refresh_token"
    "authorization_code"
  ];
  # NOTE(review): presumably how long a granted consent is remembered before the
  # user is asked again — confirm against the Authelia documentation.
  pre_configured_consent_duration = "1 month";
}
<!-- gh-comment-id:3929409097 --> @rharish101 commented on GitHub (Feb 19, 2026): I added `SSO_AUTH_ONLY_NOT_SESSION=true`, and it seems to work so far (just been 1 day since the addition of this env var) on my Android device with Bitwarden from Google Play. However, the Bitwarden extension on Firefox desktop (Linux) **ALWAYS** stops working after I close and reopen the browser. **EDIT:** Here's my Vaultwarden config: ```bash DATA_FOLDER=/var/lib/vaultwarden DOMAIN=https://vault.example.com PUSH_ENABLED=true PUSH_IDENTITY_URI=https://identity.bitwarden.eu PUSH_RELAY_URI=https://api.bitwarden.eu ROCKET_ADDRESS=0.0.0.0 ROCKET_PORT=6062 SMTP_FROM=vault@example.com SMTP_HOST=smtp.gmail.com SMTP_PORT=587 SMTP_USERNAME=example@gmail.com SSO_AUTHORITY=https://auth.example.com SSO_AUTH_ONLY_NOT_SESSION=true SSO_CLIENT_ID=<client-id> SSO_ENABLED=true SSO_ONLY=true SSO_SCOPES=email profile offline_access WEB_VAULT_FOLDER=/nix/store/<hash>-vaultwarden-webvault-2026.1.0+0/share/vaultwarden/vault DATABASE_URL=postgres://vaultwarden:<password>@<ip-address>/vaultwarden SMTP_PASSWORD=<password> SSO_CLIENT_SECRET=<client-secret> PUSH_INSTALLATION_ID=<push-id> PUSH_INSTALLATION_KEY=<push-key> ``` And here's my Authelia config for Vaultwarden (in Nix format): ```nix { client_id = "<client-id>"; client_name = "Vaultwarden"; client_secret = "<client-secret-hash>"; redirect_uris = [ "https://vault.example.com/identity/connect/oidc-signin" ]; scopes = [ "openid" "email" "profile" "offline_access" ]; response_types = [ "code" ]; grant_types = [ "refresh_token" "authorization_code" ]; pre_configured_consent_duration = "1 month"; } ```

@Timshel commented on GitHub (Feb 20, 2026):

@rharish101 yes, SSO_AUTH_ONLY_NOT_SESSION bypasses your provider and uses the default Vaultwarden session, which does not care if you reuse an old refresh token.

Tried to trigger the issue again but even with a 2min access token (Bitwarden consider <5min expired), the application spam call to the token endpoint but had no parallel calls.

ALWAYS stops working after I close and reopen the browser.

Not sure what you mean by that ? do you have to login again ?

@ChristianKilmer do you have any information on authelia side why the call was denied ? because

The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.

Is vague.

@faustlod not sure if it might help to troubleshoot, but I just updated the Authentik docker compose debug/demo stack I use. It uses OIDCWarden (the client allow connection over http) but the configuration should be the same.

<!-- gh-comment-id:3936321685 --> @Timshel commented on GitHub (Feb 20, 2026): @rharish101 yes the `SSO_AUTH_ONLY_NOT_SESSION` bypass your provider and use the default Vaultwarden session which does not care if you reuse an old refresh token. Tried to trigger the issue again but even with a 2min access token (Bitwarden consider <5min expired), the application spam call to the token endpoint but had no parallel calls. > ALWAYS stops working after I close and reopen the browser. Not sure what you mean by that ? do you have to login again ? @ChristianKilmer do you have any information on authelia side why the call was denied ? because ``` The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client. ``` Is vague. @faustlod not sure if it might help to troubleshoot, but I just updated the Authentik docker compose [debug/demo stack](https://github.com/Timshel/OIDCWarden/tree/main/docker/authentik) I use. It uses OIDCWarden (the client allow connection over `http`) but the configuration should be the same.

