[GH-ISSUE #6465] Authentik session time limited to access token lifetime #11254

Closed
opened 2026-04-20 14:48:21 -05:00 by GiteaMirror · 2 comments

Originally created by @controlaltnerd on GitHub (Nov 13, 2025).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/6465

Prerequisites

Vaultwarden Support String

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.34.3-2ee40d61
  • Web-vault version: v2025.10.1
  • OS/Arch: linux/x86_64
  • Running within a container: true (Base: Debian)
  • Database type: SQLite
  • Database version: 3.50.2
  • Uses config.json: true
  • Uses a reverse proxy: true
  • IP Header check: true (X-Real-IP)
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • Browser/Server Time Check: true
  • Server/NTP Time Check: true
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Websocket Check: true
  • HTTP Response Checks: true

Config & Details (Generated via diagnostics page)


Environment settings which are overridden: DOMAIN, ADMIN_TOKEN, SSO_ENABLED, SSO_CLIENT_ID, SSO_CLIENT_SECRET, SSO_AUTHORITY, SSO_AUTH_ONLY_NOT_SESSION

Config:

{
  "_duo_akey": null,
  "_enable_duo": false,
  "_enable_email_2fa": false,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "***:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_idle_timeout": 600,
  "database_max_conns": 10,
  "database_min_conns": 2,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://**********************",
  "domain_origin": "*****://**********************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": false,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "CK Cloud Services",
  "invitations_allowed": false,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": false,
  "password_iterations": 600000,
  "purge_incomplete_sso_nonce": "0 20 0 * * *",
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "******************************",
  "smtp_from_name": "***********",
  "smtp_host": "***********************",
  "smtp_password": "***",
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "******************************",
  "sso_allow_unknown_email_verification": false,
  "sso_audience_trusted": null,
  "sso_auth_only_not_session": false,
  "sso_authority": "*****://*************************************************",
  "sso_authorize_extra_params": "",
  "sso_callback_path": "*****://***************************************************",
  "sso_client_cache_expiration": 0,
  "sso_client_id": "****************************************",
  "sso_client_secret": "***",
  "sso_debug_tokens": false,
  "sso_enabled": true,
  "sso_master_password_policy": null,
  "sso_only": true,
  "sso_pkce": true,
  "sso_scopes": "email profile",
  "sso_signups_match_email": true,
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Vaultwarden Build Version

1.34.3-2ee40d61

Deployment method

Official Container Image

Custom deployment method

No response

Reverse Proxy

traefik 2.11

Host/Server Operating System

Linux

Operating System Version

Ubuntu 22.04.1

Clients

Web Vault, Browser Extension

Client Version

Chrome, Brave - v2025.10.1

Steps To Reproduce

  1. Set access token expiration to 10-20 minutes for ease of reproduction
  2. Set refresh token to a much longer time, say 30 days
  3. Sign in to Vaultwarden instance with Authentik SSO
  4. Wait for a period equal to the access token's expiration time

Expected Result

Nothing should happen, and vault access should continue to be allowed (may require re-entering master password depending on whether testing via web or browser extension, and based on Vaultwarden config)

Actual Result

Session expires and SSO login is required again. The logs state that the access token is close to expiration but there is no refresh token, while at the same time I can observe the refresh token in the browser and can verify with a JWT inspector that its contents are valid and differ from those of the access token (other issues have noted that the two can end up identical).

In my testing I've set access tokens to 10 minutes for expiration, to comply with the documentation indicating that 5 minutes is problematic. Refresh tokens are set to 30-day expiration.

I've also tested with SSO_AUTH_ONLY_NOT_SESSION set to both true and false, and it has no impact on the result. My best guess at the moment is that somehow the access token is being used in place of the refresh token. This seems similar to #6311 but different enough to warrant a new issue.

