starred/vaultwarden
1
0
Fork 0
mirror of https://github.com/dani-garcia/vaultwarden.git synced 2026-04-26 09:46:00 +03:00
Code Issues 39 Projects Releases 5 Packages Wiki Activity

[GH-ISSUE #845] Add support for X-Forwarded-User header for external authentication #593

New issue
Closed
opened 2026-03-03 02:01:08 +03:00 by kerem · 7 comments
kerem commented 2026-03-03 02:01:08 +03:00
Owner
Copy link

Originally created by @shift on GitHub (Feb 4, 2020).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/845

Subject of the issue

To enable the external authentication (enabling OpenID/SSO) adding the support for a X-Forwarded-User header, would enable this.

Your environment

N/A

Steps to reproduce

ExternalAuth or ForwardAuth added headers (X-Forwarded-User) should allow the application to look up or create the user and log them in. Currently doesn't.

Expected behaviour

ExternalAuth or ForwardAuth added headers (X-Forwarded-User) should allow the application to look up or create the user and log them in.

Actual behaviour

Presented with the login screen.

Relevant logs

N/A

Originally created by @shift on GitHub (Feb 4, 2020). Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/845 ### Subject of the issue To enable the external authentication (enabling OpenID/SSO) adding the support for a X-Forwarded-User header, would enable this. ### Your environment N/A ### Steps to reproduce ExternalAuth or ForwardAuth added headers (X-Forwarded-User) should allow the application to look up or create the user and log them in. Currently doesn't. ### Expected behaviour ExternalAuth or ForwardAuth added headers (X-Forwarded-User) should allow the application to look up or create the user and log them in. ### Actual behaviour Presented with the login screen. ### Relevant logs N/A
kerem closed this issue 2026-03-03 02:01:08 +03:00
kerem commented 2026-03-03 02:01:09 +03:00
Author
Owner
Copy link

@mqus commented on GitHub (Feb 4, 2020):

If i understand bitwarden right, then the password is not only used for authentication, but also for decryption of the passwords, so using a third-party-authentication doesn't make much sense if you don't also get the password. Could you clarify what exactly you expect,how it would work from a users perspective and at least specify the client you are expecting this to work on? Afaik, upstream clients don't support this, but please correct me if I'm wrong.

<!-- gh-comment-id:582021861 --> @mqus commented on GitHub (Feb 4, 2020): If i understand bitwarden right, then the password is not only used for authentication, but also for decryption of the passwords, so using a third-party-authentication doesn't make much sense if you don't also get the password. Could you clarify what exactly you expect,how it would work from a users perspective and at least specify the client you are expecting this to work on? Afaik, upstream clients don't support this, but please correct me if I'm wrong.
kerem commented 2026-03-03 02:01:09 +03:00
Author
Owner
Copy link

@mprasil commented on GitHub (Feb 6, 2020):

I think @mqus is correct. The password sent to the server is derived from your master password, so you can't really use some form of SSO without somehow compromising the client side encryption. (essentially the same issue as there is with implementing built-in LDAP auth support #677)

<!-- gh-comment-id:582802169 --> @mprasil commented on GitHub (Feb 6, 2020): I think @mqus is correct. The password sent to the server is derived from your master password, so you can't really use some form of SSO without somehow compromising the client side encryption. (essentially the same issue as there is with implementing built-in LDAP auth support #677)
kerem commented 2026-03-03 02:01:09 +03:00
Author
Owner
Copy link

@Crow-Control commented on GitHub (Mar 10, 2020):

@dani-garcia You can close this, this is basically impossible with Bitwarden.

It would require that the server could login the user without actually having the password, which (even with the current mockup LDAP code) would never be possible with Bitwarden.

<!-- gh-comment-id:597311097 --> @Crow-Control commented on GitHub (Mar 10, 2020): @dani-garcia You can close this, this is basically impossible with Bitwarden. It would require that the server could login the user without actually having the password, which (even with the current mockup LDAP code) would never be possible with Bitwarden.
kerem commented 2026-03-03 02:01:09 +03:00
Author
Owner
Copy link

@rperpe commented on GitHub (Jan 7, 2022):

I don't publish any service directly to the internet and therefore users need to authenticate against the reverse proxy in front first.

Therefore I'd like to forward authenticated user's e-mail address as a HTTP header to vaultwarden and skip e-mail prompt.

<!-- gh-comment-id:1007497188 --> @rperpe commented on GitHub (Jan 7, 2022): I don't publish any service directly to the internet and therefore users need to authenticate against the reverse proxy in front first. Therefore I'd like to forward authenticated user's e-mail address as a HTTP header to vaultwarden and skip e-mail prompt.
kerem commented 2026-03-03 02:01:09 +03:00
Author
Owner
Copy link

@Crow-Control commented on GitHub (Jan 7, 2022):

@rperpe The email prompt is part of the webgui source, which is copied mostly from the official repository.
It's not developered by vaultwarden itself.