@rharish101 commented on GitHub (Feb 20, 2026):

ALWAYS stops working after I close and reopen the browser.

Not sure what you mean by that ? do you have to login again ?

Yes indeed. I have to relogin with Authelia. I also waited for the 5 minute timeout that I set in the extension's settings. When it's just supposed to lock the vault, it actually ends up logging me out altogether.

<!-- gh-comment-id:3936551642 --> @rharish101 commented on GitHub (Feb 20, 2026): > > ALWAYS stops working after I close and reopen the browser. > > Not sure what you mean by that ? do you have to login again ? Yes indeed. I have to relogin with Authelia. I also waited for the 5 minute timeout that I set in the extension's settings. When it's just supposed to lock the vault, it actually ends up logging me out altogether.

@ChristianKilmer commented on GitHub (Feb 20, 2026):

@Timshel I noticed something interesting today. If you'd like to see a recording of this, I can show you, but hopefully this makes sense.
I have since set SSO_AUTH_ONLY_NOT_SESSION=true as the obvious workaround, but noticed the weirdest phenomenon in the logs despite that. While watching the logs, I noticed that every single time the Bitwarden desktop application is minimized (not even closed!) I get this error sequence...

[2026-02-20 22:38:28.744][vaultwarden::auth][ERROR] SSO is now required, Login again
[2026-02-20 22:38:28.744][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: SSO is now required, Login again
[2026-02-20 22:38:28.745][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized

That's not even the weirdest thing. What's really crazy to me is that every single time I change browser tabs, the exact same thing happens! I don't even have a Vaultwarden tab open, so that tells me that its just the simple act of the browser extension being refreshed.

In all of the above situations, I have been logged in and my session has been functional. I have confirmed this by making edits to items in the desktop and browser extensions, seeing successful POST operations in the logs, and verifying that the change took place. Despite that, I still see this message every single time. I have also confirmed that it is not related to the state of SSO_AUTH_ONLY_NOT_SESSION by trying it both ways.

Now to your question, I have set SSO_AUTH_ONLY_NOT_SESSION=false again, but have not been able to replicate the issue yet. Once it starts happening, I will reply with my logs.

<!-- gh-comment-id:3937525091 --> @ChristianKilmer commented on GitHub (Feb 20, 2026): @Timshel I noticed something interesting today. If you'd like to see a recording of this, I can show you, but hopefully this makes sense. I have since set `SSO_AUTH_ONLY_NOT_SESSION=true` as the obvious workaround, but noticed the weirdest phenomenon in the logs despite that. While watching the logs, I noticed that every single time the Bitwarden desktop application is *minimized* (not even closed!) I get this error sequence... ``` [2026-02-20 22:38:28.744][vaultwarden::auth][ERROR] SSO is now required, Login again [2026-02-20 22:38:28.744][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: SSO is now required, Login again [2026-02-20 22:38:28.745][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized ``` That's not even the weirdest thing. What's *really* crazy to me is that every single time I change browser tabs, the exact same thing happens! I don't even have a Vaultwarden tab open, so that tells me that its just the simple act of the browser extension being refreshed. In all of the above situations, I have been logged in and my session has been functional. I have confirmed this by making edits to items in the desktop and browser extensions, seeing successful POST operations in the logs, and verifying that the change took place. Despite that, I still see this message every single time. I have also confirmed that it is no related to the state of `SSO_AUTH_ONLY_NOT_SESSION` by trying it both ways. Now to your question, I have set `SSO_AUTH_ONLY_NOT_SESSION=false` again, but have not been able to replicate the issue yet. Once it starts happening, I will reply with my logs.

@ChristianKilmer commented on GitHub (Feb 21, 2026):

Alright, so this is my uninformed opinion on a potential fix after looking at some of the codebase. I am not a professional, so please take this with a grain of salt.

