Hey
The fact that Bitwarden considers a token with less than 5 minutes left as expired is a setting shared across their applications; there is not much I can do there.
Additionally, the race condition that then triggers a logout is caused by the client making multiple calls in parallel with the same refresh_token. Even if I could mitigate it, I probably will not, since it would mean the server would spam the provider.
OK, that's clear to me, so I have to customize the OIDC client on Keycloak as a workaround for now.
Thanks
Subject of the issue
When enabling your fork in the latest version (1.30.5-7), we need to define a custom access token lifespan in order for authentication to succeed.
Deployment environment
Your environment (Generated via diagnostics page)
Config (Generated via diagnostics page)
**Environment settings which are overridden:** ```json { "_duo_akey": null, "_enable_duo": true, "_enable_email_2fa": true, "_enable_smtp": true, "_enable_yubico": true, "_icon_service_csp": "", "_icon_service_url": "", "_ip_header_enabled": true, "_smtp_img_src": "cid:", "admin_ratelimit_max_burst": 3, "admin_ratelimit_seconds": 300, "admin_session_lifetime": 20, "admin_token": "***", "allowed_iframe_ancestors": "", "attachments_folder": "data/attachments", "auth_request_purge_schedule": "30 * * * * *", "authenticator_disable_time_drift": false, "data_folder": "data", "database_conn_init": "", "database_max_conns": 10, "database_timeout": 30, "database_url": "**********://*********************************", "db_connection_retries": 15, "disable_2fa_remember": false, "disable_admin_token": false, "disable_icon_download": false, "domain": "*****://****************************", "domain_origin": "*****://****************************", "domain_path": "", "domain_set": true, "duo_host": null, "duo_ikey": null, "duo_skey": null, "email_2fa_auto_fallback": false, "email_2fa_enforce_on_verified_invite": false, "email_attempts_limit": 3, "email_change_allowed": true, "email_expiration_time": 600, "email_token_size": 6, "emergency_access_allowed": true, "emergency_notification_reminder_schedule": "0 3 * * * *", "emergency_request_timeout_schedule": "0 3 * * * *", "enable_db_wal": false, "enable_websocket": true, "event_cleanup_schedule": "0 10 0 * * *", "events_days_retain": 360, "experimental_client_feature_flags": "fido2-vault-credentials", "extended_logging": true, "helo_name": null, "hibp_api_key": null, "icon_blacklist_non_global_ips": true, "icon_blacklist_regex": null, "icon_cache_folder": "data/icon_cache", "icon_cache_negttl": 259200, "icon_cache_ttl": 2592000, "icon_download_timeout": 10, "icon_redirect_code": 302, "icon_service": "internal", "incomplete_2fa_schedule": "30 * * * * *", "incomplete_2fa_time_limit": 3, "invitation_expiration_hours": 120, 
"invitation_org_name": "Pasteur Vault", "invitations_allowed": true, "ip_header": "X-Real-IP", "job_poll_interval_ms": 30000, "log_file": null, "log_level": "debug", "log_level_override": "", "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f", "login_ratelimit_max_burst": 10, "login_ratelimit_seconds": 60, "org_attachment_limit": null, "org_creation_users": "***", "org_events_enabled": true, "org_groups_enabled": false, "password_hints_allowed": true, "password_iterations": 600000, "purge_incomplete_sso_nonce": "0 20 0 * * *", "push_enabled": false, "push_identity_uri": "https://identity.bitwarden.com", "push_installation_id": "***", "push_installation_key": "***", "push_relay_uri": "https://push.bitwarden.com", "reload_templates": false, "require_device_email": true, "rsa_key_filename": "data/rsa_key", "send_purge_schedule": "0 5 * * * *", "sendmail_command": null, "sends_allowed": false, "sends_folder": "data/sends", "show_password_hint": true, "signups_allowed": false, "signups_domains_whitelist": "**********", "signups_verify": true, "signups_verify_resend_limit": 6, "signups_verify_resend_time": 3600, "smtp_accept_invalid_certs": false, "smtp_accept_invalid_hostnames": false, "smtp_auth_mechanism": null, "smtp_debug": false, "smtp_embed_images": true, "smtp_explicit_tls": null, "smtp_from": "******************", "smtp_from_name": "Vaultwarden next", "smtp_host": "****************", "smtp_password": null, "smtp_port": 25, "smtp_security": "off", "smtp_ssl": null, "smtp_timeout": 15, "smtp_username": null, "sso_audience_trusted": null, "sso_auth_only_not_session": false, "sso_authority": "https://id.example.com/realms/test", "sso_authorize_extra_params": "", "sso_callback_path": "https://vault-next.dev.example.com/identity/connect/oidc-signin", "sso_client_cache_expiration": 0, "sso_client_id": "vaultwarden-next", "sso_client_secret": "***", "sso_debug_tokens": false, "sso_enabled": true, "sso_master_password_policy": 
"{\"enforceOnLogin\":false,\"minComplexity\":3,\"minLength\":12,\"requireLower\":true,\"requireNumbers\":true,\"requireSpecial\":true,\"requireUpper\":true}", "sso_only": true, "sso_organizations_id_mapping": "", "sso_organizations_invite": false, "sso_organizations_token_path": "/groups", "sso_pkce": false, "sso_roles_default_to_user": true, "sso_roles_enabled": false, "sso_roles_token_path": "/resource_access/vaultwarden-next/roles", "sso_scopes": "email profile offline_access", "sso_signups_match_email": true, "templates_folder": "data/templates", "tmp_folder": "data/tmp", "trash_auto_delete_days": 90, "trash_purge_schedule": "0 5 0 * * *", "use_sendmail": false, "use_syslog": false, "user_attachment_limit": null, "user_send_limit": null, "web_vault_enabled": true, "web_vault_folder": "web-vault/", "yubico_client_id": null, "yubico_secret_key": null, "yubico_server": null } ```
Install method: Kubernetes
Clients used: web vault
MySQL/MariaDB or PostgreSQL version: Tried Mariadb and Postgresql
Other relevant details: Increasing the token lifespan to 5 minutes solves the issue.
Steps to reproduce
Just create a standard OIDC client on Keycloak and configure your fork as described in the documentation.
Expected behaviour
Should support default Keycloak settings.
Actual behaviour
Authentication fails with an access token error.