[GH-ISSUE #7060] Clients not asked to re-authenticate with expired refresh_token #11413

Closed
opened 2026-04-20 15:01:31 -05:00 by GiteaMirror · 0 comments
Owner

Originally created by @tycho on GitHub (Apr 6, 2026).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/7060

Prerequisites

Vaultwarden Support String

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.35.4
  • Web-vault version: v2026.2.0p0
  • OS/Arch: linux/x86_64
  • Running within a container: false (Base: Not applicable)
  • Database type: MySQL
  • Database version: 12.2.2-MariaDB
  • Uses config.json: false
  • Uses a reverse proxy: true
  • IP Header check: true (X-Real-IP)
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • Browser/Server Time Check: true
  • Server/NTP Time Check: true
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Websocket Check: true
  • HTTP Response Checks: true

Config & Details (Generated via diagnostics page)

Show Config & Details

Config:

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "***:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "*****://********************",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "/var/lib/vaultwarden/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "/var/lib/vaultwarden",
  "database_conn_init": "",
  "database_idle_timeout": 600,
  "database_max_conns": 10,
  "database_min_conns": 2,
  "database_timeout": 30,
  "database_url": "*****://********************************************************************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "dns_prefer_ipv6": false,
  "domain": "*****://************************",
  "domain_origin": "*****://************************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": "api-a6b42b78.duosecurity.com",
  "duo_ikey": "DIURQA79LG78Q0WZ8BZJ",
  "duo_skey": "***",
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "inline-menu-positioning-improvements,inline-menu-totp,ssh-agent,ssh-key-vault-item,export-attachments,anon-addy-self-host-alias,simple-login-self-host-alias,mutual-tls",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": "***",
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "/var/lib/vaultwarden/icon_cache",
  "icon_cache_negttl": 1209600,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": "/var/lib/vaultwarden/bitwarden.log",
  "log_level": "info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "purge_incomplete_sso_auth": "0 20 0 * * *",
  "push_enabled": true,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "/var/lib/vaultwarden/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "/var/lib/vaultwarden/sends",
  "show_password_hint": false,
  "signups_allowed": true,
  "signups_domains_whitelist": "",
  "signups_verify": true,
  "signups_verify_resend_limit": 3,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "**********************",
  "smtp_from_name": "*********",
  "smtp_host": "**********************************",
  "smtp_password": "***",
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "********************",
  "sso_allow_unknown_email_verification": false,
  "sso_audience_trusted": null,
  "sso_auth_only_not_session": false,
  "sso_authority": "",
  "sso_authorize_extra_params": "",
  "sso_callback_path": "*****://*****************************************************",
  "sso_client_cache_expiration": 0,
  "sso_client_id": "",
  "sso_client_secret": "***",
  "sso_debug_tokens": false,
  "sso_enabled": false,
  "sso_master_password_policy": null,
  "sso_only": false,
  "sso_pkce": true,
  "sso_scopes": "email profile",
  "sso_signups_match_email": true,
  "templates_folder": "/var/lib/vaultwarden/data/templates",
  "tmp_folder": "/var/lib/vaultwarden/data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "/usr/share/webapps/vaultwarden-web",
  "yubico_client_id": "29752",
  "yubico_secret_key": "***",
  "yubico_server": null
}

Vaultwarden Build Version

1.35.4-1 (Arch Linux package)

Deployment method

OS Package (apt, yum/dnf, pacman, apk, nix, ...)

Custom deployment method

No response

Reverse Proxy

nginx 1.29.7

Host/Server Operating System

Linux

Operating System Version

Arch Linux, 6.18.20

Clients

Desktop, Browser Extension

Client Version

2026.2.0

Steps To Reproduce

  1. Log in on a client (desktop, browser extension, etc)
  2. Force session to expire, or naturally let it expire (due to timeout)
  3. Attempt to sync vault on client, or attempt to edit vault contents on client

Expected Result

I would expect the client to recognize that the session is no longer valid and prompt for re-authentication.

Actual Result

The client does not recognize that a re-authentication is necessary.
The client silently stops syncing the vault with the server. Explicit refresh attempts yield cryptic error messages.
The client fails to write to vault entries, giving cryptic error messages.

