[GH-ISSUE #6322] SSO fails in IPv6-only environments #2403

New issue

Closed

opened 2026-03-03 02:17:59 +03:00 by kerem · 5 comments

kerem commented 2026-03-03 02:17:59 +03:00

Owner

Copy link

Originally created by @devksingh4 on GitHub (Sep 23, 2025).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/6322

Prerequisites

• I have searched the existing Closed AND Open Issues AND Discussions
• I have searched and read the documentation

Vaultwarden Support String

Your environment (Generated via diagnostics page)

• Vaultwarden version: v1.34.3-a2ad1dc7
• Web-vault version: v2025.8.0
• OS/Arch: linux/aarch64
• Running within a container: true (Base: Debian)
• Database type: SQLite
• Database version: 3.50.2
• Uses config.json: true
• Uses a reverse proxy: true
• IP Header check: true (X-Forwarded-For)
• Internet access: true
• Internet access via a proxy: false
• DNS Check: true
• TZ environment: America/Chicago
• Browser/Server Time Check: true
• Server/NTP Time Check: true
• Domain Configuration Check: true
• HTTPS Check: true
• Websocket Check: false
• HTTP Response Checks: true

Config & Details (Generated via diagnostics page)

Show Config & Details

Environment settings which are overridden: DOMAIN, SIGNUPS_ALLOWED, SHOW_PASSWORD_HINT, ADMIN_TOKEN, IP_HEADER, SSO_ENABLED, SSO_ONLY, SSO_SIGNUPS_MATCH_EMAIL, SSO_CLIENT_ID, SSO_CLIENT_SECRET, SSO_AUTHORITY, SSO_SCOPES, SMTP_HOST, SMTP_SECURITY, SMTP_PORT, SMTP_FROM, SMTP_FROM_NAME, SMTP_USERNAME, SMTP_PASSWORD

Config:

{
  "_duo_akey": null,
  "_enable_duo": false,
  "_enable_email_2fa": false,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "***:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_idle_timeout": 600,
  "database_max_conns": 10,
  "database_min_conns": 2,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": true,
  "domain": "*****://**********************",
  "domain_origin": "*****://**********************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": 90,
  "experimental_client_feature_flags": "",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": "***",
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "ACM @ UIUC Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Forwarded-For",
  "job_poll_interval_ms": 30000,
  "log_file": "/data/bitwarden.log",
  "log_level": "info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": true,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "purge_incomplete_sso_nonce": "0 20 0 * * *",
  "push_enabled": true,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": true,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": true,
  "signups_domains_whitelist": "************,****************",
  "signups_verify": true,
  "signups_verify_resend_limit": 4,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "************************",
  "smtp_from_name": "ACM @ UIUC Vault",
  "smtp_host": "**********************************",
  "smtp_password": "***",
  "smtp_port": 465,
  "smtp_security": "force_tls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "********************",
  "sso_allow_unknown_email_verification": false,
  "sso_audience_trusted": null,
  "sso_auth_only_not_session": false,
  "sso_authority": "*****://*******************************************************************",
  "sso_authorize_extra_params": "",
  "sso_callback_path": "*****://***************************************************",
  "sso_client_cache_expiration": 0,
  "sso_client_id": "************************************",
  "sso_client_secret": "***",
  "sso_debug_tokens": false,
  "sso_enabled": true,
  "sso_master_password_policy": null,
  "sso_only": true,
  "sso_pkce": true,
  "sso_scopes": "openid profile offline_access User.Read",
  "sso_signups_match_email": true,
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Vaultwarden Build Version

v1.34.3-a2ad1dc7

Deployment method

Official Container Image

Custom deployment method

No response

Reverse Proxy

Caddy 2.1

Host/Server Operating System

Linux

Operating System Version

Ubuntu 24.04

Clients

Web Vault

Client Version

No response

Steps To Reproduce

1. Deploy to AWS EC2 vm (or similar)
2. Disable IPv4 access (IPv6 only).
3. Enable SSO with Entra ID
4. Click "Use single sign-on" in web vault.

Expected Result

The sign on should succeed and present me with the unlock screen.

Actual Result

The SSO hangs forever.

Logs

Screenshots or Videos

Additional Context

I am using Entra ID for SSO. I have validated that other docker containers on that host are able to use IPv6. login.microsoftonline.com supports IPv6 as well.