It looks like maybe you're treating the SSO refresh tokens as stateless? They're being pushed to clients using JWTs rather than being remembered on the server. When the OIDC provider rotates the token, concurrent client requests all carry the same token, and after the first one succeeds, the provider revokes that token, causing all subsequent concurrent requests to fail. I suspect that when multiple Bitwarden clients (web, desktop, mobile, etc.) see that a token is nearing expiry, they all request at the exact same time. Your mention in an earlier comment that multiple calls to refresh_token can cause this issue, combined with what I have seen so far today, is what sent me down this rabbit hole, and I think that accurately reflects what is happening.

My proposal would be adding something like an sso_refresh_token to the devices table of your db schema as a nullable (non-SSO users) text field. This way, the server always knows the current valid token. The existing refresh_token column is actually Vaultwarden's own device lookup token rather than the OIDC provider's token, which confused me initially (I could be wrong about this).

This SSO refresh token could then be saved after a successful login. Perhaps in src/api/identity.rs, you could have an action where upon a successful token exchange, before the device is saved, something like `device.sso_refresh_token = sso_refresh_token.map(|t| t.to_string());` could be run to save the token server-side in the database.

Now, the actual bug fix... This is where I think I somewhat fall apart, but I'll let you decide. Also in the src/api/identity.rs file, under the _refresh_login function... instead of unpacking the OIDC token from the client's JWT, read it from the new device.sso_refresh_token. After a successful exchange, save the new one back. I simply do not have the know-how to write this out for myself in Rust, and don't want to throw vibe-code at you that I myself don't even understand.

Because the server now stores the token in the db, even if multiple requests arrive simultaneously, the second one can detect that the first already updated the stored token. The server can either retry with the new token or return the cached result. The OIDC provider should only ever see one request with each token. And by storing the token server-side, you'd no longer depend on the client's JWT wrapper correctly preserving it. Even in the freak scenario that the JWT wrapping logic causes the OIDC token to get lost, the server's database copy can still be used. Just some gravy, but maybe some type of mutex lock could be applied as well to prevent that brief window where two requests can read the same DB value before writing back.

Hopefully this puts you onto something, but I really don't know enough to make a proper PR myself.

<!-- gh-comment-id:3937751703 --> @ChristianKilmer commented on GitHub (Feb 21, 2026): Alright, so this is my uninformed opinion on a potential fix after looking at some of the codebase. I am not a professional, so please take this with a grain of salt. It looks like maybe you're treating the SSO refresh tokens as stateless? They're being pushed to clients using JWTs rather than remembering them on the server. When the OIDC provider rotates the token, concurrent client requests all carry the same token, and after the first one succeeds, the provider revokes that token, causing all subsequent concurrent requests to fail. I suspect that when multiple Bitwarden clients (web, desktop, mobile, etc.) see that a token is nearing expiry, they all request at the exact same time. You mentioning in an earlier comment that multiple calls to refresh_token can cause this issue combined with what I saw today so far is what put me down this rabbit hole, and I think that accurately reflects what is happening. My proposal would be adding something like an sso_refresh_token to the devices table of your db schema as a nullable (non-SSO users) text field. This way, the server always knows the current valid token. The existing refresh_token column is actually Vaultwarden's own device lookup token rather than the OIDC provider's token, which confused me initially (I could be wrong about this). This SSO refresh token could then be saved after a successful login. Perhaps in src/api/identity.rs, you could have an action where upon a successful token exchange, before the device is saved, something like `device.sso_refresh_token = sso_refresh_token.map(|t| t.to_string());` could be run to save the token server-side in the database. Now, the actual bug fix... This is where I think I somewhat fall apart, but I'll let you decide. Also in the src/api/identity.rs file, under the _refresh_login function... 
instead of unpacking the OIDC token from the client's JWT, read it from the new device.sso_refresh_token. After a successful exchange, save the new one back. I simply do not have know-how to write this out for myself in Rust, and don't want to throw vibe-code at you that I myself don't even understand. Because the server now stores the token in the db, even if multiple requests arrive simultaneously, the second one can detect that the first already updated the stored token. The server can either retry with the new token or return the cached result. The OIDC provider only should ever see one request with each token. And by storing the token server-side, you'd no longer depend on the client's JWT wrapper correctly preserving it. Even in the freak scenario that the JWT wrapping logic causes the OIDC token to get lost, the server's database copy can still be used. Just some gravy, but maybe some type of mutex lock could be applied as well to prevent that brief window where two requests can read the same DB value before writing back. Hopefully this puts you onto something, but I really don't know enough to make a proper PR myself.