Logs

[2025-11-13 02:30:33.595][request][INFO] POST /identity/connect/token
[2025-11-13 02:30:33.596][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Access token is close to expiration but we have no refresh token
[2025-11-13 02:30:33.596][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized
[2025-11-13 02:30:33.702][vaultwarden::api::notifications][INFO] Closing WS connection from XXX.XXX.XXX.XXX
[2025-11-13 02:30:34.004][request][INFO] GET /api/devices/knowndevice
[2025-11-13 02:30:34.005][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK

Screenshots or Videos

Screenshot showing refresh token exists at the time a session expires:
Image

Additional Context

No response

Originally created by @controlaltnerd on GitHub (Nov 13, 2025). Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/6465 ### Prerequisites - [x] I have searched the existing **Closed _AND_ Open** [Issues](https://github.com/dani-garcia/vaultwarden/issues?q=is%3Aissue%20) **_AND_** [Discussions](https://github.com/dani-garcia/vaultwarden/discussions?discussions_q=) - [x] I have searched and read the [documentation](https://github.com/dani-garcia/vaultwarden/wiki/) ### Vaultwarden Support String ### Your environment (Generated via diagnostics page) * Vaultwarden version: v1.34.3-2ee40d61 * Web-vault version: v2025.10.1 * OS/Arch: linux/x86_64 * Running within a container: true (Base: Debian) * Database type: SQLite * Database version: 3.50.2 * Uses config.json: true * Uses a reverse proxy: true * IP Header check: true (X-Real-IP) * Internet access: true * Internet access via a proxy: false * DNS Check: true * Browser/Server Time Check: true * Server/NTP Time Check: true * Domain Configuration Check: true * HTTPS Check: true * Websocket Check: true * HTTP Response Checks: true ### Config & Details (Generated via diagnostics page) <details><summary>Show Config & Details</summary> **Environment settings which are overridden:** DOMAIN, ADMIN_TOKEN, SSO_ENABLED, SSO_CLIENT_ID, SSO_CLIENT_SECRET, SSO_AUTHORITY, SSO_AUTH_ONLY_NOT_SESSION **Config:** ```json { "_duo_akey": null, "_enable_duo": false, "_enable_email_2fa": false, "_enable_smtp": true, "_enable_yubico": true, "_icon_service_csp": "", "_icon_service_url": "", "_ip_header_enabled": true, "_max_note_size": 10000, "_smtp_img_src": "***:", "admin_ratelimit_max_burst": 3, "admin_ratelimit_seconds": 300, "admin_session_lifetime": 20, "admin_token": "***", "allowed_connect_src": "", "allowed_iframe_ancestors": "", "attachments_folder": "data/attachments", "auth_request_purge_schedule": "30 * * * * *", "authenticator_disable_time_drift": false, "data_folder": "data", "database_conn_init": "", 
"database_idle_timeout": 600, "database_max_conns": 10, "database_min_conns": 2, "database_timeout": 30, "database_url": "***************", "db_connection_retries": 15, "disable_2fa_remember": false, "disable_admin_token": false, "disable_icon_download": false, "domain": "*****://**********************", "domain_origin": "*****://**********************", "domain_path": "", "domain_set": true, "duo_context_purge_schedule": "30 * * * * *", "duo_host": null, "duo_ikey": null, "duo_skey": null, "duo_use_iframe": false, "email_2fa_auto_fallback": false, "email_2fa_enforce_on_verified_invite": false, "email_attempts_limit": 3, "email_change_allowed": false, "email_expiration_time": 600, "email_token_size": 6, "emergency_access_allowed": true, "emergency_notification_reminder_schedule": "0 3 * * * *", "emergency_request_timeout_schedule": "0 7 * * * *", "enable_db_wal": true, "enable_websocket": true, "enforce_single_org_with_reset_pw_policy": false, "event_cleanup_schedule": "0 10 0 * * *", "events_days_retain": null, "experimental_client_feature_flags": "", "extended_logging": true, "helo_name": null, "hibp_api_key": null, "http_request_block_non_global_ips": true, "http_request_block_regex": null, "icon_blacklist_non_global_ips": true, "icon_blacklist_regex": null, "icon_cache_folder": "data/icon_cache", "icon_cache_negttl": 259200, "icon_cache_ttl": 2592000, "icon_download_timeout": 10, "icon_redirect_code": 302, "icon_service": "internal", "incomplete_2fa_schedule": "30 * * * * *", "incomplete_2fa_time_limit": 3, "increase_note_size_limit": false, "invitation_expiration_hours": 120, "invitation_org_name": "CK Cloud Services", "invitations_allowed": false, "ip_header": "X-Real-IP", "job_poll_interval_ms": 30000, "log_file": null, "log_level": "info", "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f", "login_ratelimit_max_burst": 10, "login_ratelimit_seconds": 60, "org_attachment_limit": null, "org_creation_users": "", "org_events_enabled": false, "org_groups_enabled": 
