Using authentik as the OAuth provider

[urban-prah]

I'm having trouble with session persistence when using OAuth. Debugging with browser tools I found out that the response to /api/auth/token?slot=0 POST request contains only the access_token, expires_in fields (no refresh_token). After the token expires I get logged out with console message:

Cannot restore next account <email-address>, performing full logout error.logout.i.refreshAccessToken.X.loginWithOauth

I'm trying to figure out if the problem is with authentik not providing the token or bulwark requesting authentication. Does anyone have experience with this?

Steps I took to configure my setup:

1. Configured stalwart to use the userinfo endpoint as the default directory.
2. Set-up authentik OAuth2 provider for Bulwark, selecting email, openid, profile, offline_access scopes.
3. Configured bulwark env:

AUTO_SSO_ENABLED=true
OAUTH_ENABLED=true
OAUTH_ONLY=true
OAUTH_ISSUER_URL=https://auth.domain.tld/application/o/bulwark
OAUTH_CLIENT_ID=<from-authentik>
OAUTH_CLIENT_SECRET=<from-authentik>
SESSION_SECRET=<generated>