All of the above end up confusing end users, who can't tell when their session is still valid because the client doesn't give them a clear indication that their session validity has expired.

Logs

[2026-04-06 16:03:33.987][request][INFO] POST /identity/connect/token
[2026-04-06 16:03:33.988][vaultwarden::auth][ERROR] Token has expired
[2026-04-06 16:03:33.988][vaultwarden::auth][ERROR] Failed to decode <redacted> refresh_token: <redacted>: Token has expired
[2026-04-06 16:03:33.988][vaultwarden::auth][ERROR] Invalid refresh token
[2026-04-06 16:03:33.988][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Invalid refresh token
[2026-04-06 16:03:33.988][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized
[2026-04-06 16:03:56.330][request][INFO] GET /api/accounts/profile
[2026-04-06 16:03:56.330][request][INFO] GET /api/config
[2026-04-06 16:03:56.330][request][INFO] GET /api/accounts/profile
[2026-04-06 16:03:56.330][response][INFO] (config) GET /api/config => 200 OK
[2026-04-06 16:03:56.331][response][INFO] (profile) GET /api/accounts/profile => 200 OK
[2026-04-06 16:03:56.331][response][INFO] (profile) GET /api/accounts/profile => 200 OK
[2026-04-06 16:04:17.378][request][INFO] POST /identity/connect/token
[2026-04-06 16:04:17.378][vaultwarden::auth][ERROR] Token has expired
[2026-04-06 16:04:17.378][vaultwarden::auth][ERROR] Failed to decode <redacted> refresh_token: <redacted>: Token has expired
[2026-04-06 16:04:17.378][vaultwarden::auth][ERROR] Invalid refresh token
[2026-04-06 16:04:17.378][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Invalid refresh token
[2026-04-06 16:04:17.378][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized
[2026-04-06 16:04:27.902][request][INFO] POST /identity/connect/token
[2026-04-06 16:04:27.903][vaultwarden::auth][ERROR] Token has expired

Screenshots or Videos

No response

Additional Context

It seems possible that the re-authorization workflow is being handled incorrectly somehow:

69f9c7d30d/libs/common/src/services/api.service.spec.ts (L453)

Clients expect "invalid_grant" in the response for expired tokens, which may be what's missing:

69f9c7d30d/libs/common/src/services/api.service.ts (L1786-L1797)

