[GH-ISSUE #6650] OIDC: abusive "Invalid audiences" error #11309

Closed
opened 2026-04-20 14:54:43 -05:00 by GiteaMirror · 6 comments
Owner

Originally created by @MathisTLD on GitHub (Jan 2, 2026).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/6650

Prerequisites

Vaultwarden Support String

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.35.1
  • Web-vault version: v2025.12.1
  • OS/Arch: linux/x86_64
  • Running within a container: true (Base: Debian)
  • Database type: SQLite
  • Database version: 3.50.2
  • Uses config.json: false
  • Uses a reverse proxy: true
  • IP Header check: true (X-Real-IP)
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • Browser/Server Time Check: true
  • Server/NTP Time Check: true
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Websocket Check: true
  • HTTP Response Checks: true

Config & Details (Generated via diagnostics page)

Show Config & Details

Config:

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": false,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "***:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_idle_timeout": 600,
  "database_max_conns": 10,
  "database_min_conns": 2,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "dns_prefer_ipv6": false,
  "domain": "*****://****************",
  "domain_origin": "*****://****************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "debug",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "purge_incomplete_sso_auth": "0 20 0 * * *",
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": true,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "",
  "smtp_from_name": "***********",
  "smtp_host": null,
  "smtp_password": null,
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": null,
  "sso_allow_unknown_email_verification": false,
  "sso_audience_trusted": null,
  "sso_auth_only_not_session": false,
  "sso_authority": "*****://*************",
  "sso_authorize_extra_params": "",
  "sso_callback_path": "*****://*********************************************",
  "sso_client_cache_expiration": 0,
  "sso_client_id": "******************",
  "sso_client_secret": "***",
  "sso_debug_tokens": true,
  "sso_enabled": true,
  "sso_master_password_policy": null,
  "sso_only": true,
  "sso_pkce": true,
  "sso_scopes": "openid email profile",
  "sso_signups_match_email": true,
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Vaultwarden Build Version

v1.35.1

Deployment method

Official Container Image

Custom deployment method

No response

Reverse Proxy

traefik 3.6.6

Host/Server Operating System

Linux

Operating System Version

No response

Clients

Web Vault

Client Version

No response

Steps To Reproduce

Try to authenticate using SSO (the instance if fresh)

Expected Result

Should be able to connect using my ZITADEL oidc provider

Actual Result

Auth is rejected and I get the following log

[2026-01-02 17:49:28.122][vaultwarden::sso_client][DEBUG] Id token: XXX
[2026-01-02 17:49:28.122][vaultwarden::sso_client][DEBUG] Access token: XXX
[2026-01-02 17:49:28.122][vaultwarden::sso_client][DEBUG] Refresh token: None
[2026-01-02 17:49:28.122][vaultwarden::sso_client][ERROR] Could not read id_token claims, Invalid audiences: `some-other-id` is not a trusted audience

When decoding the Id token with

ID_TOKEN=XXX
echo "$ID_TOKEN" | awk -F. '{print $2}' | sed 's/-/_/g; s/ /+/g' | python3 -c "import sys,base64,json; s=sys.stdin.read().strip(); s += '=' * (-len(s) % 4); print(json.dumps(json.loads(base64.urlsafe_b64decode(s)), indent=2))"

I get:

{
// ...
  "aud": [
    "some-other-id", // the one reported in the error
    "again-some-other-id",
    "<client_id>", // the one  I gave in the SSO_CLIENT_ID
    "a-last-other-id"
  ]
// ...
}

Logs


Screenshots or Videos

No response

Additional Context

To me the issue is related to what's discussed in this ZITADEL Issue.
The fact is other services have troubles using ZITADEL as the oidc provider but this comment suggests ZITADEL is implementing the standard.
In addition, the errors mostly occurs with rust based services so I guess we have to look in this direction

In addition (slightly off topic) I don't get why we get an error if SSO_CLIENT_SECRET is missing or empty while using SSO_PKCE: true

