mirror of
https://github.com/dani-garcia/vaultwarden.git
synced 2026-07-16 08:54:01 -05:00
[GH-ISSUE #6650] OIDC: abusive "Invalid audiences" error #19270
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @MathisTLD on GitHub (Jan 2, 2026).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/6650
Prerequisites
Vaultwarden Support String
Your environment (Generated via diagnostics page)
Config & Details (Generated via diagnostics page)
Show Config & Details
Config:
Vaultwarden Build Version
v1.35.1
Deployment method
Official Container Image
Custom deployment method
No response
Reverse Proxy
traefik 3.6.6
Host/Server Operating System
Linux
Operating System Version
No response
Clients
Web Vault
Client Version
No response
Steps To Reproduce
Try to authenticate using SSO (the instance if fresh)
Expected Result
Should be able to connect using my ZITADEL oidc provider
Actual Result
Auth is rejected and I get the following log
When decoding the Id token with
I get:
Logs
Screenshots or Videos
No response
Additional Context
To me the issue is related to what's discussed in this ZITADEL Issue.
The fact is other services have troubles using ZITADEL as the oidc provider but this comment suggests ZITADEL is implementing the standard.
In addition, the errors mostly occurs with rust based services so I guess we have to look in this direction
In addition (slightly off topic) I don't get why we get an error if
SSO_CLIENT_SECRETis missing or empty while usingSSO_PKCE: true@stefan0xC commented on GitHub (Jan 2, 2026):
We use the
openidconnect-rscrate. So I looked there and found this issue https://github.com/ramosbugs/openidconnect-rs/issues/210#issuecomment-3042803258 about the ID Token validation (which is also mentioned in the issue you posted).Is there no way to restrict ZITADEL from adding other stuff as audience? Otherwise someone would have to add a function that verifies the audience members via set_other_audience_verifier_fn…
@MathisTLD commented on GitHub (Jan 2, 2026):
this comment mentions a workaround for zitadel but I didn't tried it. I just hacked it by crafting the
SSO_AUDIENCE_TRUSTEDregex (which is not ideal).To make it work we could just change the verifier here:
bf37657c08/src/sso_client.rs (L219-L232)I think (but I'm not 100% sure) the logic should be: if "aud" is an array check that
client_idis inside@stefan0xC commented on GitHub (Jan 3, 2026):
That might work but it would not be correct. The spec clearly states that "The ID Token MUST be rejected if the ID Token does not list the Client as a valid audience, or if it contains additional audiences not trusted by the Client." - so the only proper way to handle this would be to make it possible to tell which additional audiences are to be trusted.
Ah, I did not know that we had that function with a regex already. Maybe the documentation is a bit lacking but you could list all audience ids as possible values in that regex (e.g.
SSO_AUDIENCE_TRUSTED=(some-other-id|again-some-other-id|a-last-other-id)) and that should work, I think. Have you tried that?edit: I also just noticed the SSO documentation in our wiki has this information about ZITADEL already. though it seems like it recommends your approach.
@MathisTLD commented on GitHub (Jan 3, 2026):
yeah the regexp trick is ok as long as you don't add additional applications tou your zitadel project then you have either to update the regexp each time or use a looser regexp as stated in the doc:
Then it could be useful for some users to be able to configure SSO to accept token when client ID is one of the audiences (as
SSO_AUDIENCE_TRUSTED: '^\d{18}$'doesn't even check for this condition).Then it's more of a feature request than an actual bug sorry.
If for some reason this feature is not desirable we could at least update the docs to say it won't be implemented.
@stefan0xC commented on GitHub (Jan 3, 2026):
Well, if I understand it correctly
openidconnect-rsalways checks for the existence of the client id (and just theother_aud_verifier_fnwould default tofalseif you don't configure a function). So I don't see the point of us setting this totruefor the other audiences besides the client id, when you can just do so via a regex yourself.@MathisTLD commented on GitHub (Jan 3, 2026):
Yeah looking a the source code you gave a link to the client-id is required even if the regex is "allow all". Sorry for the misunderstanding.