@controlaltnerd commented on GitHub (Feb 21, 2026):

That explanation helps make sense of some behavior I've been seeing lately that I couldn't explain, namely that the Bitwarden extension (Chrome/Brave) on my laptop consistently fails to stay logged in, while on my desktop it tends to stay logged in for a few days at a time. I thought for a while that the iOS app wasn't having any issues, but recently discovered it hadn't connected to the server in over a month. The logouts on my laptop always happen at the expiration of the refresh token, but I didn't make the connection to the successful refreshes happening on the desktop, and the iOS "logged in but not really" behavior helped to obfuscate that.

<!-- gh-comment-id:3937839095 --> @controlaltnerd commented on GitHub (Feb 21, 2026): That explanation helps make sense of some behavior I've been seeing lately that I couldn't explain, namely that the Bitwarden extension (Chrome/Brave) on my laptop consistently fails to stay logged in, while on my desktop it tends to stay logged in for a few days at a time. I thought for a while that the iOS app wasn't having any issues, but recently discovered it hadn't connected to the server in over a month. The logouts on my laptop always happen at the expiration of the refresh token, but I didn't make the connection to the successful refreshes happening on the desktop, and the iOS "logged in but not really" behavior helped to obfuscate that.

@Timshel commented on GitHub (Feb 21, 2026):

@ChristianKilmer

> when multiple Bitwarden clients (web, desktop, mobile, etc.) see that a token is nearing expiry, they all request at the exact same time

I believe this is unlikely to be the cause of the error. I have not tested it with Authentik, but multiple sessions should have different tokens, each with a separate lifecycle, which are unlikely to expire at the same time. And even if they were to expire at the same time, they should be different; in the Authentik admin you should probably be able to see the different user sessions somewhere (at least it's visible in Keycloak, where each session is separate and can be revoked independently).

As for your fix suggestion, storing the tokens in the server db was something I wanted to avoid since keeping them is a security risk.

Fixing the issue in the clients should be simpler since they are the root of the issue (the current fix I contributed is quite trivial).
Looking at the latest web-vault code, I can't identify how the issue could arise. But unless you are running a really outdated web-vault, the fix should be present :(.

A simpler server-side fix would be to debounce the refresh_token call with a simple query cache, but I'm reluctant to do it since it would add state to the server, which brings limitations (such as when running multiple nodes, though I'm unsure whether that is done).

<!-- gh-comment-id:3938514621 --> @Timshel commented on GitHub (Feb 21, 2026): @ChristianKilmer > when multiple Bitwarden clients (web, desktop, mobile, etc.) see that a token is nearing expiry, they all request at the exact same time I believe this is unlikely to be the cause of error. I have not tested it with Authentik, but multiple sessions should have different tokens each with a separate lifecycle which are unlikely to expire at the same time. And even if they were to expire at the same time they should be different, in Authentik admin you probably should be able to see the different user sessions somewhere (at least it's visible in Keycloak and each are separate and can be revoked independently). As for your fix suggestion, storing the tokens in the server db was something I wanted to avoid since keeping them is a security risk. Fixing the issue in the client should be simpler since they are the root of the issue (current fix I contributed is quite trivial). Looking at the latest web-vault code I can't identify how the issue could arise. But unless running a really outdated web-vault the fix should be present :(. A simpler fix server side would be to debounce the refresh_token call with a simple query cache, but I'm reluctant to do it since it would add state to the server which bring limitations (such as running multiple nodes, but unsure if it's done).