Originally created by @MathisTLD on GitHub (Jan 2, 2026). Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/6650 ### Prerequisites - [x] I have searched the existing **Closed _AND_ Open** [Issues](https://github.com/dani-garcia/vaultwarden/issues?q=is%3Aissue%20) **_AND_** [Discussions](https://github.com/dani-garcia/vaultwarden/discussions?discussions_q=) - [x] I have searched and read the [documentation](https://github.com/dani-garcia/vaultwarden/wiki/) ### Vaultwarden Support String ### Your environment (Generated via diagnostics page) * Vaultwarden version: v1.35.1 * Web-vault version: v2025.12.1 * OS/Arch: linux/x86_64 * Running within a container: true (Base: Debian) * Database type: SQLite * Database version: 3.50.2 * Uses config.json: false * Uses a reverse proxy: true * IP Header check: true (X-Real-IP) * Internet access: true * Internet access via a proxy: false * DNS Check: true * Browser/Server Time Check: true * Server/NTP Time Check: true * Domain Configuration Check: true * HTTPS Check: true * Websocket Check: true * HTTP Response Checks: true ### Config & Details (Generated via diagnostics page) <details><summary>Show Config & Details</summary> **Config:** ```json { "_duo_akey": null, "_enable_duo": true, "_enable_email_2fa": false, "_enable_smtp": true, "_enable_yubico": true, "_icon_service_csp": "", "_icon_service_url": "", "_ip_header_enabled": true, "_max_note_size": 10000, "_smtp_img_src": "***:", "admin_ratelimit_max_burst": 3, "admin_ratelimit_seconds": 300, "admin_session_lifetime": 20, "admin_token": "***", "allowed_connect_src": "", "allowed_iframe_ancestors": "", "attachments_folder": "data/attachments", "auth_request_purge_schedule": "30 * * * * *", "authenticator_disable_time_drift": false, "data_folder": "data", "database_conn_init": "", "database_idle_timeout": 600, "database_max_conns": 10, "database_min_conns": 2, "database_timeout": 30, "database_url": "***************", "db_connection_retries": 15, "disable_2fa_remember": false, "disable_admin_token": false, "disable_icon_download": false, "dns_prefer_ipv6": false, "domain": "*****://****************", "domain_origin": "*****://****************", "domain_path": "", "domain_set": true, "duo_context_purge_schedule": "30 * * * * *", "duo_host": null, "duo_ikey": null, "duo_skey": null, "duo_use_iframe": false, "email_2fa_auto_fallback": false, "email_2fa_enforce_on_verified_invite": false, "email_attempts_limit": 3, "email_change_allowed": true, "email_expiration_time": 600, "email_token_size": 6, "emergency_access_allowed": true, "emergency_notification_reminder_schedule": "0 3 * * * *", "emergency_request_timeout_schedule": "0 7 * * * *", "enable_db_wal": true, "enable_websocket": true, "enforce_single_org_with_reset_pw_policy": false, "event_cleanup_schedule": "0 10 0 * * *", "events_days_retain": null, "experimental_client_feature_flags": "", "extended_logging": true, "helo_name": null, "hibp_api_key": null, "http_request_block_non_global_ips": true, "http_request_block_regex": null, "icon_blacklist_non_global_ips": true, "icon_blacklist_regex": null, "icon_cache_folder": "data/icon_cache", "icon_cache_negttl": 259200, "icon_cache_ttl": 2592000, "icon_download_timeout": 10, "icon_redirect_code": 302, "icon_service": "internal", "incomplete_2fa_schedule": "30 * * * * *", "incomplete_2fa_time_limit": 3, "increase_note_size_limit": false, "invitation_expiration_hours": 120, "invitation_org_name": "Vaultwarden", "invitations_allowed": true, "ip_header": "X-Real-IP", "job_poll_interval_ms": 30000, "log_file": null, "log_level": "debug", "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f", "login_ratelimit_max_burst": 10, "login_ratelimit_seconds": 60, "org_attachment_limit": null, "org_creation_users": "", "org_events_enabled": false, "org_groups_enabled": false, "password_hints_allowed": true, "password_iterations": 600000, "purge_incomplete_sso_auth": "0 20 0 * * *", "push_enabled": false, "push_identity_uri": "https://identity.bitwarden.com", "push_installation_id": "***", "push_installation_key": "***", "push_relay_uri": "https://push.bitwarden.com", "reload_templates": false, "require_device_email": false, "rsa_key_filename": "data/rsa_key", "send_purge_schedule": "0 5 * * * *", "sendmail_command": null, "sends_allowed": true, "sends_folder": "data/sends", "show_password_hint": false, "signups_allowed": true, "signups_domains_whitelist": "", "signups_verify": false, "signups_verify_resend_limit": 6, "signups_verify_resend_time": 3600, "smtp_accept_invalid_certs": false, "smtp_accept_invalid_hostnames": false, "smtp_auth_mechanism": null, "smtp_debug": false, "smtp_embed_images": true, "smtp_explicit_tls": null, "smtp_from": "", "smtp_from_name": "***********", "smtp_host": null, "smtp_password": null, "smtp_port": 587, "smtp_security": "starttls", "smtp_ssl": null, "smtp_timeout": 15, "smtp_username": null, "sso_allow_unknown_email_verification": false, "sso_audience_trusted": null, "sso_auth_only_not_session": false, "sso_authority": "*****://*************", "sso_authorize_extra_params": "", "sso_callback_path": "*****://*********************************************", "sso_client_cache_expiration": 0, "sso_client_id": "******************", "sso_client_secret": "***", "sso_debug_tokens": true, "sso_enabled": true, "sso_master_password_policy": null, "sso_only": true, "sso_pkce": true, "sso_scopes": "openid email profile", "sso_signups_match_email": true, "templates_folder": "data/templates", "tmp_folder": "data/tmp", "trash_auto_delete_days": null, "trash_purge_schedule": "0 5 0 * * *", "use_sendmail": false, "use_syslog": false, "user_attachment_limit": null, "user_send_limit": null, "web_vault_enabled": true, "web_vault_folder": "web-vault/", "yubico_client_id": null, "yubico_secret_key": null, "yubico_server": null } ``` </details> ### Vaultwarden Build Version v1.35.1 ### Deployment method Official Container Image ### Custom deployment method _No response_ ### Reverse Proxy traefik 3.6.6 ### Host/Server Operating System Linux ### Operating System Version _No response_ ### Clients Web Vault ### Client Version _No response_ ### Steps To Reproduce Try to authenticate using SSO (the instance if fresh) ### Expected Result Should be able to connect using my ZITADEL oidc provider ### Actual Result Auth is rejected and I get the following log ``` [2026-01-02 17:49:28.122][vaultwarden::sso_client][DEBUG] Id token: XXX [2026-01-02 17:49:28.122][vaultwarden::sso_client][DEBUG] Access token: XXX [2026-01-02 17:49:28.122][vaultwarden::sso_client][DEBUG] Refresh token: None [2026-01-02 17:49:28.122][vaultwarden::sso_client][ERROR] Could not read id_token claims, Invalid audiences: `some-other-id` is not a trusted audience ``` When decoding the Id token with ```bash ID_TOKEN=XXX echo "$ID_TOKEN" | awk -F. '{print $2}' | sed 's/-/_/g; s/ /+/g' | python3 -c "import sys,base64,json; s=sys.stdin.read().strip(); s += '=' * (-len(s) % 4); print(json.dumps(json.loads(base64.urlsafe_b64decode(s)), indent=2))" ``` I get: ```jsonc { // ... "aud": [ "some-other-id", // the one reported in the error "again-some-other-id", "<client_id>", // the one I gave in the SSO_CLIENT_ID "a-last-other-id" ] // ... } ``` ### Logs ```text ``` ### Screenshots or Videos _No response_ ### Additional Context To me the issue is related to what's discussed in [this ZITADEL Issue](https://github.com/zitadel/zitadel/issues/9200). The fact is other services have troubles using ZITADEL as the oidc provider but [this comment](https://github.com/zitadel/zitadel/issues/9200#issuecomment-2616008701) suggests ZITADEL is implementing the standard. In addition, the errors mostly occurs with rust based services so I guess we have to look in this direction In addition (slightly off topic) I don't get why we get an error if `SSO_CLIENT_SECRET` is missing or empty while using `SSO_PKCE: true`
GiteaMirror added the bug label 2026-04-20 14:54:43 -05:00
Author
Owner