Originally created by @devksingh4 on GitHub (Sep 23, 2025). Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/6322 ### Prerequisites - [x] I have searched the existing **Closed _AND_ Open** [Issues](https://github.com/dani-garcia/vaultwarden/issues?q=is%3Aissue%20) **_AND_** [Discussions](https://github.com/dani-garcia/vaultwarden/discussions?discussions_q=) - [x] I have searched and read the [documentation](https://github.com/dani-garcia/vaultwarden/wiki/) ### Vaultwarden Support String ### Your environment (Generated via diagnostics page) * Vaultwarden version: v1.34.3-a2ad1dc7 * Web-vault version: v2025.8.0 * OS/Arch: linux/aarch64 * Running within a container: true (Base: Debian) * Database type: SQLite * Database version: 3.50.2 * Uses config.json: true * Uses a reverse proxy: true * IP Header check: true (X-Forwarded-For) * Internet access: true * Internet access via a proxy: false * DNS Check: true * TZ environment: America/Chicago * Browser/Server Time Check: true * Server/NTP Time Check: true * Domain Configuration Check: true * HTTPS Check: true * Websocket Check: false * HTTP Response Checks: true ### Config & Details (Generated via diagnostics page) <details><summary>Show Config & Details</summary> **Environment settings which are overridden:** DOMAIN, SIGNUPS_ALLOWED, SHOW_PASSWORD_HINT, ADMIN_TOKEN, IP_HEADER, SSO_ENABLED, SSO_ONLY, SSO_SIGNUPS_MATCH_EMAIL, SSO_CLIENT_ID, SSO_CLIENT_SECRET, SSO_AUTHORITY, SSO_SCOPES, SMTP_HOST, SMTP_SECURITY, SMTP_PORT, SMTP_FROM, SMTP_FROM_NAME, SMTP_USERNAME, SMTP_PASSWORD **Config:** ```json { "_duo_akey": null, "_enable_duo": false, "_enable_email_2fa": false, "_enable_smtp": true, "_enable_yubico": true, "_icon_service_csp": "", "_icon_service_url": "", "_ip_header_enabled": true, "_max_note_size": 10000, "_smtp_img_src": "***:", "admin_ratelimit_max_burst": 3, "admin_ratelimit_seconds": 300, "admin_session_lifetime": 20, "admin_token": "***", "allowed_connect_src": "", "allowed_iframe_ancestors": "", "attachments_folder": "data/attachments", "auth_request_purge_schedule": "30 * * * * *", "authenticator_disable_time_drift": false, "data_folder": "data", "database_conn_init": "", "database_idle_timeout": 600, "database_max_conns": 10, "database_min_conns": 2, "database_timeout": 30, "database_url": "***************", "db_connection_retries": 15, "disable_2fa_remember": false, "disable_admin_token": false, "disable_icon_download": true, "domain": "*****://**********************", "domain_origin": "*****://**********************", "domain_path": "", "domain_set": true, "duo_context_purge_schedule": "30 * * * * *", "duo_host": null, "duo_ikey": null, "duo_skey": null, "duo_use_iframe": false, "email_2fa_auto_fallback": false, "email_2fa_enforce_on_verified_invite": false, "email_attempts_limit": 3, "email_change_allowed": true, "email_expiration_time": 600, "email_token_size": 6, "emergency_access_allowed": true, "emergency_notification_reminder_schedule": "0 3 * * * *", "emergency_request_timeout_schedule": "0 7 * * * *", "enable_db_wal": true, "enable_websocket": true, "enforce_single_org_with_reset_pw_policy": false, "event_cleanup_schedule": "0 10 0 * * *", "events_days_retain": 90, "experimental_client_feature_flags": "", "extended_logging": true, "helo_name": null, "hibp_api_key": "***", "http_request_block_non_global_ips": true, "http_request_block_regex": null, "icon_blacklist_non_global_ips": true, "icon_blacklist_regex": null, "icon_cache_folder": "data/icon_cache", "icon_cache_negttl": 259200, "icon_cache_ttl": 2592000, "icon_download_timeout": 10, "icon_redirect_code": 302, "icon_service": "internal", "incomplete_2fa_schedule": "30 * * * * *", "incomplete_2fa_time_limit": 