Update sso.rs - sso(authentik): always adopt rotated provider refresh token to prevent invalid_grant

Ensures Vaultwarden immediately switches to the IdP’s latest provider refresh token after each refresh, preventing reuse of a revoked token and eliminating `invalid_grant` errors that prematurely log users out.
3 days ago · efa54a419b
1 changed files with 2 additions and 2 deletions
--- a/src/sso.rs
+++ b/src/sso.rs
@ -424,13 +424,13 @@ pub async fn exchange_refresh_token(
        Some(TokenWrapper::Refresh(refresh_token)) => {
            // Use new refresh_token if returned
            let (new_refresh_token, access_token, expires_in) =
-                Client::exchange_refresh_token(refresh_token.clone()).await?;
+                Client::exchange_refresh_token(refresh_token).await?;

            create_auth_tokens(
                device,
                user,
                client_id,
-                new_refresh_token.or(Some(refresh_token)),
+                new_refresh_token,
                access_token,
                expires_in,
            )