[SSO] Session is not closed in the client when the refresh token has expired

Hello,

I’m running Vaultwarden in a container using SSO with my Authelia backend, and I’ve noticed that when the refresh token is expired, the client session is not closed. I only noticed that sync was not happening because I missed a recently created entry.

For context, my Authelia refresh token is configured with a lifetime of 1 week. When using the Firefox plugin on a computer that has been offline for more than that, I get these messages in Vaultwarden:

Mar 09 07:38:27 vaultwarden[1107488]: [2026-03-09 06:38:27.745][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client."), error_uri: None })
Mar 09 07:38:27 vaultwarden[1107488]: [2026-03-09 06:38:27.745][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client."), error_uri: None })
Mar 09 07:38:27 vaultwarden[1107488]: [2026-03-09 06:38:27.745][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized
Mar 09 07:38:27 vaultwarden[1107488]: [2026-03-09 06:38:27.776][request][INFO] POST /identity/connect/token

However, the client session is not closed. If I click on sync manually, the sync fails. I have to explicitly close the session in the client and log in again to fix the issue.

The env vars I use in Vaultwarden are:

ROCKET_PORT=8080
SIGNUPS_ALLOWED=false
INVITATIONS_ALLOWED=false
ADMIN_TOKEN=REDACTED
DOMAIN=https://vault.apps.example.com
PUSH_ENABLED=true
PUSH_INSTALLATION_ID=REDACTED
PUSH_INSTALLATION_KEY=REDACTED
PUSH_RELAY_URI=https://api.bitwarden.eu
PUSH_IDENTITY_URI=https://identity.bitwarden.eu
SMTP_HOST=REDACTED
SMTP_FROM=REDACTED
SMTP_PORT=465
SMTP_SECURITY=force_tls
SMTP_USERNAME=REDACTED
SMTP_PASSWORD=REDACTED
SSO_ENABLED=true
SSO_ONLY=true
SSO_AUTHORITY=https://auth.apps.example.com
SSO_PKCE=true
SSO_CLIENT_ID=REDACTED
SSO_CLIENT_SECRET=REDACTED
SSO_SCOPES=email profile offline_access

This behaviour is surprising and I’d expect the session to be closed in this case. Does anyone know if the client behaves the same way when using the official Bitwarden server?
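
One way to spot this condition from the server side, as an added example that is not part of the original post or of Vaultwarden's code: it scans log text in the format shown above for a failed refresh-token exchange answered with a 401 on `/identity/connect/token`, and reports when that keeps repeating. The sample lines are constructed (descriptions shortened); the function names, the 2-second pairing window and the one-hour repeat span are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines modelled on the log format in the post (descriptions shortened).
SAMPLE = """\
Mar 09 07:38:27 vaultwarden[1]: [2026-03-09 06:38:27.745][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("expired"), error_uri: None })
Mar 09 07:38:27 vaultwarden[1]: [2026-03-09 06:38:27.745][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized
Mar 09 07:38:27 vaultwarden[1]: [2026-03-09 06:38:27.776][request][INFO] POST /identity/connect/token
Mar 09 07:40:02 vaultwarden[1]: [2026-03-09 06:40:02.100][response][INFO] (login) POST /identity/connect/token => 200 OK
Mar 09 07:53:27 vaultwarden[1]: [2026-03-09 06:53:27.010][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("expired"), error_uri: None })
Mar 09 07:53:27 vaultwarden[1]: [2026-03-09 06:53:27.011][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized
"""

# [timestamp][log target][level] message
LINE = re.compile(r"\[(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})\]\[([^\]]+)\]\[(\w+)\] (.*)")
REFRESH_FAIL = re.compile(r"exchange_refresh_token endpoint failed: .*?\berror: (\w+)")
TOKEN_401 = re.compile(r"POST /identity/connect/token => 401\b")

def find_dead_refreshes(text, window=timedelta(seconds=2)):
    """Return (timestamp, oauth_error) for each refresh failure answered with a 401."""
    pending, hits = None, []
    for raw in text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # not a Vaultwarden log line
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        target, level, msg = m.group(2), m.group(3), m.group(4)
        fail = REFRESH_FAIL.search(msg)
        if target == "vaultwarden::sso_client" and level == "ERROR" and fail:
            pending = (ts, fail.group(1))  # remember until the response line
        elif target == "response" and TOKEN_401.search(msg) and pending:
            if ts - pending[0] <= window:
                hits.append(pending)
            pending = None
    return hits

def has_repeated_failures(hits, min_repeats=2, span=timedelta(hours=1)):
    """True when failures recur within `span`: a client keeps retrying a dead token."""
    return any(sum(1 for t, _ in hits if timedelta(0) <= t - t0 <= span) >= min_repeats
               for t0, _ in hits)

if __name__ == "__main__":
    found = find_dead_refreshes(SAMPLE)
    for ts, err in found:
        print(f"{ts.isoformat()} refresh rejected by IdP ({err}), client got 401")
    print("repeated:", has_repeated_failures(found))
```

The log lines shown in the post carry no user or client identifier, so this only tells you that some client is stuck, not which one.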