@Timshel commented on GitHub (Feb 21, 2026):

@ChristianKilmer For your previous issue, `SSO is now required, Login again` should mean you have a non-SSO session somewhere whose refresh is rejected since `SSO_ONLY` is activated.

<!-- gh-comment-id:3938519652 --> @Timshel commented on GitHub (Feb 21, 2026): @ChristianKilmer For your previous issue, `SSO is now required, Login again` should mean you have a non SSO session somewhere which refresh is rejected since `SSO_ONLY` is activated.

@ChristianKilmer commented on GitHub (Feb 21, 2026):

@Timshel Ok I was finally able to reproduce the issue this morning. Here's the logs...

Vaultwarden:

[2026-02-21 16:05:11.824][reqwest::connect][DEBUG] starting new connection: https://authelia.mydomain.com/
[2026-02-21 16:05:11.825][hyper_util::client::legacy::connect::http][DEBUG] connecting to 10.0.0.30:443
[2026-02-21 16:05:11.825][hyper_util::client::legacy::connect::http][DEBUG] connected to 10.0.0.30:443
[2026-02-21 16:05:11.830][hyper_util::client::legacy::pool][DEBUG] pooling idle connection for ("https", authelia.mydomain.com)
[2026-02-21 16:05:11.830][hyper_util::client::legacy::pool][DEBUG] reuse idle connection for ("https", authelia.mydomain.com)
[2026-02-21 16:05:11.830][hyper_util::client::legacy::pool][DEBUG] pooling idle connection for ("https", authelia.mydomain.com)
[2026-02-21 16:05:11.830][hyper_util::client::legacy::pool][DEBUG] reuse idle connection for ("https", authelia.mydomain.com)
[2026-02-21 16:05:12.018][hyper_util::client::legacy::pool][DEBUG] pooling idle connection for ("https", authelia.mydomain.com)
[2026-02-21 16:05:12.018][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client."), error_uri: None })
[2026-02-21 16:05:12.018][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client."), error_uri: None })
[2026-02-21 16:05:12.018][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized
[2026-02-21 16:05:13.618][vaultwarden::api::core::sends][DEBUG] Purging sends
[2026-02-21 16:05:14.570][request][INFO] POST /identity/connect/token
[2026-02-21 16:05:14.577][vaultwarden::auth][ERROR] SSO is now required, Login again
[2026-02-21 16:05:14.577][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: SSO is now required, Login again
[2026-02-21 16:05:14.577][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized

Authelia:

time="2026-02-21T16:05:12Z" level=error msg="Access Request failed with error: The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client. Token expired. Refresh Token expired at '2026-02-21 00:38:39 +0000 UTC'." method=POST path=/api/oidc/token remote_ip=10.89.0.1 stack="github.com/authelia/authelia/v4/internal/handlers/handler_oauth2_token.go:25                OAuth2TokenPOST\ngithub.com/authelia/authelia/v4/internal/middlewares/http_to_authelia_handler_adaptor.go:58 RegisterOpenIDConnectRoutes.NewHTTPToAutheliaHandlerAdaptor.func17\ngithub.com/authelia/authelia/v4/internal/middlewares/bridge.go:66                           RegisterOpenIDConnectRoutes.(*BridgeBuilder).Build.func2.1\ngithub.com/authelia/authelia/v4/internal/middlewares/headers.go:105                         SecurityHeadersNoStore.func1\ngithub.com/valyala/fasthttp@v1.68.0/server.go:773                                           (*RequestCtx).UserValue\ngithub.com/authelia/authelia/v4/internal/middlewares/headers.go:30                          SecurityHeadersBase.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/cors.go:216                            RegisterOpenIDConnectRoutes.(*CORSPolicy).Middleware.func18\ngithub.com/fasthttp/router@v1.5.4/router.go:441                                             (*Router).Handler\ngithub.com/authelia/authelia/v4/internal/middlewares/log_request.go:14                      handlerMain.LogRequest.func30\ngithub.com/authelia/authelia/v4/internal/middlewares/errors.go:38                           RecoverPanic.func1\ngithub.com/valyala/fasthttp@v1.68.0/server.go:2465                                          (*Server).serveConn\ngithub.com/valyala/fasthttp@v1.68.0/workerpool.go:225                                       
(*workerPool).workerFunc\ngithub.com/valyala/fasthttp@v1.68.0/workerpool.go:197                                       (*workerPool).getCh.func1\nruntime/asm_amd64.s:1693                                                                    goexit"
<!-- gh-comment-id:3939027923 --> @ChristianKilmer commented on GitHub (Feb 21, 2026): @Timshel Ok I was finally able to reproduce the issue this morning. Here's the logs... Vaultwarden: ``` [2026-02-21 16:05:11.824][reqwest::connect][DEBUG] starting new connection: https://authelia.mydomain.com/ [2026-02-21 16:05:11.825][hyper_util::client::legacy::connect::http][DEBUG] connecting to 10.0.0.30:443 [2026-02-21 16:05:11.825][hyper_util::client::legacy::connect::http][DEBUG] connected to 10.0.0.30:443 [2026-02-21 16:05:11.830][hyper_util::client::legacy::pool][DEBUG] pooling idle connection for ("https", authelia.mydomain.com) [2026-02-21 16:05:11.830][hyper_util::client::legacy::pool][DEBUG] reuse idle connection for ("https", authelia.mydomain.com) [2026-02-21 16:05:11.830][hyper_util::client::legacy::pool][DEBUG] pooling idle connection for ("https", authelia.mydomain.com) [2026-02-21 16:05:11.830][hyper_util::client::legacy::pool][DEBUG] reuse idle connection for ("https", authelia.mydomain.com) [2026-02-21 16:05:12.018][hyper_util::client::legacy::pool][DEBUG] pooling idle connection for ("https", authelia.mydomain.com) [2026-02-21 16:05:12.018][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client."), error_uri: None }) [2026-02-21 16:05:12.018][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection 
URI used in the authorization request, or was issued to another client."), error_uri: None }) [2026-02-21 16:05:12.018][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized [2026-02-21 16:05:13.618][vaultwarden::api::core::sends][DEBUG] Purging sends [2026-02-21 16:05:14.570][request][INFO] POST /identity/connect/token [2026-02-21 16:05:14.577][vaultwarden::auth][ERROR] SSO is now required, Login again [2026-02-21 16:05:14.577][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: SSO is now required, Login again [2026-02-21 16:05:14.577][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized ``` Authelia: ``` time="2026-02-21T16:05:12Z" level=error msg="Access Request failed with error: The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client. Token expired. Refresh Token expired at '2026-02-21 00:38:39 +0000 UTC'." 
method=POST path=/api/oidc/token remote_ip=10.89.0.1 stack="github.com/authelia/authelia/v4/internal/handlers/handler_oauth2_token.go:25 OAuth2TokenPOST\ngithub.com/authelia/authelia/v4/internal/middlewares/http_to_authelia_handler_adaptor.go:58 RegisterOpenIDConnectRoutes.NewHTTPToAutheliaHandlerAdaptor.func17\ngithub.com/authelia/authelia/v4/internal/middlewares/bridge.go:66 RegisterOpenIDConnectRoutes.(*BridgeBuilder).Build.func2.1\ngithub.com/authelia/authelia/v4/internal/middlewares/headers.go:105 SecurityHeadersNoStore.func1\ngithub.com/valyala/fasthttp@v1.68.0/server.go:773 (*RequestCtx).UserValue\ngithub.com/authelia/authelia/v4/internal/middlewares/headers.go:30 SecurityHeadersBase.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/cors.go:216 RegisterOpenIDConnectRoutes.(*CORSPolicy).Middleware.func18\ngithub.com/fasthttp/router@v1.5.4/router.go:441 (*Router).Handler\ngithub.com/authelia/authelia/v4/internal/middlewares/log_request.go:14 handlerMain.LogRequest.func30\ngithub.com/authelia/authelia/v4/internal/middlewares/errors.go:38 RecoverPanic.func1\ngithub.com/valyala/fasthttp@v1.68.0/server.go:2465 (*Server).serveConn\ngithub.com/valyala/fasthttp@v1.68.0/workerpool.go:225 (*workerPool).workerFunc\ngithub.com/valyala/fasthttp@v1.68.0/workerpool.go:197 (*workerPool).getCh.func1\nruntime/asm_amd64.s:1693 goexit" ```