3, "increase_note_size_limit": false, "invitation_expiration_hours": 120, "invitation_org_name": "ACM @ UIUC Vaultwarden", "invitations_allowed": true, "ip_header": "X-Forwarded-For", "job_poll_interval_ms": 30000, "log_file": "/data/bitwarden.log", "log_level": "info", "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f", "login_ratelimit_max_burst": 10, "login_ratelimit_seconds": 60, "org_attachment_limit": null, "org_creation_users": "", "org_events_enabled": true, "org_groups_enabled": false, "password_hints_allowed": true, "password_iterations": 600000, "purge_incomplete_sso_nonce": "0 20 0 * * *", "push_enabled": true, "push_identity_uri": "https://identity.bitwarden.com", "push_installation_id": "***", "push_installation_key": "***", "push_relay_uri": "https://push.bitwarden.com", "reload_templates": false, "require_device_email": true, "rsa_key_filename": "data/rsa_key", "send_purge_schedule": "0 5 * * * *", "sendmail_command": null, "sends_allowed": true, "sends_folder": "data/sends", "show_password_hint": false, "signups_allowed": true, "signups_domains_whitelist": "************,****************", "signups_verify": true, "signups_verify_resend_limit": 4, "signups_verify_resend_time": 3600, "smtp_accept_invalid_certs": false, "smtp_accept_invalid_hostnames": false, "smtp_auth_mechanism": null, "smtp_debug": false, "smtp_embed_images": true, "smtp_explicit_tls": null, "smtp_from": "************************", "smtp_from_name": "ACM @ UIUC Vault", "smtp_host": "**********************************", "smtp_password": "***", "smtp_port": 465, "smtp_security": "force_tls", "smtp_ssl": null, "smtp_timeout": 15, "smtp_username": "********************", "sso_allow_unknown_email_verification": false, "sso_audience_trusted": null, "sso_auth_only_not_session": false, "sso_authority": "*****://*******************************************************************", "sso_authorize_extra_params": "", "sso_callback_path": "*****://***************************************************", "sso_client_cache_expiration": 0, "sso_client_id": "************************************", "sso_client_secret": "***", "sso_debug_tokens": false, "sso_enabled": true, "sso_master_password_policy": null, "sso_only": true, "sso_pkce": true, "sso_scopes": "openid profile offline_access User.Read", "sso_signups_match_email": true, "templates_folder": "data/templates", "tmp_folder": "data/tmp", "trash_auto_delete_days": null, "trash_purge_schedule": "0 5 0 * * *", "use_sendmail": false, "use_syslog": false, "user_attachment_limit": null, "user_send_limit": null, "web_vault_enabled": true, "web_vault_folder": "web-vault/", "yubico_client_id": null, "yubico_secret_key": null, "yubico_server": null } ``` </details> ### Vaultwarden Build Version v1.34.3-a2ad1dc7 ### Deployment method Official Container Image ### Custom deployment method _No response_ ### Reverse Proxy Caddy 2.1 ### Host/Server Operating System Linux ### Operating System Version Ubuntu 24.04 ### Clients Web Vault ### Client Version _No response_ ### Steps To Reproduce 1. Deploy to AWS EC2 vm (or similar) 2. Disable IPv4 access (IPv6 only). 3. Enable SSO with Entra ID 4. Click "Use single sign-on" in web vault. ### Expected Result The sign on should succeed and present me with the unlock screen. ### Actual Result The SSO hangs forever. ### Logs ```text ``` ### Screenshots or Videos <img width="553" height="426" alt="Image" src="https://github.com/user-attachments/assets/7232eefb-d031-47ed-b4a6-559cd6a92449" /> ### Additional Context I am using Entra ID for SSO. I have validated that other docker containers on that host are able to use IPv6. login.microsoftonline.com supports IPv6 as well.