false, "password_hints_allowed": false, "password_iterations": 600000, "purge_incomplete_sso_nonce": "0 20 0 * * *", "push_enabled": false, "push_identity_uri": "https://identity.bitwarden.com", "push_installation_id": "***", "push_installation_key": "***", "push_relay_uri": "https://push.bitwarden.com", "reload_templates": false, "require_device_email": false, "rsa_key_filename": "data/rsa_key", "send_purge_schedule": "0 5 * * * *", "sendmail_command": null, "sends_allowed": true, "sends_folder": "data/sends", "show_password_hint": false, "signups_allowed": false, "signups_domains_whitelist": "", "signups_verify": false, "signups_verify_resend_limit": 6, "signups_verify_resend_time": 3600, "smtp_accept_invalid_certs": false, "smtp_accept_invalid_hostnames": false, "smtp_auth_mechanism": null, "smtp_debug": false, "smtp_embed_images": true, "smtp_explicit_tls": null, "smtp_from": "******************************", "smtp_from_name": "***********", "smtp_host": "***********************", "smtp_password": "***", "smtp_port": 587, "smtp_security": "starttls", "smtp_ssl": null, "smtp_timeout": 15, "smtp_username": "******************************", "sso_allow_unknown_email_verification": false, "sso_audience_trusted": null, "sso_auth_only_not_session": false, "sso_authority": "*****://*************************************************", "sso_authorize_extra_params": "", "sso_callback_path": "*****://***************************************************", "sso_client_cache_expiration": 0, "sso_client_id": "****************************************", "sso_client_secret": "***", "sso_debug_tokens": false, "sso_enabled": true, "sso_master_password_policy": null, "sso_only": true, "sso_pkce": true, "sso_scopes": "email profile", "sso_signups_match_email": true, "templates_folder": "data/templates", "tmp_folder": "data/tmp", "trash_auto_delete_days": null, "trash_purge_schedule": "0 5 0 * * *", "use_sendmail": false, "use_syslog": false, "user_attachment_limit": null, 
"user_send_limit": null, "web_vault_enabled": true, "web_vault_folder": "web-vault/", "yubico_client_id": null, "yubico_secret_key": null, "yubico_server": null } ``` </details> ### Vaultwarden Build Version 1.34.3-2ee40d61 ### Deployment method Official Container Image ### Custom deployment method _No response_ ### Reverse Proxy traefik 2.11 ### Host/Server Operating System Linux ### Operating System Version Ubuntu 22.04.1 ### Clients Web Vault, Browser Extension ### Client Version Chrome, Brave - v2025.10.1 ### Steps To Reproduce 1. Set access token expiration to 10-20 minutes for ease of reproduction 2. Set refresh token to a much longer time, say 30 days 3. Sign in to Vaultwarden instance with Authentik SSO 4. Wait for the length of time equivalent to the access token's expiration ### Expected Result Nothing should happen, and vault access should continue to be allowed (may require re-entering master password depending on whether testing via web or browser extension, and based on Vaultwarden config) ### Actual Result Session expires and SSO login is required again. Logs are generated stating that the `access token is close to expiration but we have no refresh token`, while at the same time I can observe the refresh token in the browser and am able to verify with a JWT inspector that its contents are valid and not the same as that of the access token (as I've seen other issues note can happen). In my testing I've set access tokens to 10 minutes for expiration, to comply with the documentation indicating that 5 minutes is problematic. Refresh tokens are set to 30-day expiration. I've also tested with `SSO_AUTH_ONLY_NOT_SESSION` set to both true and false, and it has no impact on the result. My best guess at the moment is that somehow the access token is being used in place of the refresh token. This seems similar to #6311 but different enough to warrant a new issue. 
### Logs ```text [2025-11-13 02:30:33.595][request][INFO] POST /identity/connect/token [2025-11-13 02:30:33.596][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Access token is close to expiration but we have no refresh token [2025-11-13 02:30:33.596][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized [2025-11-13 02:30:33.702][vaultwarden::api::notifications][INFO] Closing WS connection from XXX.XXX.XXX.XXX [2025-11-13 02:30:34.004][request][INFO] GET /api/devices/knowndevice [2025-11-13 02:30:34.005][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK ``` ### Screenshots or Videos Screenshot showing refresh token exists at the time a session expires: <img width="1011" height="281" alt="Image" src="https://github.com/user-attachments/assets/2382e513-51aa-4561-a17b-5e77758d2d3c" /> ### Additional Context _No response_