@stefan0xC commented on GitHub (Jan 2, 2026):

We use the openidconnect-rs crate. So I looked there and found this issue https://github.com/ramosbugs/openidconnect-rs/issues/210#issuecomment-3042803258 about the ID Token validation (which is also mentioned in the issue you posted).

Is there no way to restrict ZITADEL from adding other stuff as audience? Otherwise someone would have to add a function that verifies the audience members via set_other_audience_verifier_fn

<!-- gh-comment-id:3706121202 --> @stefan0xC commented on GitHub (Jan 2, 2026): We use the `openidconnect-rs` crate. So I looked there and found this issue https://github.com/ramosbugs/openidconnect-rs/issues/210#issuecomment-3042803258 about the [ID Token validation](https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation) (which is also mentioned in the issue you posted). Is there no way to restrict ZITADEL from adding other stuff as audience? Otherwise someone would have to add a function that verifies the audience members via [set_other_audience_verifier_fn](https://docs.rs/openidconnect/latest/openidconnect/struct.IdTokenVerifier.html#method.set_other_audience_verifier_fn)…
Author
Owner

@MathisTLD commented on GitHub (Jan 2, 2026):

this comment mentions a workaround for zitadel but I didn't tried it. I just hacked it by crafting the SSO_AUDIENCE_TRUSTED regex (which is not ideal).

To make it work we could just change the verifier here:
bf37657c08/src/sso_client.rs (L219-L232)

I think (but I'm not 100% sure) the logic should be: if "aud" is an array check that client_id is inside

<!-- gh-comment-id:3706478510 --> @MathisTLD commented on GitHub (Jan 2, 2026): [this comment](https://github.com/zitadel/zitadel/issues/9200#issuecomment-2616008701) mentions a workaround for zitadel but I didn't tried it. I just hacked it by crafting the `SSO_AUDIENCE_TRUSTED` regex (which is not ideal). To make it work we could just change the verifier here: https://github.com/dani-garcia/vaultwarden/blob/bf37657c08aa3dd8b9c871d15d00c3a7bbcc756c/src/sso_client.rs#L219-L232 I think (but I'm not 100% sure) the logic should be: if "aud" is an array check that `client_id` is inside
Author
Owner

@stefan0xC commented on GitHub (Jan 3, 2026):

I think (but I'm not 100% sure) the logic should be: if "aud" is an array check that client_id is inside

That might work but it would not be correct. The spec clearly states that "The ID Token MUST be rejected if the ID Token does not list the Client as a valid audience, or if it contains additional audiences not trusted by the Client." - so the only proper way to handle this would be to make it possible to tell which additional audiences are to be trusted.

I just hacked it by crafting the SSO_AUDIENCE_TRUSTED regex (which is not ideal).

Ah, I did not know that we had that function with a regex already. Maybe the documentation is a bit lacking but you could list all audience ids as possible values in that regex (e.g. SSO_AUDIENCE_TRUSTED=(some-other-id|again-some-other-id|a-last-other-id)) and that should work, I think. Have you tried that?

edit: I also just noticed the SSO documentation in our wiki has this information about ZITADEL already. though it seems like it recommends your approach.

<!-- gh-comment-id:3706530393 --> @stefan0xC commented on GitHub (Jan 3, 2026): > I think (but I'm not 100% sure) the logic should be: if "aud" is an array check that `client_id` is inside That might work but it would not be correct. The spec clearly states that "The ID Token MUST be rejected if the ID Token does not list the Client as a valid audience, or if it contains additional audiences not trusted by the Client." - so the only proper way to handle this would be to make it possible to tell which additional audiences are to be trusted. > I just hacked it by crafting the `SSO_AUDIENCE_TRUSTED` regex (which is not ideal). Ah, I did not know that we had that function with a regex already. Maybe the documentation is a bit lacking but you could list all audience ids as possible values in that regex (e.g. `SSO_AUDIENCE_TRUSTED=(some-other-id|again-some-other-id|a-last-other-id)`) and that should work, I think. Have you tried that? edit: I also just noticed the SSO documentation in our wiki has [this information about ZITADEL already](https://github.com/dani-garcia/vaultwarden/wiki/Enabling-SSO-support-using-OpenId-Connect#zitadel). though it seems like it recommends your approach.
Author
Owner

