Vaultwarden Docker file (authentik hosted on the same machine)

```yaml
services:
  vaultwarden:
    image: timshel/vaultwarden:latest
    container_name: vaultwarden
    restart: always
    environment:
      - DOMAIN=https://vaultwarden.domain.name # required when using a reverse proxy; your domain; vaultwarden needs to know it's https to work properly with attachments
      - SIGNUPS_ALLOWED=false # Deactivate this with "false" after you have created your account so that no strangers can register
      - PUSH_ENABLED=true
      - PUSH_INSTALLATION_ID=redacted
      - PUSH_INSTALLATION_KEY=redacted
      - PUSH_RELAY_URI=https://api.bitwarden.eu
      - PUSH_IDENTITY_URI=https://identity.bitwarden.eu
      # Settings
      - SENDS_ALLOWED=false
      - ORG_ATTACHMENT_LIMIT=5000
      - USER_ATTACHMENT_LIMIT=3000
      - INVITATION_ORG_NAME=NAME
      - EMAIL_CHANGE_ALLOWED=false
      - TEMPLATES_FOLDER=data/templates
      # Email Setup
      - SMTP_HOST=mail.domain.name
      - [email protected]
      - SMTP_FROM_NAME=NAME
      - SMTP_PORT=465
      - SMTP_SECURITY=force_tls
      - [email protected]
      - SMTP_PASSWORD=PASSWORD
      # Log Level, standard is info
      - LOG_LEVEL=warn
      - EXTENDED_LOGGING=true
      # SSO Settings
      - SSO_ENABLED=true
      - SSO_ONLY=true
      - SSO_FRONTEND=override
      - SSO_CLIENT_ID=redacted
      - SSO_CLIENT_SECRET=redacted
      - SSO_AUTHORITY=https://authentik.domain.name/application/o/vault/
      - SSO_SCOPES=email profile openid offline_access
      - SSO_PKCE=true
    volumes:
      - ./vw-data:/data # the path before the : can be changed
    ports:
      - 11001:80 # you can replace the 11001 with your preferred port
```
Steps To Reproduce
start and run container with docker compose
Expected Result
a stable connection with browser extensions and apps
Actual Result
I can log in and use all apps and the browser extension, but I am logged out after a random time (there is no pattern, but the session lasts only 1-2 days maximum)
Screenshots or Videos
oidc provider config in authentik
Logs
[2024-08-27 21:29:11.724][request][INFO] GET /alive
[2024-08-27 21:29:11.725][response][INFO] (alive) GET /alive => 200 OK
[2024-08-27 21:29:17.352][request][INFO] POST /identity/connect/token
[2024-08-27 21:29:17.408][reqwest::connect][DEBUG] starting new connection: https://authentik.domain.name/
[2024-08-27 21:29:17.953][request][INFO] POST /identity/connect/token
[2024-08-27 21:29:17.962][reqwest::connect][DEBUG] starting new connection: https://authentik.domain.name/
[2024-08-27 21:29:17.986][reqwest::connect][DEBUG] starting new connection: https://authentik.domain.name/
[2024-08-27 21:29:18.518][reqwest::connect][DEBUG] starting new connection: https://authentik.domain.name/
[2024-08-27 21:29:18.559][reqwest::connect][DEBUG] starting new connection: https://authentik.domain.name/
[2024-08-27 21:29:19.090][vaultwarden::sso][DEBUG] Non jwt refresh_token (expiration set to 1727386159)
[2024-08-27 21:29:19.093][response][INFO] (login) POST /identity/connect/token => 200 OK
[2024-08-27 21:29:19.100][reqwest::connect][DEBUG] starting new connection: https://authentik.domain.name/
[2024-08-27 21:29:19.202][vaultwarden::sso][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None })
[2024-08-27 21:29:19.202][vaultwarden::api::identity][ERROR] {"error":"","errorModel":{"message":"Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some(\"The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client\"), error_uri: None })","object":"error"},"error_description":"","exceptionMessage":null,"exceptionStackTrace":null,"innerExceptionMessage":null,"message":"Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some(\"The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client\"), error_uri: None })","object":"error","validationErrors":{"":["Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some(\"The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client\"), error_uri: None })"]}}
[2024-08-27 21:29:19.203][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized
[2024-08-27 21:29:19.402][request][INFO] POST /identity/connect/token
[2024-08-27 21:29:19.434][reqwest::connect][DEBUG] starting new connection: https://authentik.domain.name/
[2024-08-27 21:29:19.997][reqwest::connect][DEBUG] starting new connection: https://authentik.domain.name/
[2024-08-27 21:29:20.146][request][INFO] GET /api/config/
[2024-08-27 21:29:20.146][response][INFO] (config) GET /api/config => 200 OK
[2024-08-27 21:29:20.525][reqwest::connect][DEBUG] starting new connection: https://authentik.domain.name/
[2024-08-27 21:29:20.539][request][INFO] GET /api/config/
[2024-08-27 21:29:20.539][response][INFO] (config) GET /api/config => 200 OK
[2024-08-27 21:29:20.624][vaultwarden::sso][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"), error_uri: None })
[2024-08-27 21:29:20.625][vaultwarden::api::identity][ERROR] {"error":"","errorModel":{"message":"Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some(\"The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client\"), error_uri: None })","object":"error"},"error_description":"","exceptionMessage":null,"exceptionStackTrace":null,"innerExceptionMessage":null,"message":"Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some(\"The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client\"), error_uri: None })","object":"error","validationErrors":{"":["Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some(\"The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client\"), error_uri: None })"]}}
[2024-08-27 21:29:20.625][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized
[2024-08-27 21:29:20.898][request][INFO] GET /api/config/
[2024-08-27 21:29:20.898][response][INFO] (config) GET /api/config => 200 OK
Additional Context
No response
Host/Server Operating System
Linux
Operating System Version
Ubuntu 20.04
Deployment method
Official Container Image
Custom deployment method
No response
Vaultwarden Build Version
1.32.0-2
Clients
Browser Extension, Android
Client Version
2024.8.0
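The log excerpt above carries the whole diagnosis: two POST /identity/connect/token requests start within a second of each other, the first is answered 200 and the second 401 invalid_grant. The following is an added example, not code from the issue, Vaultwarden or the reporter, that parses Vaultwarden's [timestamp][target][LEVEL] log lines and flags exactly that pattern so an operator can confirm a concurrent-refresh race from logs alone. The sample lines are copied from the issue; the assumption that responses are logged in the same order as their requests is the example's own and should be checked on busy hosts.

```python
"""Spot the concurrent-refresh pattern in Vaultwarden request logs.

Added example, not part of the issue or of Vaultwarden. A second
POST /identity/connect/token that starts while the previous one is still
unanswered, and is then rejected with 401, is the signature of a single-use
(rotated) refresh token being presented twice.
"""
import re
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[(?P<target>[^\]]+)\]\[(?P<level>[A-Z]+)\] (?P<msg>.*)$"
)
TOKEN_PATH = "/identity/connect/token"

# Sample lines copied from the issue's log block.
SAMPLE_LOG = """\
[2024-08-27 21:29:11.724][request][INFO] GET /alive
[2024-08-27 21:29:11.725][response][INFO] (alive) GET /alive => 200 OK
[2024-08-27 21:29:17.352][request][INFO] POST /identity/connect/token
[2024-08-27 21:29:17.408][reqwest::connect][DEBUG] starting new connection: https://authentik.domain.name/
[2024-08-27 21:29:17.953][request][INFO] POST /identity/connect/token
[2024-08-27 21:29:19.093][response][INFO] (login) POST /identity/connect/token => 200 OK
[2024-08-27 21:29:19.203][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized
[2024-08-27 21:29:19.402][request][INFO] POST /identity/connect/token
[2024-08-27 21:29:20.146][request][INFO] GET /api/config/
[2024-08-27 21:29:20.146][response][INFO] (config) GET /api/config => 200 OK
[2024-08-27 21:29:20.625][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized
"""


def parse(text):
    """Return (timestamp, target, message) for every well-formed log line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            events.append((ts, m["target"], m["msg"]))
    return events


def find_refresh_races(text):
    """Return one record per pair of token exchanges where the second request
    started before the first was answered and was itself answered 401.

    Assumption (this example's, not Vaultwarden's guarantee): responses to
    the token endpoint are logged in the same order as their requests.
    """
    events = parse(text)
    reqs = [ts for ts, tgt, msg in events
            if tgt == "request" and msg == f"POST {TOKEN_PATH}"]
    resps = [(ts, msg) for ts, tgt, msg in events
             if tgt == "response" and TOKEN_PATH in msg]
    pairs = list(zip(reqs, resps))
    ms = timedelta(milliseconds=1)
    races = []
    for (req_a, (resp_a, _)), (req_b, (_, msg_b)) in zip(pairs, pairs[1:]):
        overlapping = req_b < resp_a          # second started while first in flight
        if overlapping and "401" in msg_b:
            races.append({
                "first_started": req_a.isoformat(sep=" ", timespec="milliseconds"),
                "second_started": req_b.isoformat(sep=" ", timespec="milliseconds"),
                "gap_ms": (req_b - req_a) // ms,      # how close the two starts were
                "overlap_ms": (resp_a - req_b) // ms,  # how long both were in flight
            })
    return races


if __name__ == "__main__":
    for r in find_refresh_races(SAMPLE_LOG):
        print(f"concurrent refresh: second request started {r['gap_ms']} ms after "
              f"the first and {r['overlap_ms']} ms before it was answered -> 401")
```

The third token request at 21:29:19.402 is not flagged: it starts after the second one was already answered, so it is a plain retry with the now-burnt token rather than part of the race.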
Erf, looks like a case of the client sending two requests to refresh the token at the same time :( :
[2024-08-27 21:29:17.352][request][INFO] POST /identity/connect/token
[2024-08-27 21:29:17.953][request][INFO] POST /identity/connect/token
[2024-08-27 21:29:19.093][response][INFO] (login) POST /identity/connect/token => 200 OK
[2024-08-27 21:29:19.203][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized
The first one goes through ok but the second one fails since the token has already been exchanged once :(.
Had to revert some code which invalidated the refresh token for the default Vaultwarden session handling.
Will look again at the client, but outside the web-vault, I can't distribute a fix so would have to wait for a PR to be merged (which can take quite a bit of time if it's even accepted).
In the meantime, unless there is some setting that could allow Authentik to accept the refresh_token a second time for a short period of time, the only solution I can propose is to activate SSO_AUTH_ONLY_NOT_SESSION, which will fall back to the default Vaultwarden session (the refresh_token will have a 30-day idle expiration time).
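The mechanism behind the comment above, as an added example that is neither the issue's, Vaultwarden's nor Authentik's code: a toy OIDC provider with refresh-token rotation (each refresh_token can be exchanged exactly once, which is the behaviour the 401 invalid_grant in the log implies), the two-requests-same-token pattern that produces one 200 and one 401, and a hypothetical client-side "single flight" guard that lets concurrent callers share one refresh instead of each presenting the same token. The provider, the class names and the guard are this example's own assumptions; they do not reproduce Authentik's or the Bitwarden clients' implementation.

```python
"""Single-use refresh tokens: why a second concurrent refresh gets 401.

Added example, not code from the issue, Vaultwarden, Authentik or the
Bitwarden clients. RotatingTokenProvider and SingleFlightRefresher are
hypothetical models built for illustration.
"""
import secrets
import threading


class RotatingTokenProvider:
    """Toy IdP with refresh-token rotation: a refresh_token is valid for
    exactly one exchange, after which only its replacement is accepted."""

    def __init__(self):
        self._lock = threading.Lock()
        self._valid = set()
        self.exchanges = 0
        self.rejections = 0

    def issue(self):
        rt = secrets.token_urlsafe(16)
        with self._lock:
            self._valid.add(rt)
        return rt

    def exchange(self, refresh_token):
        """Return (access_token, new_refresh_token) or raise invalid_grant."""
        with self._lock:
            if refresh_token not in self._valid:
                self.rejections += 1
                raise PermissionError("invalid_grant")
            self._valid.discard(refresh_token)  # rotation: the old token is burnt
            self.exchanges += 1
            new_rt = secrets.token_urlsafe(16)
            self._valid.add(new_rt)
            return secrets.token_urlsafe(16), new_rt


def naive_double_refresh(idp, refresh_token):
    """What the issue's log shows: two requests carrying the same
    refresh_token. The first is honoured, the second is rejected."""
    outcomes = []
    for _ in range(2):
        try:
            idp.exchange(refresh_token)
            outcomes.append("200 OK")
        except PermissionError:
            outcomes.append("401 invalid_grant")
    return outcomes


class SingleFlightRefresher:
    """Client-side mitigation: at most one refresh in flight. Callers that
    arrive while it runs wait for it and share its result instead of
    re-sending the refresh_token the leader is about to burn."""

    def __init__(self, idp, refresh_token):
        self._idp = idp
        self._refresh_token = refresh_token
        self._lock = threading.Lock()
        self._inflight = None  # [done_event, access_token, error]

    def refresh(self):
        with self._lock:
            leader = self._inflight is None
            if leader:
                self._inflight = [threading.Event(), None, None]
            entry = self._inflight
        if leader:
            try:
                access, new_rt = self._idp.exchange(self._refresh_token)
                self._refresh_token = new_rt  # store the rotated token for next time
                entry[1] = access
            except PermissionError as exc:
                entry[2] = exc
            finally:
                with self._lock:
                    self._inflight = None
                entry[0].set()
        else:
            entry[0].wait()
        if entry[2] is not None:
            raise entry[2]
        return entry[1]


def single_flight_double_refresh(idp, refresh_token):
    """Two threads refresh simultaneously through the guard; both succeed,
    whether the second joins the first's flight or runs after it with the
    already-rotated token."""
    client = SingleFlightRefresher(idp, refresh_token)
    results = [None, None]

    def worker(i):
        results[i] = client.refresh()

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(2)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results
```

The guard only helps within one process; two separate clients (a browser extension and a phone app) holding the same refresh_token still race, which is why the fallback the comment names, SSO_AUTH_ONLY_NOT_SESSION, side-steps the problem by not tying the Vaultwarden session to the IdP's rotated token at all.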
thank you for your quick and detailed answer (and thank you for all the work on OIDC and vaultwarden!)
Sadly there is no config in authentik to accept the refresh token a second time, but thanks for the tip about SSO_AUTH_ONLY_NOT_SESSION, that's a good workaround 💪