[GH-ISSUE #6230] SSO: error with Authentik #2375

Closed
opened 2026-03-03 02:17:44 +03:00 by kerem · 9 comments

Originally created by @tugdualenligne on GitHub (Aug 26, 2025).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/6230

Prerequisites

Vaultwarden Support String

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.34.3-7161f612
  • Web-vault version: v2025.7.2
  • OS/Arch: linux/x86_64
  • Running within a container: true (Base: Debian)
  • Database type: SQLite
  • Database version: 3.50.2
  • Uses config.json: true
  • Uses a reverse proxy: true
  • IP Header check: true (X-Real-IP)
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • TZ environment: Europe/Paris
  • Browser/Server Time Check: false
  • Server/NTP Time Check: false
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Websocket Check: true
  • HTTP Response Checks: false

Config & Details (Generated via diagnostics page)

Show Config & Details

Environment settings which are overridden: SIGNUPS_ALLOWED, ADMIN_TOKEN

Failed HTTP Checks:

2FA Connector calls:
Header: 'x-frame-options' is present while it should not

Config:

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": false,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "***:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_idle_timeout": 600,
  "database_max_conns": 10,
  "database_min_conns": 2,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://*****************",
  "domain_origin": "*****://*****************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "purge_incomplete_sso_nonce": "0 20 0 * * *",
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "********************",
  "smtp_from_name": "Vaultwarden du-plessis.fr",
  "smtp_host": "**************",
  "smtp_password": "***",
  "smtp_port": 465,
  "smtp_security": "force_tls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "********************",
  "sso_allow_unknown_email_verification": false,
  "sso_audience_trusted": null,
  "sso_auth_only_not_session": false,
  "sso_authority": "*****://*********************************************",
  "sso_authorize_extra_params": "",
  "sso_callback_path": "*****://**********************************************",
  "sso_client_cache_expiration": 0,
  "sso_client_id": "****************************************",
  "sso_client_secret": "***",
  "sso_debug_tokens": false,
  "sso_enabled": true,
  "sso_master_password_policy": null,
  "sso_only": false,
  "sso_pkce": true,
  "sso_scopes": "openid email profile offline_access",
  "sso_signups_match_email": true,
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Vaultwarden Build Version

testing

Deployment method

Official Container Image

Custom deployment method

I get the following error while launching the Testing docker image and coupling it with an Authentik instance:

Failed to contact token endpoint: Parse(Error { path: Path { segments: [] }, original: Error("Invalid JSON web token: found 5 parts (expected 3)", line: 1, column: 6990) }, [123, 34, 97, 99, 99, 101, 115, 115, 95, 116, 111, 107, 101, 110, 34, 58, 32, 34, 101, 121, 74, 104, 98, 71, 99, 105, 79, 105, 74, 83, 85, 48, 69, 116, 84, 48, 70, 70, 85, 67, 48, 121, 78, 84, 89, 105, 76, 67, 74, 108, 98, 109, 77, 105, 79, 105, 74, 66, 77, 106, 85, 50, 81, 48, 74, 68, 76, 85, 104, 84, 78, 84, 69, 121, 73, 105, 119, 105, 97, 50, 108, 107, 73, 106, 111, 105, 78, 122, 73, 48, 78, 87, 81, 52, 78, 106, 99, 48, 77, 50, 81, 51, 77, 68, 73, 52, 90, 68, 82, 107, 79, 87, 85, 121, 77, 68, 81, 50, 78, 84, 85, 119, 79, 87, 70, 104, 90, 71, 77, 105, 76, 67, 74, 48, 101, 88, 65, 105, 79, 105, 74, 75, 86, 48, 85, 105, 102, 81, 46, 104, 86, 103, 66, 120, 51, 86, 101, 50, 53, 68, 118, 71, 101, 103, 85, 76, 51, 77, 107, 65, 120, 56, 98, 88, 78, 73, 49, 55, 74, 104, 95, 82, 83, 68, 106, 102, 118, 122, 66, 115, 100, 57, 80, 83, 48, 50, 51, 97, 112, 54, 112, 105, 115, 99, 90, 77, 117,

Reverse Proxy

traefik latest version (3.5 if my memory's good)

Host/Server Operating System

Linux

Operating System Version

Debian Trixie is a VM where the Docker daemon is running

Clients

Web Vault

Client Version

No response

Steps To Reproduce

I follow this guide: https://integrations.goauthentik.io/security/vaultwarden/
and set up like this within the docker-compose:
## SSO with Authentik
SSO_ENABLED: 'true'
SSO_AUTHORITY: https://auth.domain.fr/application/o/vaultwarden/
SSO_CLIENT_ID: XXXX
SSO_CLIENT_SECRET: XXXXX
SSO_SCOPES: "openid email profile offline_access"
SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION: 'false'
SSO_CLIENT_CACHE_EXPIRATION: 0
SSO_ONLY: 'false'
SSO_SIGNUPS_MATCH_EMAIL: 'true'

Expected Result

I should be able to log in using Authentik SSO

Actual Result

Error msg:
Failed to contact token endpoint: Parse(Error { path: Path { segments: [] }, original: Error("Invalid JSON web token: found 5 parts (expected 3)", line: 1, column: 6990) }, [123, 34, 97, 99, 99, 101, 115, 115, 95, 116, 111, 107, 101, 110, 34, 58, 32, 34, 101, 121, 74, 104, 98, 71, 99, 105, 79, 105, 74, 83, 85, 48, 69, 116, 84, 48, 70, 70, 85, 67, 48, 121, 78, 84, 89, 105, 76, 67, 74, 108, 98, 109, 77, 105, 79, 105, 74, 66, 77, 106, 85, 50, 81, 48, 74, 68, 76, 85, 104, 84, 78, 84, 69, 121, 73, 105, 119, 105, 97, 50, 108, 107, 73, 106, 111, 105, 78, 122, 73, 48, 78, 87, 81, 52, 78, 106, 99, 48, 77, 50, 81, 51, 77, 68, 73, 52, 90, 68, 82, 107, 79, 87, 85, 121, 77, 68, 81, 50, 78, 84, 85, 119, 79, 87, 70, 104, 90, 71, 77, 105, 76, 67, 74, 48, 101, 88, 65, 105, 79, 105, 74, 75, 86, 48, 85, 105, 102, 81, 46, 104, 86, 103, 66, 120, 51, 86, 101, 50, 53, 68, 118, 71, 101, 103, 85, 76, 51, 77, 107, 65, 120, 56, 98, 88, 78, 73, 49, 55, 74, 104, 95, 82, 83, 68, 106, 102, 118, 122, 66, 115, 100, 57, 80, 83, 48, 50, 51, 97, 112, 54, 112, 105, 115, 99, 90, 77, 117,

Logs


Screenshots or Videos

No response

Additional Context

No response

kerem 2026-03-03 02:17:44 +03:00
  • closed this issue
  • added the
    bug
    SSO
    labels

@AdriSchmi commented on GitHub (Aug 29, 2025):

Authentik works, I have it running, but when I change the username in Vaultwarden and have the toggle SSO_SIGNUPS_MATCH_EMAIL on false, the user is no longer an SSO user after the change. @tugdualenligne did you set this in authentik?

Image

@tugdualenligne commented on GitHub (Aug 29, 2025):

Thx for your msg
Yes, sir, I do have this setting in my Authentik provider for Vaultwarden
Not sure though about the 1st part of your comment: I never changed from true to false, it is and has always been set at true
Would you mind sharing screenshots of your Authentik config for Vaultwarden? (Obfuscating the ID and secret of course)


@Timshel commented on GitHub (Sep 1, 2025):

Hey,
Can you check that you can access https://auth.domain.fr/application/o/vaultwarden/.well-known/openid-configuration from inside the container?

Another issue which was encountered is that in the configuration, id_token_signing_alg_values_supported returns only HS256 (RS256 is mandatory per the spec). If that's the case you can edit the signing key and save it again: https://github.com/Timshel/vaultwarden/issues/107#issuecomment-3200007338


@tugdualenligne commented on GitHub (Sep 1, 2025):

Thanks for your message
I get an HTTP 200, so it works within the container
I already have a signing key assigned; I tried with another one, it doesn't change anything
Any other idea welcome! Many thanks


@jankirsten commented on GitHub (Sep 2, 2025):

I got stuck at the exact same error message. It can be also fixed by changing the provider config in Authentik:

  1. Open Authentik admin panel > Providers > Open your Vaultwarden provider
  2. Click Edit > Make sure Encryption Key is empty.
  3. If not empty: Select -------- in the dropdown.
  4. Make sure not to touch the Signing Key, a valid certificate has to be selected
  5. Click Update
  6. Retry

Explanation:
Vaultwarden/the underlying library seems to expect a 3-part JSON Web Token. The error message contains the token Vaultwarden obtains from Authentik. When you decode the complete token (decimal -> ASCII) you can see the access token provided by Authentik consists of five parts (delimited by .). This format is used for encrypted tokens (JWE). When you deselect the Encryption Key in Authentik, JWTs are only signed (JWS) and can be processed by Vaultwarden.
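
The decimal-to-ASCII decoding described above, worked through as an added example (not code from the issue, Vaultwarden or Authentik): it rebuilds the start of the token response from the byte dump quoted in the error, parses the access_token's protected header (the alg, enc, kid and typ values come out of that dump), and uses the header's enc member plus the segment count to tell a signed JWS (3 parts) from an encrypted JWE (5 parts). The two complete tokens at the end are constructed stand-ins, not real tokens.

```python
import base64
import json
import re

# Start of the decimal byte dump Vaultwarden appends to its "Invalid JSON web
# token: found 5 parts (expected 3)" error, copied from the issue above. The
# dump there is cut off, so only the protected header and the start of the
# second segment of the access_token survive; that is enough to classify it.
ERROR_BYTES_DECIMAL = """
123, 34, 97, 99, 99, 101, 115, 115, 95, 116, 111, 107, 101, 110, 34, 58, 32, 34,
101, 121, 74, 104, 98, 71, 99, 105, 79, 105, 74, 83, 85, 48, 69, 116, 84, 48, 70, 70,
85, 67, 48, 121, 78, 84, 89, 105, 76, 67, 74, 108, 98, 109, 77, 105, 79, 105, 74, 66,
77, 106, 85, 50, 81, 48, 74, 68, 76, 85, 104, 84, 78, 84, 69, 121, 73, 105, 119, 105,
97, 50, 108, 107, 73, 106, 111, 105, 78, 122, 73, 48, 78, 87, 81, 52, 78, 106, 99, 48,
77, 50, 81, 51, 77, 68, 73, 52, 90, 68, 82, 107, 79, 87, 85, 121, 77, 68, 81, 50,
78, 84, 85, 119, 79, 87, 70, 104, 90, 71, 77, 105, 76, 67, 74, 48, 101, 88, 65, 105,
79, 105, 74, 75, 86, 48, 85, 105, 102, 81, 46, 104, 86, 103, 66, 120, 51, 86, 101, 50,
53, 68, 118, 71, 101, 103, 85, 76, 51, 77, 107, 65, 120, 56, 98, 88, 78, 73, 49, 55,
74, 104, 95, 82, 83, 68, 106, 102, 118, 122, 66, 115, 100, 57, 80, 83, 48, 50, 51, 97,
112, 54, 112, 105, 115, 99, 90, 77, 117,
"""

def decode_error_bytes(decimal_text):
    """Decimal -> ASCII: rebuild the token-endpoint response body from the dump."""
    return bytes(int(v) for v in re.findall(r"\d+", decimal_text)).decode("utf-8", "replace")

def extract_access_token(response_text):
    """Pull the access_token value out of the (possibly truncated) JSON body."""
    match = re.search(r'"access_token"\s*:\s*"([^"]*)', response_text)
    if match is None:
        raise ValueError("no access_token field in token response")
    return match.group(1)

def b64url_decode(segment):
    """JOSE strips base64url padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jose_header(token):
    """Parse the protected header, i.e. the first dot-separated segment."""
    return json.loads(b64url_decode(token.split(".")[0]))

def is_encrypted(header):
    """RFC 7516 requires "enc" in a JWE header; RFC 7515 forbids it in a JWS header."""
    return "enc" in header

def classify_token(token):
    """(kind, part_count) for a complete compact token: a JWS has 3 segments, a JWE 5."""
    parts = token.split(".")
    encrypted = is_encrypted(jose_header(token))
    if len(parts) == 5 and encrypted:
        return "JWE", 5
    if len(parts) == 3 and not encrypted:
        return "JWS", 3
    return "unknown", len(parts)

def page_token_header():
    """Header of the (truncated) access token from the issue's error dump."""
    return jose_header(extract_access_token(decode_error_bytes(ERROR_BYTES_DECIMAL)))

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

# Constructed stand-ins (not real tokens) showing both shapes end to end: the
# signed JWS Vaultwarden expects, and the JWE Authentik emits once an
# Encryption Key is selected on the provider.
CONSTRUCTED_JWS = ".".join([
    _b64url(b'{"alg":"RS256","typ":"JWT"}'),
    _b64url(b'{"sub":"example-user","email":"user@example.invalid"}'),
    _b64url(b"not-a-real-signature"),
])
CONSTRUCTED_JWE = ".".join([
    _b64url(b'{"alg":"RSA-OAEP-256","enc":"A256CBC-HS512","typ":"JWE"}'),
    _b64url(b"encrypted-key"), _b64url(b"iv"), _b64url(b"ciphertext"), _b64url(b"tag"),
])

if __name__ == "__main__":
    header = page_token_header()
    print("header from the issue's dump:", header)
    print("encrypted (JWE)?", is_encrypted(header))  # True: an Encryption Key is set
    print(classify_token(CONSTRUCTED_JWS), classify_token(CONSTRUCTED_JWE))
```

The header recovered from the dump carries "enc" and "typ": "JWE", which on its own shows the provider is encrypting the token; the "found 5 parts" count is the same fact seen from the other end.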


@tugdualenligne commented on GitHub (Sep 2, 2025):

U're the man! It works. I can now authenticate through Authentik and then open my vault, many thanks.
We'll need to update the Vaultwarden and Authentik configurations documentation about that specificity (I'll try contact the Authentik team)



@Timshel commented on GitHub (Sep 2, 2025):

Sorry for the previous message I had missed that the parse error was not on the discovery but on the parsing of the token itself 😅.

I have updated the wiki with both troubleshooting tips: https://github.com/dani-garcia/vaultwarden/wiki/Enabling-SSO-support-using-OpenId-Connect#troubleshooting


@stefan0xC commented on GitHub (Jan 4, 2026):

> I have updated the wiki with both troubleshooting tips: https://github.com/dani-garcia/vaultwarden/wiki/Enabling-SSO-support-using-OpenId-Connect#troubleshooting

While I think that the problem has already been resolved and thus this issue probably can be closed, I noticed that the link in your comment above https://github.com/dani-garcia/vaultwarden/issues/6230#issuecomment-3243136510 is not working anymore (I'm assuming because you have disabled the issues page in your repository) and thus the first troubleshooting tip in the wiki would be a bit incomplete as well. If you could make your issues accessible again for a day or two I can transfer the steps into the wiki.

@Timshel commented on GitHub (Jan 4, 2026):

@stefan0xC reopened the issues and added the content: https://github.com/dani-garcia/vaultwarden/wiki/Enabling-SSO-support-using-OpenId-Connect/_compare/dd37eec90be363d159ceabc7f2a5e37b0f5dd805...dfea5723908f2f4e6460add318cbc3d34f85f292