@MathisTLD commented on GitHub (Jan 3, 2026):

yeah the regexp trick is ok as long as you don't add additional applications tou your zitadel project then you have either to update the regexp each time or use a looser regexp as stated in the doc:

SSO_AUDIENCE_TRUSTED, may become unmanageable. In such cases, SSO_AUDIENCE_TRUSTED: '^\d{18}$' (18 is the size of each string in aud list, it may differ depending on your Zitadel implementation) would help you but it's safe to individually add all the aud strings like SSO_AUDIENCE_TRUSTED: '^abcd|def|xyz$'.

Then it could be useful for some users to be able to configure SSO to accept token when client ID is one of the audiences (as SSO_AUDIENCE_TRUSTED: '^\d{18}$' doesn't even check for this condition).
Then it's more of a feature request than an actual bug sorry.

If for some reason this feature is not desirable we could at least update the docs to say it won't be implemented.

<!-- gh-comment-id:3707256365 --> @MathisTLD commented on GitHub (Jan 3, 2026): yeah the regexp trick is ok as long as you don't add additional applications tou your zitadel project then you have either to update the regexp each time or use a looser regexp as stated in the doc: > SSO_AUDIENCE_TRUSTED, may become unmanageable. In such cases, SSO_AUDIENCE_TRUSTED: '^\d{18}$' (18 is the size of each string in aud list, it may differ depending on your Zitadel implementation) would help you but it's safe to individually add all the aud strings like SSO_AUDIENCE_TRUSTED: '^abcd|def|xyz$'. Then it could be useful for some users to be able to configure SSO to accept token when client ID is one of the audiences (as `SSO_AUDIENCE_TRUSTED: '^\d{18}$'` doesn't even check for this condition). Then it's more of a feature request than an actual bug sorry. If for some reason this feature is not desirable we could at least update the docs to say it won't be implemented.
Author
Owner

@stefan0xC commented on GitHub (Jan 3, 2026):

Then it could be useful for some users to be able to configure SSO to accept token when client ID is one of the audiences (as SSO_AUDIENCE_TRUSTED: '^\d{18}$' doesn't even check for this condition).

Well, if I understand it correctly openidconnect-rs always checks for the existence of the client id (and just the other_aud_verifier_fn would default to false if you don't configure a function). So I don't see the point of us setting this to true for the other audiences besides the client id, when you can just do so via a regex yourself.

<!-- gh-comment-id:3707284196 --> @stefan0xC commented on GitHub (Jan 3, 2026): > Then it could be useful for some users to be able to configure SSO to accept token when client ID is one of the audiences (as `SSO_AUDIENCE_TRUSTED: '^\d{18}$'` doesn't even check for this condition). Well, if I understand it correctly `openidconnect-rs` [always checks for the existence of the client id](https://github.com/ramosbugs/openidconnect-rs/blob/202c8b1d9338ce2304d87816efb56d4abd0a5bb7/src/verification/mod.rs#L342-L344) (and just [the `other_aud_verifier_fn` would default to `false`](https://github.com/ramosbugs/openidconnect-rs/blob/202c8b1d9338ce2304d87816efb56d4abd0a5bb7/src/verification/mod.rs#L159-L162) if you don't configure a function). So I don't see the point of us setting this to `true` for the other audiences besides the client id, when you can just do so via a regex yourself.
Author
Owner

@MathisTLD commented on GitHub (Jan 3, 2026):

Yeah looking a the source code you gave a link to the client-id is required even if the regex is "allow all". Sorry for the misunderstanding.

<!-- gh-comment-id:3707409111 --> @MathisTLD commented on GitHub (Jan 3, 2026): Yeah looking a the source code you gave a link to the client-id is required even if the regex is "allow all". Sorry for the misunderstanding.
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/vaultwarden#11309