Update sso.rs - sso(authentik): always adopt rotated provider refresh token to prevent invalid_grant

Ensures Vaultwarden immediately switches to the IdP’s latest provider refresh token after each refresh, preventing reuse of a revoked token and eliminating `invalid_grant` errors that prematurely log users out.
pull/6360/head
Alex Smith 3 days ago
committed by GitHub
parent
commit
efa54a419b
No known key found for this signature in database GPG Key ID: B5690EEEBB952194

4
src/sso.rs

@ -424,13 +424,13 @@ pub async fn exchange_refresh_token(
Some(TokenWrapper::Refresh(refresh_token)) => {
// Use new refresh_token if returned
let (new_refresh_token, access_token, expires_in) =
Client::exchange_refresh_token(refresh_token.clone()).await?;
Client::exchange_refresh_token(refresh_token).await?;
create_auth_tokens(
device,
user,
client_id,
new_refresh_token.or(Some(refresh_token)),
new_refresh_token,
access_token,
expires_in,
)
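Review bot: At the `create_auth_tokens(...)` call, passing `new_refresh_token` alone drops the fallback to the current token, so a refresh response that carries no new refresh token hands `None` to this call. The diff markers are lost in this rendering; reading the first line of each pair as the removed one, the old argument `new_refresh_token.or(Some(refresh_token))` already preferred the rotated token whenever the provider returned one, so the only case this change affects is the one where none is returned. RFC 6749 section 6 makes issuing a new refresh token optional, so with a provider that does not rotate the session may be left without a refresh token, depending on how `create_auth_tokens` handles `None`. Suggest keeping the `.or(Some(refresh_token))` fallback (with the `.clone()` it needs), or, if discarding the old token is intended, updating the comment `// Use new refresh_token if returned` and documenting the `None` case.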
