[GH-ISSUE #6179] SSO login/registration kinda buged from yesterday to today #2362

Closed
opened 2026-03-03 02:17:37 +03:00 by kerem · 7 comments

Originally created by @Joly0 on GitHub (Aug 12, 2025).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/6179

Prerequisites

Vaultwarden Support String

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.34.3-8e7eeab2
  • Web-vault version: v2025.7.0
  • OS/Arch: linux/x86_64
  • Running within a container: true (Base: Debian)
  • Database type: SQLite
  • Database version: 3.50.2
  • Uses config.json: true
  • Uses a reverse proxy: true
  • IP Header check: true (X-Real-IP)
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • Browser/Server Time Check: true
  • Server/NTP Time Check: true
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Websocket Check: true
  • HTTP Response Checks: true

Config & Details (Generated via diagnostics page)

Show Config & Details

Environment settings which are overridden: DOMAIN, ADMIN_TOKEN

Config:

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": false,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "***:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://************************",
  "domain_origin": "*****://************************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": false,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": false,
  "password_iterations": 600000,
  "purge_incomplete_sso_nonce": "0 20 0 * * *",
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": true,
  "signups_domains_whitelist": "************",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "",
  "smtp_from_name": "Vaultwarden",
  "smtp_host": null,
  "smtp_password": null,
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": null,
  "sso_allow_unknown_email_verification": false,
  "sso_audience_trusted": null,
  "sso_auth_only_not_session": false,
  "sso_authority": "*****://*******************************************************************",
  "sso_authorize_extra_params": "",
  "sso_callback_path": "*****://*****************************************************",
  "sso_client_cache_expiration": 0,
  "sso_client_id": "************************************",
  "sso_client_secret": "***",
  "sso_debug_tokens": false,
  "sso_enabled": true,
  "sso_master_password_policy": null,
  "sso_only": true,
  "sso_pkce": true,
  "sso_scopes": "email profile offline_access",
  "sso_signups_match_email": true,
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Vaultwarden Build Version

1.34.3-8e7eeab2

Deployment method

Official Container Image

Custom deployment method

No response

Reverse Proxy

traefik 3.5

Host/Server Operating System

Linux

Operating System Version

No response

Clients

Web Vault

Client Version

No response

Steps To Reproduce

So this is a weird one. I opened this discussion yesterday https://github.com/dani-garcia/vaultwarden/discussions/6171 after setting up vaultwarden with SSO. In the end i was able to login but only through the desktop application, there was no sso button on the webui or anything, just the plain login with master password or register option.

In the meantime i didn't change any settings, they remained as they were and i left it. Today a colleague of mine wanted to try it out and was wondering about an issue when signing in:

Image

I told him he needed to register first, but noticed, that there was no register button anymore. Just an sso login button and the continue button. So he cannot create an account. But atleast now using the sso login button i can login to the web vault.

Reading through the docs i noticed this part https://github.com/dani-garcia/vaultwarden/wiki/Enabling-SSO-support-using-OpenId-Connect#on-sso_allow_unknown_email_verification and tried to figure out what was missing, but from my knowledge entra id, the provider we use, provides the email_verified claim. So i assume i have to add it to the "Authorization request scopes" or the "Authorization request extra parameters" settings? Not sure though. Also i couldn't find any option in the admin dashboard that shows "SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION" so that i could disable it.

So i am completely lost now as to what is going on: where the register button is, why i couldn't login yesterday but can today, what the error message for my colleague means, and why all of a sudden the sso login button appeared in the webui.

Expected Result

At this point, idk what i should expect

Actual Result

I have legit no idea if this is how it should work, why it suddenly does what it does, but the result is, currently only myself can login, others cant register

Logs


Screenshots or Videos

No response

Additional Context

No response

Originally created by @Joly0 on GitHub (Aug 12, 2025). Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/6179 ### Prerequisites - [x] I have searched the existing **Closed _AND_ Open** [Issues](https://github.com/dani-garcia/vaultwarden/issues?q=is%3Aissue%20) **_AND_** [Discussions](https://github.com/dani-garcia/vaultwarden/discussions?discussions_q=) - [x] I have searched and read the [documentation](https://github.com/dani-garcia/vaultwarden/wiki/) ### Vaultwarden Support String ### Your environment (Generated via diagnostics page) * Vaultwarden version: v1.34.3-8e7eeab2 * Web-vault version: v2025.7.0 * OS/Arch: linux/x86_64 * Running within a container: true (Base: Debian) * Database type: SQLite * Database version: 3.50.2 * Uses config.json: true * Uses a reverse proxy: true * IP Header check: true (X-Real-IP) * Internet access: true * Internet access via a proxy: false * DNS Check: true * Browser/Server Time Check: true * Server/NTP Time Check: true * Domain Configuration Check: true * HTTPS Check: true * Websocket Check: true * HTTP Response Checks: true ### Config & Details (Generated via diagnostics page) <details><summary>Show Config & Details</summary> **Environment settings which are overridden:** DOMAIN, ADMIN_TOKEN **Config:** ```json { "_duo_akey": null, "_enable_duo": true, "_enable_email_2fa": false, "_enable_smtp": true, "_enable_yubico": true, "_icon_service_csp": "", "_icon_service_url": "", "_ip_header_enabled": true, "_max_note_size": 10000, "_smtp_img_src": "***:", "admin_ratelimit_max_burst": 3, "admin_ratelimit_seconds": 300, "admin_session_lifetime": 20, "admin_token": "***", "allowed_connect_src": "", "allowed_iframe_ancestors": "", "attachments_folder": "data/attachments", "auth_request_purge_schedule": "30 * * * * *", "authenticator_disable_time_drift": false, "data_folder": "data", "database_conn_init": "", "database_max_conns": 10, "database_timeout": 30, "database_url": "***************", 
"db_connection_retries": 15, "disable_2fa_remember": false, "disable_admin_token": false, "disable_icon_download": false, "domain": "*****://************************", "domain_origin": "*****://************************", "domain_path": "", "domain_set": true, "duo_context_purge_schedule": "30 * * * * *", "duo_host": null, "duo_ikey": null, "duo_skey": null, "duo_use_iframe": false, "email_2fa_auto_fallback": false, "email_2fa_enforce_on_verified_invite": false, "email_attempts_limit": 3, "email_change_allowed": true, "email_expiration_time": 600, "email_token_size": 6, "emergency_access_allowed": true, "emergency_notification_reminder_schedule": "0 3 * * * *", "emergency_request_timeout_schedule": "0 7 * * * *", "enable_db_wal": true, "enable_websocket": true, "enforce_single_org_with_reset_pw_policy": false, "event_cleanup_schedule": "0 10 0 * * *", "events_days_retain": null, "experimental_client_feature_flags": "", "extended_logging": true, "helo_name": null, "hibp_api_key": null, "http_request_block_non_global_ips": true, "http_request_block_regex": null, "icon_blacklist_non_global_ips": true, "icon_blacklist_regex": null, "icon_cache_folder": "data/icon_cache", "icon_cache_negttl": 259200, "icon_cache_ttl": 2592000, "icon_download_timeout": 10, "icon_redirect_code": 302, "icon_service": "internal", "incomplete_2fa_schedule": "30 * * * * *", "incomplete_2fa_time_limit": 3, "increase_note_size_limit": false, "invitation_expiration_hours": 120, "invitation_org_name": "Vaultwarden", "invitations_allowed": false, "ip_header": "X-Real-IP", "job_poll_interval_ms": 30000, "log_file": null, "log_level": "info", "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f", "login_ratelimit_max_burst": 10, "login_ratelimit_seconds": 60, "org_attachment_limit": null, "org_creation_users": "", "org_events_enabled": false, "org_groups_enabled": false, "password_hints_allowed": false, "password_iterations": 600000, "purge_incomplete_sso_nonce": "0 20 0 * * *", "push_enabled": false, 
"push_identity_uri": "https://identity.bitwarden.com", "push_installation_id": "***", "push_installation_key": "***", "push_relay_uri": "https://push.bitwarden.com", "reload_templates": false, "require_device_email": false, "rsa_key_filename": "data/rsa_key", "send_purge_schedule": "0 5 * * * *", "sendmail_command": null, "sends_allowed": true, "sends_folder": "data/sends", "show_password_hint": false, "signups_allowed": true, "signups_domains_whitelist": "************", "signups_verify": false, "signups_verify_resend_limit": 6, "signups_verify_resend_time": 3600, "smtp_accept_invalid_certs": false, "smtp_accept_invalid_hostnames": false, "smtp_auth_mechanism": null, "smtp_debug": false, "smtp_embed_images": true, "smtp_explicit_tls": null, "smtp_from": "", "smtp_from_name": "Vaultwarden", "smtp_host": null, "smtp_password": null, "smtp_port": 587, "smtp_security": "starttls", "smtp_ssl": null, "smtp_timeout": 15, "smtp_username": null, "sso_allow_unknown_email_verification": false, "sso_audience_trusted": null, "sso_auth_only_not_session": false, "sso_authority": "*****://*******************************************************************", "sso_authorize_extra_params": "", "sso_callback_path": "*****://*****************************************************", "sso_client_cache_expiration": 0, "sso_client_id": "************************************", "sso_client_secret": "***", "sso_debug_tokens": false, "sso_enabled": true, "sso_master_password_policy": null, "sso_only": true, "sso_pkce": true, "sso_scopes": "email profile offline_access", "sso_signups_match_email": true, "templates_folder": "data/templates", "tmp_folder": "data/tmp", "trash_auto_delete_days": null, "trash_purge_schedule": "0 5 0 * * *", "use_sendmail": false, "use_syslog": false, "user_attachment_limit": null, "user_send_limit": null, "web_vault_enabled": true, "web_vault_folder": "web-vault/", "yubico_client_id": null, "yubico_secret_key": null, "yubico_server": null } ``` </details> ### 
Vaultwarden Build Version 1.34.3-8e7eeab2 ### Deployment method Official Container Image ### Custom deployment method _No response_ ### Reverse Proxy traefik 3.5 ### Host/Server Operating System Linux ### Operating System Version _No response_ ### Clients Web Vault ### Client Version _No response_ ### Steps To Reproduce So this is a weird one. I opened this discussion yesterday https://github.com/dani-garcia/vaultwarden/discussions/6171 after setting up vaultwarden with SSO. In the end i was able to login but only through the desktop application, there was no sso button on the webui or anything, just the plain login with master password or register option. In the meantime i didnt change any settings, they remained as is and i left it. Today a colleague of mine wanted to try it out and was wondering about an issue when signign in: <img width="1452" height="530" alt="Image" src="https://github.com/user-attachments/assets/71eb9dd4-5c24-4c9f-800c-6960094dea02" /> I told him he needed to register first, but noticed, that there was no register button anymore. Just an sso login button and the continue button. So he cannot create an account. But atleast now using the sso login button i can login to the web vault. Reading through the docs i noticed this part https://github.com/dani-garcia/vaultwarden/wiki/Enabling-SSO-support-using-OpenId-Connect#on-sso_allow_unknown_email_verification and tried to figure out what was missing, but from my knowledge entra id, the provider we use, provied the email_verified claim. So i assume i have to add it "Authorization request scopes" or the "Authorization request extra parameters" settings? Not sure though. Also i couldnt find any option (in the admin dashboard) that show the option "SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION" to disable it. So i am completely lost now what is going on. 
Where the register button is, why i couldnt login yesterday but can today, what the error message for my colleague means and why out of the sudden the sso login button appeared in the webui. ### Expected Result At this point, idk what i should expect ### Actual Result I have legit no idea if this is how it should work, why it suddenly does what it does, but the result is, currently only myself can login, others cant register ### Logs ```text ``` ### Screenshots or Videos _No response_ ### Additional Context _No response_
kerem 2026-03-03 02:17:37 +03:00
  • closed this issue
  • added the
    bug
    SSO
    labels

@ArcticLampyrid commented on GitHub (Aug 16, 2025):

Also i couldnt find any option (in the admin dashboard) that show the option "SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION" to disable it.

I believe this is an environment variable.

<!-- gh-comment-id:3193370358 --> @ArcticLampyrid commented on GitHub (Aug 16, 2025): > Also i couldnt find any option (in the admin dashboard) that show the option "SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION" to disable it. I believe this is a environment variable.

@Gauss23 commented on GitHub (Aug 25, 2025):

Maybe the env part from Authentik's manual helps and can be adapted to your Entra IdP:
https://integrations.goauthentik.io/security/vaultwarden/#vaultwarden-configuration

it says:

SSO_AUTHORITY=https://authentik.company/application/o/<application_slug>/
SSO_CLIENT_ID=<client_id>
SSO_CLIENT_SECRET=<client_secret>
SSO_SCOPES="openid email profile offline_access"
SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION=false
SSO_CLIENT_CACHE_EXPIRATION=0
SSO_ONLY=false # Set to true to disable email+master password login and require SSO
SSO_SIGNUPS_MATCH_EMAIL=true # Match first SSO login to existing account by email
<!-- gh-comment-id:3219536533 --> @Gauss23 commented on GitHub (Aug 25, 2025): Maybe the env part from Authentik's manual helps and can be adopted to your Entra IdP: [https://integrations.goauthentik.io/security/vaultwarden/#vaultwarden-configuration](url) it says: ```SSO_ENABLED=true SSO_AUTHORITY=https://authentik.company/application/o/<application_slug>/ SSO_CLIENT_ID=<client_id> SSO_CLIENT_SECRET=<client_secret> SSO_SCOPES="openid email profile offline_access" SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION=false SSO_CLIENT_CACHE_EXPIRATION=0 SSO_ONLY=false # Set to true to disable email+master password login and require SSO SSO_SIGNUPS_MATCH_EMAIL=true # Match first SSO login to existing account by email

@Timshel commented on GitHub (Aug 26, 2025):

Hey
The setting should be visible once https://github.com/dani-garcia/vaultwarden/pull/6235 is merged.
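In the meantime, as mentioned, you can set SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION=true as an env variable to ignore the fact that your provider does not send the email verification status.
And you probably then want to disable email matching (SSO_SIGNUPS_MATCH_EMAIL=false): once unverified emails are accepted, matching by email would let an SSO login associate with an existing non-SSO account whose address the user does not control. More details here.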

<!-- gh-comment-id:3224910420 --> @Timshel commented on GitHub (Aug 26, 2025): Hey The setting should be visible once https://github.com/dani-garcia/vaultwarden/pull/6235 is merged. In the meantime as mentioned you can set `SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION=true` as an env variable to ignore the fact that your provider do not sent the email status. And you probably then want to disable `SSO_SIGNUPS_MATCH_EMAIL=false`, more details [here](https://github.com/dani-garcia/vaultwarden/wiki/Enabling-SSO-support-using-OpenId-Connect#on-sso_allow_unknown_email_verification).

@Joly0 commented on GitHub (Sep 1, 2025):

Hey The setting should be visible once #6235 is merged. In the meantime as mentioned you can set SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION=true as an env variable to ignore the fact that your provider do not sent the email status. And you probably then want to disable SSO_SIGNUPS_MATCH_EMAIL=false, more details here.

Something still borked somewhere. So i changed both settings:

Image but a new user now tries to register/login (he has no account previously) gets this: Image

He goes to the vaultwarden login page, clicks on "Use single sign-on", is redirected to microsoft login screen, then redirected to the login page of vaultwarden with this warning. I can see in the admin page on the users tab, that the user was created, but without an SSO identifier:

Image Whats also weird is, that my user has my normal name and the mail address under the user row, for that second user it shows the mail address twice, no firstname+lastname (but this could be due to the fact, that i created my user before i changed the two settings above).
<!-- gh-comment-id:3242088962 --> @Joly0 commented on GitHub (Sep 1, 2025): > Hey The setting should be visible once [#6235](https://github.com/dani-garcia/vaultwarden/pull/6235) is merged. In the meantime as mentioned you can set `SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION=true` as an env variable to ignore the fact that your provider do not sent the email status. And you probably then want to disable `SSO_SIGNUPS_MATCH_EMAIL=false`, more details [here](https://github.com/dani-garcia/vaultwarden/wiki/Enabling-SSO-support-using-OpenId-Connect#on-sso_allow_unknown_email_verification). Something still borked somewhere. So i changed both settings: <img width="1234" height="852" alt="Image" src="https://github.com/user-attachments/assets/b8a19259-8574-46f5-b645-b2751afcf98a" /> but a new user now tries to register/login (he has no account previously) gets this: <img width="1894" height="636" alt="Image" src="https://github.com/user-attachments/assets/c17a56e9-5e86-45dd-9f1d-500a8242cc27" /> He goes to the vaultwarden login page, clicks on "Use single sign-on", is redirected to microsoft login screen, then redirected to the login page of vaultwarden with this warning. I can see in the admin page on the users tab, that the user was created, but without an SSO identifier: <img width="1337" height="672" alt="Image" src="https://github.com/user-attachments/assets/66a25ef6-5497-4df0-a547-1f9ab3e3ad31" /> Whats also weird is, that my user has my normal name and the mail address under the user row, for that second user it shows the mail address twice, no firstname+lastname (but this could be due to the fact, that i created my user before i changed the two settings above).

@Timshel commented on GitHub (Sep 1, 2025):

The error message is consistent with setting SSO_SIGNUPS_MATCH_EMAIL=false and the user already existing.

I'm guessing the user was created in a previous attempt which did not complete due to an error.
Searching in the logs around the account creation time should give more information.

For the username, the preferred_username returned by your provider is used; if it is missing, it falls back to the email.

<!-- gh-comment-id:3242145824 --> @Timshel commented on GitHub (Sep 1, 2025): The error message is consistent with setting `SSO_SIGNUPS_MATCH_EMAIL=false` and the user already existing. I'm guessing the user was created in a previous attempt which did not complete due to an error. Searching in the logs around the account creation time should give more information. For the username the `preferred_username` returned by your provider is used, if missing it fallback to the email.

@Joly0 commented on GitHub (Sep 1, 2025):

The error message is consistent with setting SSO_SIGNUPS_MATCH_EMAIL=false and the user already existing.

I'm guessing the user was created in a previous attempt which did not complete due to an error. Searching in the logs around the account creation time should give more information.

For the username the preferred_username returned by your provider is used, if missing it fallback to the email.

Ok, i hope i havent left any sensitive data in it, but here are the logs:

[2025-09-01 15:15:38.952][response][INFO] (oidcsignin) GET /identity/connect/oidc-signin?<code>&<state> => 307 Temporary Redirect
[2025-09-01 15:15:39.577][request][INFO] POST /identity/connect/token
[2025-09-01 15:15:40.275][vaultwarden::api::identity][INFO] User XYZ@mycompany.de logged in successfully. IP: XYZ
[2025-09-01 15:15:40.275][response][INFO] (login) POST /identity/connect/token => 200 OK
[2025-09-01 15:15:40.295][request][INFO] GET /api/sync?excludeDomains=true
[2025-09-01 15:15:40.348][response][INFO] (sync) GET /api/sync?<data..> => 200 OK
[2025-09-01 15:15:40.375][request][INFO] POST /identity/connect/token
[2025-09-01 15:15:40.786][response][INFO] (login) POST /identity/connect/token => 200 OK
[2025-09-01 15:15:40.796][request][INFO] GET /api/sync?excludeDomains=true
[2025-09-01 15:15:40.851][response][INFO] (sync) GET /api/sync?<data..> => 200 OK
[2025-09-01 15:15:40.861][request][INFO] GET /api/organizations/Vaultwarden/auto-enroll-status
[2025-09-01 15:15:40.869][response][INFO] (get_auto_enroll_status) GET /api/organizations/<identifier>/auto-enroll-status => 200 OK
[2025-09-01 15:15:40.877][request][INFO] GET /api/organizations/XYZ/policies/master-password
[2025-09-01 15:15:40.883][response][INFO] (get_master_password_policy) GET /api/organizations/<org_id>/policies/master-password => 200 OK
[2025-09-01 15:15:53.082][request][INFO] POST /api/accounts/set-password
[2025-09-01 15:15:53.239][response][INFO] (post_set_password) POST /api/accounts/set-password => 200 OK
[2025-09-01 15:15:53.260][request][INFO] GET /api/config
[2025-09-01 15:15:53.260][response][INFO] (config) GET /api/config => 200 OK
[2025-09-01 15:15:53.276][request][INFO] GET /notifications/hub?access_token=XYZ
[2025-09-01 15:15:53.276][vaultwarden::api::notifications][INFO] Accepting Rocket WS connection from XYZ
[2025-09-01 15:15:53.276][response][INFO] (websockets_hub) GET /notifications/hub?<data..> => 200 OK
[2025-09-01 15:15:53.345][request][INFO] GET /api/accounts/revision-date
[2025-09-01 15:15:53.345][request][INFO] GET /api/devices
[2025-09-01 15:15:53.345][request][INFO] GET /api/accounts/revision-date
[2025-09-01 15:15:53.345][request][INFO] GET /api/accounts/profile
[2025-09-01 15:15:53.401][response][INFO] (revision_date) GET /api/accounts/revision-date => 200 OK
[2025-09-01 15:15:53.402][response][INFO] (revision_date) GET /api/accounts/revision-date => 200 OK
[2025-09-01 15:15:53.410][request][INFO] POST /identity/connect/token
[2025-09-01 15:15:53.410][response][INFO] (get_all_devices) GET /api/devices => 200 OK
[2025-09-01 15:15:53.416][response][INFO] (profile) GET /api/accounts/profile => 200 OK
[2025-09-01 15:15:53.848][response][INFO] (login) POST /identity/connect/token => 200 OK
[2025-09-01 15:15:53.858][request][INFO] GET /api/sync?excludeDomains=true
[2025-09-01 15:15:53.927][response][INFO] (sync) GET /api/sync?<data..> => 200 OK
[2025-09-01 15:15:58.027][vaultwarden::api::notifications][INFO] Closing WS connection from XYZ
[2025-09-01 15:16:00.260][request][INFO] POST /api/organizations/domain/sso/verified
[2025-09-01 15:16:00.265][response][INFO] (get_org_domain_sso_verified) POST /api/organizations/domain/sso/verified => 200 OK
[2025-09-01 15:16:00.274][request][INFO] GET /identity/sso/prevalidate?domainHint=Vaultwarden
[2025-09-01 15:16:00.274][response][INFO] (prevalidate) GET /identity/sso/prevalidate => 200 OK
[2025-09-01 15:16:00.304][request][INFO] GET /identity/connect/authorize?client_id=web&redirect_uri=htt
[2025-09-01 15:16:00.530][response][INFO] (authorize) GET /identity/connect/authorize?<data..> => 307 Temporary Redirect
[2025-09-01 15:16:02.436][request][INFO] GET /identity/connect/oidc-signin?code=XYZ
[2025-09-01 15:16:02.449][response][INFO] (oidcsignin) GET /identity/connect/oidc-signin?<code>&<state> => 307 Temporary Redirect
[2025-09-01 15:16:03.026][request][INFO] POST /identity/connect/token
[2025-09-01 15:16:03.509][vaultwarden::api::identity][ERROR] Login failure (https://login.microsoftonline.com/XYZ/v2.0/XYZ), existing non SSO user (XYZ-ID) with same email (XYZ@mycompany.de) and association is disabled
[2025-09-01 15:16:03.510][response][INFO] (login) POST /identity/connect/token => 400 Bad Request

prior to this, i deleted the problematic user from vaultwarden.

<!-- gh-comment-id:3242722990 --> @Joly0 commented on GitHub (Sep 1, 2025): > The error message is consistent with setting `SSO_SIGNUPS_MATCH_EMAIL=false` and the user already existing. > > I'm guessing the user was created in a previous attempt which did not complete due to an error. Searching in the logs around the account creation time should give more information. > > For the username the `preferred_username` returned by your provider is used, if missing it fallback to the email. Ok, i hope i havent left any sensitive data in it, but here are the logs: ``` [2025-09-01 15:15:38.952][response][INFO] (oidcsignin) GET /identity/connect/oidc-signin?<code>&<state> => 307 Temporary Redirect [2025-09-01 15:15:39.577][request][INFO] POST /identity/connect/token [2025-09-01 15:15:40.275][vaultwarden::api::identity][INFO] User XYZ@mycompany.de logged in successfully. IP: XYZ [2025-09-01 15:15:40.275][response][INFO] (login) POST /identity/connect/token => 200 OK [2025-09-01 15:15:40.295][request][INFO] GET /api/sync?excludeDomains=true [2025-09-01 15:15:40.348][response][INFO] (sync) GET /api/sync?<data..> => 200 OK [2025-09-01 15:15:40.375][request][INFO] POST /identity/connect/token [2025-09-01 15:15:40.786][response][INFO] (login) POST /identity/connect/token => 200 OK [2025-09-01 15:15:40.796][request][INFO] GET /api/sync?excludeDomains=true [2025-09-01 15:15:40.851][response][INFO] (sync) GET /api/sync?<data..> => 200 OK [2025-09-01 15:15:40.861][request][INFO] GET /api/organizations/Vaultwarden/auto-enroll-status [2025-09-01 15:15:40.869][response][INFO] (get_auto_enroll_status) GET /api/organizations/<identifier>/auto-enroll-status => 200 OK [2025-09-01 15:15:40.877][request][INFO] GET /api/organizations/XYZ/policies/master-password [2025-09-01 15:15:40.883][response][INFO] (get_master_password_policy) GET /api/organizations/<org_id>/policies/master-password => 200 OK [2025-09-01 15:15:53.082][request][INFO] POST /api/accounts/set-password [2025-09-01 
15:15:53.239][response][INFO] (post_set_password) POST /api/accounts/set-password => 200 OK [2025-09-01 15:15:53.260][request][INFO] GET /api/config [2025-09-01 15:15:53.260][response][INFO] (config) GET /api/config => 200 OK [2025-09-01 15:15:53.276][request][INFO] GET /notifications/hub?access_token=XYZ [2025-09-01 15:15:53.276][vaultwarden::api::notifications][INFO] Accepting Rocket WS connection from XYZ [2025-09-01 15:15:53.276][response][INFO] (websockets_hub) GET /notifications/hub?<data..> => 200 OK [2025-09-01 15:15:53.345][request][INFO] GET /api/accounts/revision-date [2025-09-01 15:15:53.345][request][INFO] GET /api/devices [2025-09-01 15:15:53.345][request][INFO] GET /api/accounts/revision-date [2025-09-01 15:15:53.345][request][INFO] GET /api/accounts/profile [2025-09-01 15:15:53.401][response][INFO] (revision_date) GET /api/accounts/revision-date => 200 OK [2025-09-01 15:15:53.402][response][INFO] (revision_date) GET /api/accounts/revision-date => 200 OK [2025-09-01 15:15:53.410][request][INFO] POST /identity/connect/token [2025-09-01 15:15:53.410][response][INFO] (get_all_devices) GET /api/devices => 200 OK [2025-09-01 15:15:53.416][response][INFO] (profile) GET /api/accounts/profile => 200 OK [2025-09-01 15:15:53.848][response][INFO] (login) POST /identity/connect/token => 200 OK [2025-09-01 15:15:53.858][request][INFO] GET /api/sync?excludeDomains=true [2025-09-01 15:15:53.927][response][INFO] (sync) GET /api/sync?<data..> => 200 OK [2025-09-01 15:15:58.027][vaultwarden::api::notifications][INFO] Closing WS connection from XYZ [2025-09-01 15:16:00.260][request][INFO] POST /api/organizations/domain/sso/verified [2025-09-01 15:16:00.265][response][INFO] (get_org_domain_sso_verified) POST /api/organizations/domain/sso/verified => 200 OK [2025-09-01 15:16:00.274][request][INFO] GET /identity/sso/prevalidate?domainHint=Vaultwarden [2025-09-01 15:16:00.274][response][INFO] (prevalidate) GET /identity/sso/prevalidate => 200 OK [2025-09-01 
15:16:00.304][request][INFO] GET /identity/connect/authorize?client_id=web&redirect_uri=htt [2025-09-01 15:16:00.530][response][INFO] (authorize) GET /identity/connect/authorize?<data..> => 307 Temporary Redirect [2025-09-01 15:16:02.436][request][INFO] GET /identity/connect/oidc-signin?code=XYZ [2025-09-01 15:16:02.449][response][INFO] (oidcsignin) GET /identity/connect/oidc-signin?<code>&<state> => 307 Temporary Redirect [2025-09-01 15:16:03.026][request][INFO] POST /identity/connect/token [2025-09-01 15:16:03.509][vaultwarden::api::identity][ERROR] Login failure (https://login.microsoftonline.com/XYZ/v2.0/XYZ), existing non SSO user (XYZ-ID) with same email (XYZ@mycompany.de) and association is disabled [2025-09-01 15:16:03.510][response][INFO] (login) POST /identity/connect/token => 400 Bad Request ``` prior to this, i deleted the problematic user from vaultwarden.

@Timshel commented on GitHub (Sep 1, 2025):

No idea what could be happening:

[2025-09-01 15:15:40.275][response][INFO] (login) POST /identity/connect/token => 200 OK

The initial login returns 200, so the identifier should be saved in the sso_user table.
After this the only way to delete the entry should be via the admin endpoint (a call to /users/<user_id>/sso would be visible).

But later it can't be found again :(.

Edit: was able to reproduce; will look at it.

<!-- gh-comment-id:3242842999 --> @Timshel commented on GitHub (Sep 1, 2025): No idea what could be happening: ```logs [2025-09-01 15:15:40.275][response][INFO] (login) POST /identity/connect/token => 200 OK ``` Initial login return 200, so the identifier should be saved in the `sso_user` table. After this the only way to delete the entry should be via the admin endpoint (a call to `/users/<user_id>/sso` would be visible). But later it can't be found again :(. Edit: was able to reproduce will look at it.