[PR #3154] [CLOSED] Sso Support based off existing PR's #3235

New issue

Closed

opened 2026-03-03 09:42:02 +03:00 by kerem · 0 comments

kerem commented

2026-03-03 09:42:02 +03:00

Owner

📋 Pull Request Information

Original PR: https://github.com/dani-garcia/vaultwarden/pull/3154
Author: @bmunro-peralex
Created: 1/19/2023
Status: ❌ Closed

Base: main ← Head: sso-support

📝 Commits (1)

f59b11a Add SSO functionality using OpenID Connect

📊 Changes

31 files changed (+1225 additions, -59 deletions)

View changed files

📝 .env.template (+11 -0)
📝 Cargo.lock (+498 -4)
📝 Cargo.toml (+3 -0)
➕ migrations/mysql/2023-02-01-133000_add_sso/down.sql (+1 -0)
➕ migrations/mysql/2023-02-01-133000_add_sso/up.sql (+3 -0)
➕ migrations/postgresql/2023-02-01-133000_add_sso/down.sql (+1 -0)
➕ migrations/postgresql/2023-02-01-133000_add_sso/up.sql (+3 -0)
➕ migrations/sqlite/2023-02-01-133000_add_sso/down.sql (+1 -0)
➕ migrations/sqlite/2023-02-01-133000_add_sso/up.sql (+3 -0)
📝 src/api/core/accounts.rs (+71 -2)
📝 src/api/core/organizations.rs (+37 -0)
📝 src/api/core/two_factor/authenticator.rs (+2 -7)
📝 src/api/core/two_factor/duo.rs (+2 -6)
📝 src/api/core/two_factor/email.rs (+3 -9)
📝 src/api/core/two_factor/mod.rs (+16 -8)
📝 src/api/core/two_factor/webauthn.rs (+2 -6)
📝 src/api/core/two_factor/yubikey.rs (+2 -6)
📝 src/api/identity.rs (+346 -6)
📝 src/auth.rs (+23 -0)
📝 src/config.rs (+29 -0)

...and 11 more files

📄 Description

Based off previous work by @pinpox and @m4w0lf
https://github.com/dani-garcia/vaultwarden/pull/2787
https://github.com/dani-garcia/vaultwarden/pull/2449

All config is now done in the environment variables, removed all unneeded calls.
Bitwarden removed the identify payload from the client so the first organization is always used when using a domain_hint

Currently Working:

Login from all web clients using sso
Creating MasterPassword on new SSO Login when no user exists.

Not Working:

Joining Organization link never fires accept so user never accepts invite during SSO login, normal login after the first SSO login that creates the account works
The above has a workaround that can be enabled to accept all invites on login

How to test:
Add the following environment variables and have at least one organization created in your instance

`
SSO_ENABLED: "true"

SSO_CLIENT_ID: "111111111111111111111111111111111"

SSO_CLIENT_SECRET: "222222222222222222222222222222222222222222222"

SSO_AUTHORITY: "https://auth.example.com"

//Optional
SSO_ACCEPTALL_INVITES: "true"
`

The callback url currently is always:
Replace example.com with your vaultwarden domain.
https://example.com/identity/connect/oidc-signin

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/dani-garcia/vaultwarden/pull/3154 **Author:** [@bmunro-peralex](https://github.com/bmunro-peralex) **Created:** 1/19/2023 **Status:** ❌ Closed **Base:** `main` ← **Head:** `sso-support` --- ### 📝 Commits (1) - [`f59b11a`](https://github.com/dani-garcia/vaultwarden/commit/f59b11ae76543128f2b6201be0e748b65ab192f7) Add SSO functionality using OpenID Connect ### 📊 Changes **31 files changed** (+1225 additions, -59 deletions) <details> <summary>View changed files</summary> 📝 `.env.template` (+11 -0) 📝 `Cargo.lock` (+498 -4) 📝 `Cargo.toml` (+3 -0) ➕ `migrations/mysql/2023-02-01-133000_add_sso/down.sql` (+1 -0) ➕ `migrations/mysql/2023-02-01-133000_add_sso/up.sql` (+3 -0) ➕ `migrations/postgresql/2023-02-01-133000_add_sso/down.sql` (+1 -0) ➕ `migrations/postgresql/2023-02-01-133000_add_sso/up.sql` (+3 -0) ➕ `migrations/sqlite/2023-02-01-133000_add_sso/down.sql` (+1 -0) ➕ `migrations/sqlite/2023-02-01-133000_add_sso/up.sql` (+3 -0) 📝 `src/api/core/accounts.rs` (+71 -2) 📝 `src/api/core/organizations.rs` (+37 -0) 📝 `src/api/core/two_factor/authenticator.rs` (+2 -7) 📝 `src/api/core/two_factor/duo.rs` (+2 -6) 📝 `src/api/core/two_factor/email.rs` (+3 -9) 📝 `src/api/core/two_factor/mod.rs` (+16 -8) 📝 `src/api/core/two_factor/webauthn.rs` (+2 -6) 📝 `src/api/core/two_factor/yubikey.rs` (+2 -6) 📝 `src/api/identity.rs` (+346 -6) 📝 `src/auth.rs` (+23 -0) 📝 `src/config.rs` (+29 -0) _...and 11 more files_ </details> ### 📄 Description Based off previous work by @pinpox and @m4w0lf https://github.com/dani-garcia/vaultwarden/pull/2787 https://github.com/dani-garcia/vaultwarden/pull/2449 All config is now done in the environment variables, removed all unneeded calls. Bitwarden removed the identify payload from the client so the first organization is always used when using a domain_hint Currently Working: - Login from all web clients using sso - Creating MasterPassword on new SSO Login when no user exists. Not Working: - Joining Organization link never fires accept so user never accepts invite during SSO login, normal login after the first SSO login that creates the account works *The above has a workaround that can be enabled to accept all invites on login* How to test: Add the following environment variables and have at least one organization created in your instance ` SSO_ENABLED: "true" SSO_CLIENT_ID: "111111111111111111111111111111111" SSO_CLIENT_SECRET: "222222222222222222222222222222222222222222222" SSO_AUTHORITY: "https://auth.example.com" //Optional SSO_ACCEPTALL_INVITES: "true" ` The callback url currently is always: Replace example.com with your vaultwarden domain. https://example.com/identity/connect/oidc-signin --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>