Also: reverse proxies are inherently incompatible with the vaultwarden App as well.

<!-- gh-comment-id:1007505325 --> @Crow-Control commented on GitHub (Jan 7, 2022): @rperpe The email prompt is part of the webgui source, which is copied mostly from the official repository. It's not developered by vaultwarden itself. Also: reverse proxies are inherently incompatible with the vaultwarden App as well.
kerem commented 2026-03-03 02:01:09 +03:00
Author
Owner
Copy link

@BlackDex commented on GitHub (Jan 7, 2022):

@rperpe commenting on a close ticket isn't that useful mostly.
Also, it isn't possible, since any other auth could cause conflicts with the auth of the server it self.
And, users need to enter there password to decrypt there vault, so there is no SSO at all, not even on the offical Bitwarden app.

There seems to be some way for most clients with some quirks using authelia: https://www.reddit.com/r/selfhosted/comments/kvesf3/authelia_and_bitwarden_via_traefik/

But, we will not support those kind of solutions.

<!-- gh-comment-id:1007509643 --> @BlackDex commented on GitHub (Jan 7, 2022): @rperpe commenting on a close ticket isn't that useful mostly. Also, it isn't possible, since any other auth could cause conflicts with the auth of the server it self. And, users need to enter there password to decrypt there vault, so there is no SSO at all, not even on the offical Bitwarden app. There seems to be some way for most clients with some quirks using authelia: https://www.reddit.com/r/selfhosted/comments/kvesf3/authelia_and_bitwarden_via_traefik/ But, we will not support those kind of solutions.
kerem commented 2026-03-03 02:01:09 +03:00
Author
Owner
Copy link

@GoodiesHQ commented on GitHub (Aug 29, 2023):

I know this is old, but I just want to point out the distinction between authentication and authorization. The authentication portion can be done with SSO to Vaultwarden so your account is provisioned once an SSO claim/token is provided, but you still won't have the option to view passwords or anything until you enter your vaultwarden-specific password. This has the added benefit of the fact that once you get to the Vaultwarden password entry field, your account is already specific to you. This means that you cannot brute force anyone else's account by username/password, since you would have to authenticate as their username via SSO before you can submit the password.

<!-- gh-comment-id:1696878319 --> @GoodiesHQ commented on GitHub (Aug 29, 2023): I know this is old, but I just want to point out the distinction between authentication and authorization. The authentication portion can be done with SSO to Vaultwarden so your account is provisioned once an SSO claim/token is provided, but you still won't have the option to view passwords or anything until you enter your vaultwarden-specific password. This has the added benefit of the fact that once you get to the Vaultwarden password entry field, your account is already specific to you. This means that you cannot brute force anyone else's account by username/password, since you would have to authenticate as their username via SSO before you can submit the password.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
revert-7033-patch-1
cached-config-operations
test_dylint
1.35.8
1.35.7
1.35.6
1.35.5
1.35.4
1.35.3
1.35.2
1.35.1
1.35.0
1.34.3
1.34.2
1.34.1
1.34.0
1.33.2
1.33.1
1.33.0
1.32.7
1.32.6
1.32.5
1.32.4
1.32.3
1.32.2
1.32.1
1.32.0
1.31.0
1.30.5
1.30.4
1.30.3
1.30.2
1.30.1
1.30.0
1.29.2
1.29.1
1.29.0
1.28.1
1.28.0
1.27.0
1.26.0
1.25.2
1.25.1
1.25.0
1.24.0
1.23.1
1.23.0
1.22.2
1.22.1
1.22.0
1.21.0
1.20.0
1.19.0
1.18.0
1.17.0
1.16.3
1.16.2
1.16.1
1.16.0
1.15.1
1.15.0
1.14.2
1.14.1
1.14
1.13.1
1.13.0
1.12.0
1.11.0
1.10.0
1.9.1
1.9.0
1.8.0
1.7.0
1.6.1
1.6.0
1.5.0
1.4.0
1.3.0
1.2.0
1.1.0
1.0.0
0.13.0
0.12.0
0.11.0
0.10.0
0.9.0
Labels
Clear labels   
SSO

   
Third party

   
better for forum

   
bug

   
bug

   
documentation

   
duplicate

   
enhancement

   
future Vault

   
future Vault

   
future Vault

   
good first issue

   
help wanted

   
low priority

   
notes

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
troubleshooting

   
wontfix
No labels
SSO
Third party
better for forum
bug
bug
documentation
duplicate
enhancement
future Vault
future Vault
future Vault
good first issue
help wanted
low priority
notes
pull-request
question
troubleshooting
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/vaultwarden#593
No description provided.