Description
How to use GitHub
- Please use the 👍 reaction to show that you are affected by the same issue.
- Please don't comment if you have no relevant information to add. It's just extra noise for everyone subscribed to this issue.
- Subscribe to receive notifications on status change and new comments.
Steps to reproduce
- Configure OIDC with refresh tokens to extend the session. Set a short access token validity to trigger the issue faster.
- Log in with OIDC and leave a tab open with the Nextcloud web UI.
- After some time of inactivity return to the tab and try to browse around.
Expected behaviour
The session should continue uninterrupted
Actual behaviour
After the access token is expired, any access of Nextcloud in an already open tab will cause a logout event.
Digging into the logs it appears to be because a request is sent to /ocs/v2.php/apps/notifications/api/v2/notifications and slightly later /ocs/v2.php/apps/user_status/api/v1/heartbeat?format=json. This causes both of these to run in parallel, and the first request will use the stored refresh token to refresh the session, then the second request will attempt to refresh the session. This causes a failure since it appears to use the refresh token that was read before the other request used it, so it's now expired.
Not sure what the best solution here is, but it would seem that some database locking would be needed to ensure that the token is not modified by parallel requests.
Nextcloud log
2025-08-17 00:22:35.577 user=-- url=/ocs/v2.php/apps/user_status/api/v1/heartbeat?format=json message=[TokenService] reauthenticate
2025-08-17 00:22:35.577 user=albgus url=/ocs/v2.php/apps/user_status/api/v1/heartbeat?format=json message=[TokenService] checkLoginToken: token is still expired -> reauthenticate
2025-08-17 00:22:35.577 user=albgus url=/ocs/v2.php/apps/user_status/api/v1/heartbeat?format=json message=[TokenService] Failed to refresh token
2025-08-17 00:22:35.577 user=albgus url=/ocs/v2.php/apps/notifications/api/v2/notifications message=[TokenService] Store token in the session
2025-08-17 00:22:35.577 user=albgus url=/ocs/v2.php/apps/notifications/api/v2/notifications message=[TokenService] ---- Refresh token success
2025-08-17 00:22:35.577 user=albgus url=/ocs/v2.php/apps/notifications/api/v2/notifications message=[TokenService] Token refresh request params
2025-08-17 00:22:35.577 user=albgus url=/ocs/v2.php/apps/user_status/api/v1/heartbeat?format=json message=[TokenService] Refreshing the token: https://login.example.com/application/o/token/
2025-08-17 00:22:35.576 user=albgus url=/ocs/v2.php/apps/user_status/api/v1/heartbeat?format=json message=[TokenService] getToken: token is expired and refresh token is still valid, refresh expires in 0
2025-08-17 00:22:35.576 user=albgus url=/ocs/v2.php/apps/user_status/api/v1/heartbeat?format=json message=[TokenService] Get token from the session
2025-08-17 00:22:35.576 user=albgus url=/ocs/v2.php/apps/notifications/api/v2/notifications message=[TokenService] Refreshing the token: https://login.example.com/application/o/token/
2025-08-17 00:22:35.576 user=albgus url=/ocs/v2.php/apps/notifications/api/v2/notifications message=[TokenService] getToken: token is expired and refresh token is still valid, refresh expires in 0
2025-08-17 00:22:35.576 user=albgus url=/ocs/v2.php/apps/notifications/api/v2/notifications message=[TokenService] Get token from the session
Error response from the token service
Client error: `POST https://login.example.com/application/o/token/` resulted in a `400 Bad Request` response:
{"error": "invalid_grant", "error_description": "The provided authorization grant or refresh token is invalid, expired, (truncated...)
Server configuration
Web server: Nginx
Database: PostgreSQL
PHP version: 8.1/8.2/8.3
Nextcloud version: 31.0.8.1
List of activated apps
If you have access to your command line run e.g.:
sudo -u www-data php occ app:list
from within your Nextcloud installation folder
Nextcloud configuration
If you have access to your command line run e.g.:
sudo -u www-data php occ config:list system
from within your Nextcloud installation folder
Browser
Browser name: Edge
Browser version: 139.0.3405.86
Operating system: Windows 11
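
The race described under "Actual behaviour", as an added Python model that is not part of the original report and not the app's own code. It assumes the identity provider invalidates a refresh token once it has been used; `RotatingIdP`, `handle_request`, `run` and the `rt-N` token values are constructed for illustration, and the in-process lock stands in for whatever cross-process lock (for example a database row lock) a PHP deployment would need.

```python
import threading

class RotatingIdP:
    """Constructed stand-in for a token endpoint whose refresh tokens are single-use."""
    def __init__(self):
        self._lock = threading.Lock()
        self._valid, self._n = "rt-0", 0

    def refresh(self, refresh_token):
        with self._lock:
            if refresh_token != self._valid:
                raise PermissionError("invalid_grant")
            self._n += 1
            self._valid = f"rt-{self._n}"      # rotation: the old token is now dead
            return self._valid

def _refresh(idp, session, refresh_token):
    try:
        session["refresh_token"] = idp.refresh(refresh_token)
    except PermissionError:
        return False                           # the app treats this as a logout
    session["expired"] = False
    return True

def handle_request(idp, session, barrier, use_lock):
    if not use_lock:
        stale = session["refresh_token"]       # both requests read rt-0 ...
        barrier.wait()                         # ... before either one refreshes
        return _refresh(idp, session, stale)
    barrier.wait()                             # both requests arrive together
    with session["lock"]:                      # stands in for a cross-process lock
        if not session["expired"]:             # re-check: the other request refreshed
            return True
        return _refresh(idp, session, session["refresh_token"])

def run(use_lock):
    """Fire two parallel requests at one expired session; return who stayed logged in."""
    idp = RotatingIdP()
    session = {"refresh_token": "rt-0", "expired": True, "lock": threading.Lock()}
    barrier, results = threading.Barrier(2), []
    def worker():
        results.append(handle_request(idp, session, barrier, use_lock))
    threads = [threading.Thread(target=worker) for _ in range(2)]
    for t in threads: t.start()
    for t in threads: t.join()
    return sorted(results)

if __name__ == "__main__":
    print("no lock:  ", run(False))
    print("with lock:", run(True))
```

The lock alone is not enough: the second request must re-read the session state after acquiring it, otherwise it still presents the rotated-out token.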