@Timshel commented on GitHub (Feb 21, 2026):

@ChristianKilmer The Authelia logs mention that the refresh token has been expired since `2026-02-21 00:38:39`; you probably need to extend the refresh token validity.
You can have a short access token lifetime to force a refresh each time there is some activity, but if your refresh token has a short lifetime too, then the application won't be able to refresh if you are idle for too long.

<!-- gh-comment-id:3939084705 --> @Timshel commented on GitHub (Feb 21, 2026): @ChristianKilmer Authelia logs mention the refresh token is expired since `2026-02-21 00:38:39` you probably need to extend their validity. You can have a short access token lifetime to force a refresh each time there is some activity but if your refresh token has a short lifetime too then the application won't be able to refresh if you are idle too long.

@rharish101 commented on GitHub (Feb 22, 2026):

> Yes indeed. I have to relogin with Authelia. I also waited for the 5 minute timeout that I set in the extension's settings. When it's just supposed to lock the vault, it actually ends up logging me out altogether.

I uninstalled my browser extension on Firefox (Linux) desktop and reinstalled it, and this issue is now gone! So using Authelia only for auth (using `SSO_AUTH_ONLY_NOT_SESSION=true`) works for me (so far).

<!-- gh-comment-id:3940894465 --> @rharish101 commented on GitHub (Feb 22, 2026): > Yes indeed. I have to relogin with Authelia. I also waited for the 5 minute timeout that I set in the extension's settings. When it's just supposed to lock the vault, it actually ends up logging me out altogether. I uninstalled my browser extension on Firefox (Linux) desktop and reinstalled it, and this issue is now gone! So using Authelia only for auth (using `SSO_AUTH_ONLY_NOT_SESSION=true`) works for me (so far).

@controlaltnerd commented on GitHub (Feb 23, 2026):

Saw this issue again today, this time on my desktop when I tried to update a credential and found that the Bitwarden extension wasn't actually logged in anymore but hadn't ended its own local "session":

vaultwarden  | [2026-02-23 16:28:17.025][request][INFO] POST /identity/connect/token
vaultwarden  | [2026-02-23 16:28:17.056][reqwest::connect][DEBUG] starting new connection: https://<AUTHENTIK URL>/
vaultwarden  | [2026-02-23 16:28:17.057][hyper_util::client::legacy::connect::http][DEBUG] connecting to <AUTHENTIK SERVER IP>:443
vaultwarden  | [2026-02-23 16:28:17.064][hyper_util::client::legacy::connect::http][DEBUG] connected to <AUTHENTIK SERVER IP>:443
vaultwarden  | [2026-02-23 16:28:17.547][hyper_util::client::legacy::pool][DEBUG] pooling idle connection for ("https", <AUTHENTIK URL>)
vaultwarden  | [2026-02-23 16:28:17.548][hyper_util::client::legacy::pool][DEBUG] reuse idle connection for ("https", <AUTHENTIK URL>)
vaultwarden  | [2026-02-23 16:28:18.023][hyper_util::client::legacy::pool][DEBUG] pooling idle connection for ("https", <AUTHENTIK URL>)
vaultwarden  | [2026-02-23 16:28:18.023][hyper_util::client::legacy::pool][DEBUG] reuse idle connection for ("https", <AUTHENTIK URL>)
vaultwarden  | [2026-02-23 16:28:18.118][hyper_util::client::legacy::pool][DEBUG] pooling idle connection for ("https", <AUTHENTIK URL>)
vaultwarden  | [2026-02-23 16:28:18.118][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None })
vaultwarden  | [2026-02-23 16:28:18.118][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None })
vaultwarden  | [2026-02-23 16:28:18.119][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized

And from Authentik:

Context
{
    "token": {
        "pk": 3271,
        "app": "authentik_providers_oauth2",
        "name": "Refresh Token for 22 for user 3",
        "model_name": "refreshtoken"
    },
    "message": "Revoked refresh token was used",
    "provider": {
        "pk": 22,
        "app": "authentik_providers_oauth2",
        "name": "Vaultwarden",
        "model_name": "oauth2provider"
    },
    "http_request": {
        "args": {},
        "path": "/application/o/token/",
        "method": "POST",
        "request_id": "551ea18704e34dd288d7c240e7971d6c",
        "user_agent": ""
    }
}

Refresh tokens are valid for 90 days, and the extension was most recently logged in within the past 30 days.

<!-- gh-comment-id:3945920227 --> @controlaltnerd commented on GitHub (Feb 23, 2026): Saw this issue again today, this time on my desktop when I tried to update a credential and found that the Bitwarden extension wasn't actually logged in anymore but hadn't ended its own local "session": ``` vaultwarden | [2026-02-23 16:28:17.025][request][INFO] POST /identity/connect/token vaultwarden | [2026-02-23 16:28:17.056][reqwest::connect][DEBUG] starting new connection: https://<AUTHENTIK URL>/ vaultwarden | [2026-02-23 16:28:17.057][hyper_util::client::legacy::connect::http][DEBUG] connecting to <AUTHENTIK SERVER IP>:443 vaultwarden | [2026-02-23 16:28:17.064][hyper_util::client::legacy::connect::http][DEBUG] connected to <AUTHENTIK SERVER IP>:443 vaultwarden | [2026-02-23 16:28:17.547][hyper_util::client::legacy::pool][DEBUG] pooling idle connection for ("https", <AUTHENTIK URL>) vaultwarden | [2026-02-23 16:28:17.548][hyper_util::client::legacy::pool][DEBUG] reuse idle connection for ("https", <AUTHENTIK URL>) vaultwarden | [2026-02-23 16:28:18.023][hyper_util::client::legacy::pool][DEBUG] pooling idle connection for ("https", <AUTHENTIK URL>) vaultwarden | [2026-02-23 16:28:18.023][hyper_util::client::legacy::pool][DEBUG] reuse idle connection for ("https", <AUTHENTIK URL>) vaultwarden | [2026-02-23 16:28:18.118][hyper_util::client::legacy::pool][DEBUG] pooling idle connection for ("https", <AUTHENTIK URL>) vaultwarden | [2026-02-23 16:28:18.118][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None }) vaultwarden | [2026-02-23 16:28:18.118][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint 
failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None }) vaultwarden | [2026-02-23 16:28:18.119][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized ``` And from Authentik: ``` Context { "token": { "pk": 3271, "app": "authentik_providers_oauth2", "name": "Refresh Token for 22 for user 3", "model_name": "refreshtoken" }, "message": "Revoked refresh token was used", "provider": { "pk": 22, "app": "authentik_providers_oauth2", "name": "Vaultwarden", "model_name": "oauth2provider" }, "http_request": { "args": {}, "path": "/application/o/token/", "method": "POST", "request_id": "551ea18704e34dd288d7c240e7971d6c", "user_agent": "" } } ``` Refresh tokens are valid for 90 days, and the extension was most recently logged in within the past 30 days.