[PR #6866] Add 30s cache to SSO exchange_refresh_token #3862

New issue

Open

opened 2026-03-03 10:38:10 +03:00 by kerem · 0 comments

kerem commented

2026-03-03 10:38:10 +03:00

Owner

📋 Pull Request Information

Original PR: https://github.com/dani-garcia/vaultwarden/pull/6866
Author: @Timshel
Created: 2/23/2026
Status: 🔄 Open

Base: main ← Head: fix/refresh_token

📝 Commits (1)

5b8fbd7 Add 30s cache to SSO exchange_refresh_token

📊 Changes

3 files changed (+37 additions, -138 deletions)

View changed files

📝 Cargo.lock (+6 -119)
📝 Cargo.toml (+1 -1)
📝 src/sso_client.rs (+30 -18)

📄 Description

This add a cache to the refresh_token endpoint to prevent calling a provider twice with the same token (some providers prevent reuse).

I contributed a patch to the clients to prevent the issue https://github.com/bitwarden/clients/pull/10799.
But it appears some users still have issues: Ex: https://github.com/dani-garcia/vaultwarden/issues/6311#issuecomment-3775829084.

Looking at the client code I couldn't identify how to reproduce the issue :(.
But at the same time the fix is relatively trivial, so I believe it's worth to integrate it (Only issue I could see is it'won't work in multinode setup unless some affinity is set at the loadbalancer).

Switched to Moka to be able to use get_with.
Did not change the current CLIENT_CACHE since it's not an issue if two clients are instantiated and ApiResult is not Cloneable so it would be kind of a pain to replace.

The capacity is a bit random just though it was better not to let it unbounded and the 30s should be way enough to handle any concurrent calls without keeping it around too long which would negate the utility of rolling tokens.

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/dani-garcia/vaultwarden/pull/6866 **Author:** [@Timshel](https://github.com/Timshel) **Created:** 2/23/2026 **Status:** 🔄 Open **Base:** `main` ← **Head:** `fix/refresh_token` --- ### 📝 Commits (1) - [`5b8fbd7`](https://github.com/dani-garcia/vaultwarden/commit/5b8fbd730aa61ca65ce02fb43dce8158b62264ee) Add 30s cache to SSO exchange_refresh_token ### 📊 Changes **3 files changed** (+37 additions, -138 deletions) <details> <summary>View changed files</summary> 📝 `Cargo.lock` (+6 -119) 📝 `Cargo.toml` (+1 -1) 📝 `src/sso_client.rs` (+30 -18) </details> ### 📄 Description This add a cache to the `refresh_token` endpoint to prevent calling a provider twice with the same token (some providers prevent reuse). I contributed a patch to the clients to prevent the issue https://github.com/bitwarden/clients/pull/10799. But it appears some users still have issues: Ex: https://github.com/dani-garcia/vaultwarden/issues/6311#issuecomment-3775829084. Looking at the client code I couldn't identify how to reproduce the issue :(. But at the same time the fix is relatively trivial, so I believe it's worth to integrate it (Only issue I could see is it'won't work in multinode setup unless some affinity is set at the loadbalancer). Switched to `Moka` to be able to use `get_with`. Did not change the current `CLIENT_CACHE` since it's not an issue if two clients are instantiated and `ApiResult` is not Cloneable so it would be kind of a pain to replace. The capacity is a bit random just though it was better not to let it unbounded and the 30s should be way enough to handle any concurrent calls without keeping it around too long which would negate the utility of rolling tokens. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>