@Tyris commented on GitHub (Nov 25, 2025):

I was having this exact same issue, but after reviewing documentation, I think this was a configuration issue on my end.

Per https://integrations.goauthentik.io/security/vaultwarden/ (and https://integrations.goauthentik.io/security/vaultwarden/ ):

Starting with version 2024.2, you will need to add the offline_access scope and ensure it's selected in Applications / Providers / Edit / Advanced protocol settings / Scopes (Doc).

Adding the offline_access scope seems to have resolved this (I will keep testing, but it looks good so far).

<!-- gh-comment-id:3573643371 --> @Tyris commented on GitHub (Nov 25, 2025): I was having this exact same issue, but after reviewing documentation, I think this was a configuration issue on my end. Per https://integrations.goauthentik.io/security/vaultwarden/ (and https://integrations.goauthentik.io/security/vaultwarden/ ): > Starting with 2024.2 version you will need to add the offline_access scope and ensure it's selected in Applications / Providers / Edit / Advanced protocol settings / Scopes ([Doc](https://docs.goauthentik.io/docs/providers/oauth2/#authorization_code)). Adding the offline_access seems to have resolved this - (will keep testing, but looks good so far).

@controlaltnerd commented on GitHub (Nov 25, 2025):

@Tyris thanks, this seems to have fixed the issue with Vaultwarden thinking it doesn't have a refresh token. But then I got another error when it was time to refresh:

Failed to decode {IP_ADDRESS} refresh_token: ...
Unable to refresh login credentials: Impossible to read refresh_token: Token has expired

It turned out that I also needed to add offline_access to SSO_SCOPES so that Vaultwarden would request the token correctly (the config dump above shows sso_scopes as "email profile", i.e. without offline_access). After that, I was able to confirm that refreshing works successfully on multiple devices.

Also, I was wrong in my previous assessment of the refresh token. If offline_access isn't added to both Authentik and SSO_SCOPES, Authentik returns the access token wrapped in JSON that makes it look like a refresh token; notably, that wrapper has an access key instead of a refresh key, and its value is equal to the access token itself. I missed that the first time.

Side note: the logging could use some tweaking here, as successful refreshes are accompanied by ERROR-level log lines such as:

[vaultwarden::auth][ERROR] SSO is now required, Login again
[vaultwarden::api::identity][ERROR] Unable to refresh login credentials: SSO is now required, Login again

which are confusing and distracting when looking for an indication of a successful refresh.

<!-- gh-comment-id:3576620942 --> @controlaltnerd commented on GitHub (Nov 25, 2025): @Tyris thanks, this seems to have fixed the issue with Vaultwarden thinking it doesn't have a refresh token. But then I got another error when it was time to refresh: `Failed to decode {IP_ADDRESS} refresh_token: ...` `Unable to refresh login credentials: Impossible to read refresh_token: Token has expired` Turned out that I also needed to add `offline_access` to `SSO_SCOPES` so that Vaultwarden would request the token correctly. After that, I was able to confirm that refreshing works successfully on multiple devices. Also, I was wrong in my previous assessment of the refresh token. If `offline_access` isn't added to both Authentik and `SSO_SCOPES`, Authentik will return the access token wrapped in JSON that makes it look like a refresh token, but notably it will have an `access` key instead of a `refresh` key, with the value equal to that of the access token. I missed that the first time. Side note, logging could probably use some tweaking here, as successful refreshes are accompanied by logs such as: ``` [vaultwarden::auth][ERROR] SSO is now required, Login again [vaultwarden::api::identity][ERROR] Unable to refresh login credentials: SSO is now required, Login again ``` which are confusing/distracting when looking for something indicating a successful refresh.