Originally created by @tycho on GitHub (Apr 6, 2026). Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/7060 ### Prerequisites - [x] I have searched the existing **Closed _AND_ Open** [Issues](https://github.com/dani-garcia/vaultwarden/issues?q=is%3Aissue%20) **_AND_** [Discussions](https://github.com/dani-garcia/vaultwarden/discussions?discussions_q=) - [x] I have searched and read the [documentation](https://github.com/dani-garcia/vaultwarden/wiki/) ### Vaultwarden Support String ### Your environment (Generated via diagnostics page) * Vaultwarden version: v1.35.4 * Web-vault version: v2026.2.0p0 * OS/Arch: linux/x86_64 * Running within a container: false (Base: Not applicable) * Database type: MySQL * Database version: 12.2.2-MariaDB * Uses config.json: false * Uses a reverse proxy: true * IP Header check: true (X-Real-IP) * Internet access: true * Internet access via a proxy: false * DNS Check: true * Browser/Server Time Check: true * Server/NTP Time Check: true * Domain Configuration Check: true * HTTPS Check: true * Websocket Check: true * HTTP Response Checks: true ### Config & Details (Generated via diagnostics page) <details><summary>Show Config & Details</summary> **Config:** ```json { "_duo_akey": null, "_enable_duo": true, "_enable_email_2fa": true, "_enable_smtp": true, "_enable_yubico": true, "_icon_service_csp": "", "_icon_service_url": "", "_ip_header_enabled": true, "_max_note_size": 10000, "_smtp_img_src": "***:", "admin_ratelimit_max_burst": 3, "admin_ratelimit_seconds": 300, "admin_session_lifetime": 20, "admin_token": "***", "allowed_connect_src": "*****://********************", "allowed_iframe_ancestors": "", "attachments_folder": "/var/lib/vaultwarden/attachments", "auth_request_purge_schedule": "30 * * * * *", "authenticator_disable_time_drift": false, "data_folder": "/var/lib/vaultwarden", "database_conn_init": "", "database_idle_timeout": 600, "database_max_conns": 10, "database_min_conns": 2, "database_timeout": 30, "database_url": "*****://********************************************************************", "db_connection_retries": 15, "disable_2fa_remember": false, "disable_admin_token": false, "disable_icon_download": false, "dns_prefer_ipv6": false, "domain": "*****://************************", "domain_origin": "*****://************************", "domain_path": "", "domain_set": true, "duo_context_purge_schedule": "30 * * * * *", "duo_host": "api-a6b42b78.duosecurity.com", "duo_ikey": "DIURQA79LG78Q0WZ8BZJ", "duo_skey": "***", "duo_use_iframe": false, "email_2fa_auto_fallback": false, "email_2fa_enforce_on_verified_invite": false, "email_attempts_limit": 3, "email_change_allowed": true, "email_expiration_time": 600, "email_token_size": 6, "emergency_access_allowed": true, "emergency_notification_reminder_schedule": "0 3 * * * *", "emergency_request_timeout_schedule": "0 7 * * * *", "enable_db_wal": true, "enable_websocket": true, "enforce_single_org_with_reset_pw_policy": false, "event_cleanup_schedule": "0 10 0 * * *", "events_days_retain": null, "experimental_client_feature_flags": "inline-menu-positioning-improvements,inline-menu-totp,ssh-agent,ssh-key-vault-item,export-attachments,anon-addy-self-host-alias,simple-login-self-host-alias,mutual-tls", "extended_logging": true, "helo_name": null, "hibp_api_key": "***", "http_request_block_non_global_ips": true, "http_request_block_regex": null, "icon_blacklist_non_global_ips": true, "icon_blacklist_regex": null, "icon_cache_folder": "/var/lib/vaultwarden/icon_cache", "icon_cache_negttl": 1209600, "icon_cache_ttl": 2592000, "icon_download_timeout": 10, "icon_redirect_code": 302, "icon_service": "internal", "incomplete_2fa_schedule": "30 * * * * *", "incomplete_2fa_time_limit": 3, "increase_note_size_limit": false, "invitation_expiration_hours": 120, "invitation_org_name": "Vaultwarden", "invitations_allowed": true, "ip_header": "X-Real-IP", "job_poll_interval_ms": 30000, "log_file": "/var/lib/vaultwarden/bitwarden.log", "log_level": "info", "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f", "login_ratelimit_max_burst": 10, "login_ratelimit_seconds": 60, "org_attachment_limit": null, "org_creation_users": "", "org_events_enabled": false, "org_groups_enabled": false, "password_hints_allowed": true, "password_iterations": 600000, "purge_incomplete_sso_auth": "0 20 0 * * *", "push_enabled": true, "push_identity_uri": "https://identity.bitwarden.com", "push_installation_id": "***", "push_installation_key": "***", "push_relay_uri": "https://push.bitwarden.com", "reload_templates": false, "require_device_email": false, "rsa_key_filename": "/var/lib/vaultwarden/rsa_key", "send_purge_schedule": "0 5 * * * *", "sendmail_command": null, "sends_allowed": true, "sends_folder": "/var/lib/vaultwarden/sends", "show_password_hint": false, "signups_allowed": true, "signups_domains_whitelist": "", "signups_verify": true, "signups_verify_resend_limit": 3, "signups_verify_resend_time": 