
Unlocking screen sometimes fails with "authentication failure: could not refresh token" when internet connection is unstable

Open adombeck opened this issue 6 months ago • 5 comments

I just experienced this issue three times in a row on a network with unstable internet connection. The lockscreen shows the error message "authentication failure: could not refresh token".

The logs show:

Jun 27 16:46:11 ubuntu authd-google[2306]: Post "https://oauth2.googleapis.com/token": context deadline exceeded
Jun 27 16:46:11 ubuntu authd-google[2306]: IsAuthenticated: denied
Jun 27 16:46:11 ubuntu authd[1823]: 3820511142-2f494872-d527-4062-bb05-2894a47d1d36: Authentication result: denied
Jun 27 16:46:11 ubuntu authd[1823]: 3820511142-2f494872-d527-4062-bb05-2894a47d1d36: End session "Google"

With the 4th retry it worked.

It also works if I completely disconnect the network, presumably because the auth session is then started in offline mode.

adombeck avatar Jun 27 '25 14:06 adombeck

I too am seeing this, Entra SSO configured.

Logged in with a user, and it created the account with a local username and password. Now when I rebooted, I cannot log in as the login screen gives this token error.

If I try to SSH into the machine, I receive the same error.

One more oddity. I tried to delete the account from the local machine after it was created by authd. But, I can't delete it. deluser says it does not exist. The GUI in Ubuntu shows it as an "other user", but the remove button is greyed out even though I elevated privileges.

nc-ith avatar Jun 27 '25 15:06 nc-ith

> If I try to SSH into the machine, I receive the same error.

Does it work after a few retries, or is it consistently broken? If the latter, please file a new issue with the system logs.

> One more oddity. I tried to delete the account from the local machine after it was created by authd. But, I can't delete it. deluser says it does not exist. The GUI in Ubuntu shows it as an "other user", but the remove button is greyed out even though I elevated privileges.

That's expected, authd users are not managed via /etc/passwd, which deluser and (presumably) the GNOME Settings app operate on. We will soon ship a command-line tool which will allow locking and removing authd users: https://github.com/ubuntu/authd/issues/640

adombeck avatar Jun 27 '25 16:06 adombeck

Actually I resolved it:

  1. For Entra, no client secret is needed. I had configured one, so I removed it.
  2. I set allowed users to ALL instead of OWNERS.

Now everything is working fine.

nc-ith avatar Jun 27 '25 19:06 nc-ith

I'm not so sure this is solved. I've encountered this twice now, both times on the same machine, both times about 7 days after the last "Device Authentication" process was run. When I hit the problem I just "re-register" the device by choosing the "Device Authentication" option on GDM and the re-register process fixes the issue for about 7 days again. Is this a token expiry maybe?

Senectus avatar Jun 30 '25 06:06 Senectus

The issue described in the description is not solved. It's clearly a network-related problem.

@nc-ith experienced a different issue, which was apparently caused by an incorrect client secret being configured.

@Senectus, if your issue is not related to an unstable internet connection, then please open a new issue with the system logs.

adombeck avatar Jun 30 '25 09:06 adombeck
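
Added example, not part of the thread and not authd project code: a small triage script that separates denials preceded by a token-endpoint timeout (the case in the issue description) from all other denials. The function name, the cause labels and the last three sample log lines are assumptions made for illustration; the first four sample lines are the excerpt quoted in the issue.

```python
import re

# First four lines are the log excerpt from the issue; the last three are
# constructed in the same format to show a denial with no timeout before it.
SAMPLE_LOG = '''\
Jun 27 16:46:11 ubuntu authd-google[2306]: Post "https://oauth2.googleapis.com/token": context deadline exceeded
Jun 27 16:46:11 ubuntu authd-google[2306]: IsAuthenticated: denied
Jun 27 16:46:11 ubuntu authd[1823]: 3820511142-2f494872-d527-4062-bb05-2894a47d1d36: Authentication result: denied
Jun 27 16:46:11 ubuntu authd[1823]: 3820511142-2f494872-d527-4062-bb05-2894a47d1d36: End session "Google"
Jun 27 16:50:02 ubuntu authd-google[2306]: IsAuthenticated: denied
Jun 27 16:50:02 ubuntu authd[1823]: constructed-session-0001: Authentication result: denied
Jun 27 16:50:02 ubuntu authd[1823]: constructed-session-0001: End session "Google"
'''

# syslog-style prefix: "Mon DD HH:MM:SS host unit[pid]: message"
LINE_RE = re.compile(r'^(\w{3} +\d+ [\d:]{8}) (\S+) ([\w.-]+)\[(\d+)\]: (.*)$')
RESULT_RE = re.compile(r'^(\S+): Authentication result: denied$')
TIMEOUT_MARKER = 'context deadline exceeded'  # Go's context timeout error text


def classify_denials(log_text):
    """Return one dict per denied session, tagged with a likely cause.

    Heuristic (assumption): broker messages logged since the previous result
    belong to the next "Authentication result" line, as in the issue's excerpt.
    Interleaved concurrent sessions can be misattributed.
    """
    denials, broker_msgs = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a syslog-style line, ignore
        when, _host, unit, _pid, msg = m.groups()
        if unit != 'authd':
            if unit.startswith('authd-'):  # broker process, e.g. authd-google
                broker_msgs.append(msg)
            continue
        r = RESULT_RE.match(msg)
        if r:
            cause = 'network-timeout' if any(TIMEOUT_MARKER in b for b in broker_msgs) else 'other'
            denials.append({'time': when, 'session': r.group(1), 'cause': cause})
            broker_msgs = []  # start collecting for the next session
    return denials


if __name__ == '__main__':
    for d in classify_denials(SAMPLE_LOG):
        print(d['time'], d['session'], d['cause'])
```
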