[PR #6360] [CLOSED] Authentik refresh - Fixes #6311 #8702

Closed
opened 2026-04-16 12:33:54 -05:00 by GiteaMirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/dani-garcia/vaultwarden/pull/6360
Author: @Ajsmith1435
Created: 10/14/2025
Status: Closed

Base: main ← Head: authentik-refresh


📝 Commits (2)

  • e16a242 sso(authentik): always surface current provider refresh token from exchange
  • efa54a4 Update sso.rs - sso(authentik): always adopt rotated provider refresh token to prevent invalid_grant

📊 Changes

2 files changed (+15 additions, -7 deletions)


📝 src/sso.rs (+2 -2)
📝 src/sso_client.rs (+13 -5)

📄 Description

Fix SSO refresh with Authentik by always adopting the IdP’s rotated refresh token, preventing invalid_grant and premature re-login.

Changes
src/sso_client.rs: exchange_refresh_token always returns Some(current_refresh_token) (rotated if provided, else the one just used).
src/sso.rs: remove fallback to old token; pass the returned token directly to create_auth_tokens.

Why?
Authentik revokes the old refresh token on rotation; reusing it triggers invalid_grant. See

Testing
SSO with Authentik → let access token expire → refresh repeatedly. Expect no invalid_grant; rotated token adopted each cycle.

Refs
Fixes #6311


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
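The refresh-token rule the PR description lays out can be seen in isolation with the following Rust model. This is an added example and not code from the PR or from vaultwarden; `RotatingIdp`, `TokenResponse`, `current_refresh_token` and `run_refresh_cycles` are constructed here to stand in for the real `exchange_refresh_token` / `create_auth_tokens` path. The mock IdP rotates the refresh token on every `grant_type=refresh_token` call and revokes the one just presented, which is the Authentik behaviour the description relies on; a client that keeps reusing its original token fails with `invalid_grant` on the second cycle, while a client that always carries forward the current token (rotated if sent, otherwise the one just used, so non-rotating providers still work) survives every cycle.

```rust
use std::collections::HashSet;

/// Minimal model of a token-endpoint response. Only the fields the
/// refresh logic needs are modelled (constructed for this example, not
/// the real `sso_client.rs` types).
#[derive(Debug, Clone)]
pub struct TokenResponse {
    pub access_token: String,
    /// Set when the IdP rotated the refresh token; providers that do not
    /// rotate simply omit the field.
    pub refresh_token: Option<String>,
}

/// The RFC 6749 error an IdP returns for a revoked or unknown refresh token.
#[derive(Debug, PartialEq)]
pub enum TokenError {
    InvalidGrant,
}

/// Toy IdP that rotates refresh tokens and revokes the one just used.
/// Assumption: mirrors the Authentik behaviour the PR describes; it is a mock.
pub struct RotatingIdp {
    valid: HashSet<String>,
    counter: u64,
}

impl RotatingIdp {
    pub fn new(initial_refresh_token: &str) -> Self {
        let mut valid = HashSet::new();
        valid.insert(initial_refresh_token.to_string());
        RotatingIdp { valid, counter: 0 }
    }

    /// grant_type=refresh_token: consumes the presented token, issues a
    /// new access token and a rotated refresh token.
    pub fn refresh(&mut self, refresh_token: &str) -> Result<TokenResponse, TokenError> {
        // Revocation on use: a token that is not (or no longer) valid is rejected.
        if !self.valid.remove(refresh_token) {
            return Err(TokenError::InvalidGrant);
        }
        self.counter += 1;
        let rotated = format!("rt-{}", self.counter);
        self.valid.insert(rotated.clone());
        Ok(TokenResponse {
            access_token: format!("at-{}", self.counter),
            refresh_token: Some(rotated),
        })
    }
}

/// The rule the PR adopts: always carry forward the *current* provider
/// refresh token. Rotated if the IdP sent one, otherwise the one just
/// used, so this never returns a stale token and never returns nothing.
pub fn current_refresh_token(used: &str, resp: &TokenResponse) -> String {
    resp.refresh_token.clone().unwrap_or_else(|| used.to_string())
}

/// Runs `cycles` refreshes against the mock IdP. With `adopt_rotated == true`
/// the client stores what `current_refresh_token` returns each time; with
/// `false` it keeps reusing the token it started with (the pre-fix fallback
/// to the old token). Returns the cycle count on success, or the index of
/// the first failing cycle together with the IdP error.
pub fn run_refresh_cycles(
    idp: &mut RotatingIdp,
    initial: &str,
    cycles: usize,
    adopt_rotated: bool,
) -> Result<usize, (usize, TokenError)> {
    let mut stored = initial.to_string();
    for i in 0..cycles {
        match idp.refresh(&stored) {
            Ok(resp) => {
                if adopt_rotated {
                    stored = current_refresh_token(&stored, &resp);
                }
            }
            Err(e) => return Err((i, e)),
        }
    }
    Ok(cycles)
}

fn main() {
    let mut idp = RotatingIdp::new("rt-0");
    println!("adopt rotated: {:?}", run_refresh_cycles(&mut idp, "rt-0", 5, true));
    let mut idp = RotatingIdp::new("rt-0");
    println!("reuse old:     {:?}", run_refresh_cycles(&mut idp, "rt-0", 5, false));
}
```

The second run shows the exact symptom from the description: the first refresh succeeds and silently rotates the token, so the next refresh with the remembered old token is an `invalid_grant`, which in the real flow surfaces to the user as a forced re-login. Persisting whatever the IdP returns (or, failing that, the token just used) is what makes the loop stable.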

Reference: github-starred/vaultwarden#8702