kerem 2026-03-03 02:17:59 +03:00

• closed this issue
• added the
  bug
  label

kerem commented 2026-03-03 02:18:01 +03:00

Author

Owner

Copy link

@devksingh4 commented on GitHub (Sep 23, 2025):

This could be related to #6301 ? I don't see any DNS logs in the docker compose logs though.

<!-- gh-comment-id:3324583943 --> @devksingh4 commented on GitHub (Sep 23, 2025): This could be related to #6301 ? I don't see any DNS logs in the docker compose logs though.

kerem commented 2026-03-03 02:18:01 +03:00

Author

Owner

Copy link

@BlackDex commented on GitHub (Sep 23, 2025):

Same for you then. Do you use a DNS64/NAT64 solution?
Because only resolving IPv6 addresses first will then still cause issues with IPv4 only domains.

<!-- gh-comment-id:3324608633 --> @BlackDex commented on GitHub (Sep 23, 2025): Same for you then. Do you use a DNS64/NAT64 solution? Because only resolving IPv6 addresses first will then still cause issues with IPv4 only domains.

kerem commented 2026-03-03 02:18:01 +03:00

Author

Owner

Copy link

@devksingh4 commented on GitHub (Sep 23, 2025):

I am running on AWS which I believe has native IPv6, so no DNS64/NAT64.
login.microsoftonline.com natively supports IPv6 per dig output.

<!-- gh-comment-id:3324619487 --> @devksingh4 commented on GitHub (Sep 23, 2025): I am running on AWS which I believe has native IPv6, so no DNS64/NAT64. login.microsoftonline.com natively supports IPv6 per dig output.

kerem commented 2026-03-03 02:18:01 +03:00

Author

Owner

Copy link

@devksingh4 commented on GitHub (Sep 23, 2025):

Rather, it looks like I gave you all useless debug info :)

It looks like there is no internet at all in an IPv6-only environment - I just noticed it when logging in with SSO:

<!-- gh-comment-id:3324640536 --> @devksingh4 commented on GitHub (Sep 23, 2025): Rather, it looks like I gave you all useless debug info :) It looks like there is no internet at all in an IPv6-only environment - I just noticed it when logging in with SSO: <img width="599" height="71" alt="Image" src="https://github.com/user-attachments/assets/11db3578-8b48-4e4e-87f6-ff48549e1dfb" />

kerem commented 2026-03-03 02:18:01 +03:00

Author

Owner

Copy link

@devksingh4 commented on GitHub (Sep 23, 2025):

Configuration issue on my part 🤦

For future users, you must enable IPv6 in both the docker daemon and the docker compose file. In compose add:

networks:
  bitwarden_network:
    enable_ipv6: true

and assign both your reverse proxy container and the bitwarden to that network.

The admin page will say no internet access, probably as it uses an IPv4-only domain to check.

<!-- gh-comment-id:3324673122 --> @devksingh4 commented on GitHub (Sep 23, 2025): Configuration issue on my part 🤦 For future users, you must enable IPv6 in _both_ the docker daemon and the docker compose file. In compose add: ``` networks: bitwarden_network: enable_ipv6: true ``` and assign both your reverse proxy container and the bitwarden to that network. The admin page will say no internet access, probably as it uses an IPv4-only domain to check.

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

revert-7033-patch-1

cached-config-operations

test_dylint

1.35.8

1.35.7

1.35.6

1.35.5

1.35.4

1.35.3

1.35.2

1.35.1

1.35.0

1.34.3

1.34.2

1.34.1

1.34.0

1.33.2

1.33.1

1.33.0

1.32.7

1.32.6

1.32.5

1.32.4

1.32.3

1.32.2

1.32.1

1.32.0

1.31.0

1.30.5

1.30.4

1.30.3

1.30.2

1.30.1

1.30.0

1.29.2

1.29.1

1.29.0

1.28.1

1.28.0

1.27.0

1.26.0

1.25.2

1.25.1

1.25.0

1.24.0

1.23.1

1.23.0

1.22.2

1.22.1

1.22.0

1.21.0

1.20.0

1.19.0

1.18.0

1.17.0

1.16.3

1.16.2

1.16.1

1.16.0

1.15.1

1.15.0

1.14.2

1.14.1

1.14

1.13.1

1.13.0

1.12.0

1.11.0

1.10.0

1.9.1

1.9.0

1.8.0

1.7.0

1.6.1

1.6.0

1.5.0

1.4.0

1.3.0

1.2.0

1.1.0

1.0.0

0.13.0

0.12.0

0.11.0

0.10.0

0.9.0

Labels

Clear labels   

SSO

  

Third party

  

better for forum

  

bug

  

bug

  

documentation

  

duplicate

  

enhancement

  

future Vault

  

future Vault

  

future Vault

  

good first issue

  

help wanted

  

low priority

  

notes

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

troubleshooting

  

wontfix

No labels

SSO

Third party

better for forum

bug

bug

documentation

duplicate

enhancement

future Vault

future Vault

future Vault

good first issue

help wanted

low priority

notes

pull-request

question

troubleshooting

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/vaultwarden#2403

No description provided.