3600, "smtp_accept_invalid_certs": false, "smtp_accept_invalid_hostnames": false, "smtp_auth_mechanism": null, "smtp_debug": false, "smtp_embed_images": true, "smtp_explicit_tls": null, "smtp_from": "**********************", "smtp_from_name": "*********", "smtp_host": "**********************************", "smtp_password": "***", "smtp_port": 587, "smtp_security": "starttls", "smtp_ssl": null, "smtp_timeout": 15, "smtp_username": "********************", "sso_allow_unknown_email_verification": false, "sso_audience_trusted": null, "sso_auth_only_not_session": false, "sso_authority": "", "sso_authorize_extra_params": "", "sso_callback_path": "*****://*****************************************************", "sso_client_cache_expiration": 0, "sso_client_id": "", "sso_client_secret": "***", "sso_debug_tokens": false, "sso_enabled": false, "sso_master_password_policy": null, "sso_only": false, "sso_pkce": true, "sso_scopes": "email profile", "sso_signups_match_email": true, "templates_folder": "/var/lib/vaultwarden/data/templates", "tmp_folder": "/var/lib/vaultwarden/data/tmp", "trash_auto_delete_days": null, "trash_purge_schedule": "0 5 0 * * *", "use_sendmail": false, "use_syslog": false, "user_attachment_limit": null, "user_send_limit": null, "web_vault_enabled": true, "web_vault_folder": "/usr/share/webapps/vaultwarden-web", "yubico_client_id": "29752", "yubico_secret_key": "***", "yubico_server": null } ``` </details> ### Vaultwarden Build Version 1.35.4-1 (Arch Linux package) ### Deployment method OS Package (apt, yum/dnf, pacman, apk, nix, ...) ### Custom deployment method _No response_ ### Reverse Proxy nginx 1.29.7 ### Host/Server Operating System Linux ### Operating System Version Arch Linux, 6.18.20 ### Clients Desktop, Browser Extension ### Client Version 2026.2.0 ### Steps To Reproduce 1. Log in on a client (desktop, browser extension, etc) 2. Force session to expire, or naturally let it expire (due to timeout) 3. Attempt to sync vault on client, or attempt to edit vault contents on client ### Expected Result I would expect the client to recognize that the session is no longer valid and prompt for re-authentication. ### Actual Result The client does not recognize that a re-authentication is necessary. The client silently stops syncing the vault with the server. Explicit refresh attempts yield cryptic error messages. The client fails to write to vault entries, giving cryptic error messages. All of the above end up confusing end users, who can't tell when their session is still valid because the client doesn't give them a clear indication that their session validity has expired. ### Logs ```text [2026-04-06 16:03:33.987][request][INFO] POST /identity/connect/token [2026-04-06 16:03:33.988][vaultwarden::auth][ERROR] Token has expired [2026-04-06 16:03:33.988][vaultwarden::auth][ERROR] Failed to decode <redacted> refresh_token: <redacted>: Token has expired [2026-04-06 16:03:33.988][vaultwarden::auth][ERROR] Invalid refresh token [2026-04-06 16:03:33.988][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Invalid refresh token [2026-04-06 16:03:33.988][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized [2026-04-06 16:03:56.330][request][INFO] GET /api/accounts/profile [2026-04-06 16:03:56.330][request][INFO] GET /api/config [2026-04-06 16:03:56.330][request][INFO] GET /api/accounts/profile [2026-04-06 16:03:56.330][response][INFO] (config) GET /api/config => 200 OK [2026-04-06 16:03:56.331][response][INFO] (profile) GET /api/accounts/profile => 200 OK [2026-04-06 16:03:56.331][response][INFO] (profile) GET /api/accounts/profile => 200 OK [2026-04-06 16:04:17.378][request][INFO] POST /identity/connect/token [2026-04-06 16:04:17.378][vaultwarden::auth][ERROR] Token has expired [2026-04-06 16:04:17.378][vaultwarden::auth][ERROR] Failed to decode <redacted> refresh_token: <redacted>: Token has expired [2026-04-06 16:04:17.378][vaultwarden::auth][ERROR] Invalid refresh token [2026-04-06 16:04:17.378][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Invalid refresh token [2026-04-06 16:04:17.378][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized [2026-04-06 16:04:27.902][request][INFO] POST /identity/connect/token [2026-04-06 16:04:27.903][vaultwarden::auth][ERROR] Token has expired ``` ### Screenshots or Videos _No response_ ### Additional Context It seems possible that the re-authorization workflow is being handled incorrectly somehow: https://github.com/bitwarden/clients/blob/69f9c7d30dd4e013101667ac7f79f0e68e6bd122/libs/common/src/services/api.service.spec.ts#L453 Clients expect "invalid_grant" in the response for expired tokens, which may be what's missing: https://github.com/bitwarden/clients/blob/69f9c7d30dd4e013101667ac7f79f0e68e6bd122/libs/common/src/services/api.service.ts#L1786-L1797
GiteaMirror added the bug label 2026-04-20 15:01:31 -05:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/vaultwarden#11413